Making `NOTATION_USERNAME` and `NOTATION_PASSWORD` secure

[shizhMSFT]

What is the areas you would like to add the new feature to?

Notation CLI

Is your feature request related to a problem?

The environment variables NOTATION_USERNAME and NOTATION_PASSWORD are considered as insecure and not suitable for production since it is possible to leak them to its child processes like plugins.

What solution do you propose?

Remove those environment variables when spawning child process (i.e. plugin process) while keeping other environment variables.

What alternatives have you considered?

It is always good to configure a credential store.

Any additional context?

No response

[kokamkarsahil]

Alternate solution

We can use SOPS[0] to encrypt the .env using AWS KMS, Azure Key Vault, age, or PGP.

Example

It stores the values in an encrypted format which can be decrypted and used.

SOPS also got approved for CNCF sandbox recently: Sandbox Application Board - next review February 25, 2025 (view)

Cons

The last update was over a year ago. (As it's approved for CNCF sandbox, we can expect updates.)

IRC there was also a Docker credential issue which was in discussion. We can also make use of SOPS for it.

---

0. https://github.com/mozilla/sops, https://pkg.go.dev/go.mozilla.org/sops