Remove manifest trust from public access (Azure#6363)

This PR removes:

- the manifest trust sample
- manifest trust related docs
- code coverage settings and project reference related to manifest trust


- [X] I have read the [contribution guidelines](https://github.com/azure/iotedge#contributing).

CodeCoverage.runsettings

@@ -65,7 +65,6 @@ Included items must then not match any entries in the exclude list to remain inc
                 <ModulePath>.*iotedgequickstart\..*</ModulePath>
                 <ModulePath>.*leafdevice\..*</ModulePath>
                 <ModulePath>.*load-gen\..*</ModulePath>
-                <ModulePath>.*manifestsignerclient.*\..*</ModulePath>
                 <ModulePath>.*metricscollector\..*</ModulePath>
                 <ModulePath>.*metricsvalidator\..*</ModulePath>
                 <ModulePath>.*numberlogger\..*</ModulePath>

Microsoft.Azure.Devices.Edge.sln

@@ -199,8 +199,6 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "jsoncanonicalizer", "edge-u
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "es6numberserializer", "edge-util\src\es6numberserializer\es6numberserializer.csproj", "{BE39EC1F-7E7C-4421-93BF-1DF02C1E6A15}"
 EndProject
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "ManifestSignerClient", "samples\dotnet\ManifestSignerClient\ManifestSignerClient.csproj", "{C4C3CEB4-1177-4D1C-9BAE-EE0453831905}"
-EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "IotedgeDiagnosticsDotnet", "edge-modules\iotedge-diagnostics-dotnet\IotedgeDiagnosticsDotnet.csproj", "{59CF2F3B-5FCC-43BE-B221-1E7A956D4792}"
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "edge-modules", "edge-modules", "{17D4D30E-7C88-479D-AF04-735DCCBA3AD4}"
@@ -620,12 +618,6 @@ Global
 		{BE39EC1F-7E7C-4421-93BF-1DF02C1E6A15}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{BE39EC1F-7E7C-4421-93BF-1DF02C1E6A15}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{BE39EC1F-7E7C-4421-93BF-1DF02C1E6A15}.Release|Any CPU.Build.0 = Release|Any CPU
-		{C4C3CEB4-1177-4D1C-9BAE-EE0453831905}.CheckInBuild|Any CPU.ActiveCfg = CheckInBuild|Any CPU
-		{C4C3CEB4-1177-4D1C-9BAE-EE0453831905}.CheckInBuild|Any CPU.Build.0 = CheckInBuild|Any CPU
-		{C4C3CEB4-1177-4D1C-9BAE-EE0453831905}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{C4C3CEB4-1177-4D1C-9BAE-EE0453831905}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{C4C3CEB4-1177-4D1C-9BAE-EE0453831905}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{C4C3CEB4-1177-4D1C-9BAE-EE0453831905}.Release|Any CPU.Build.0 = Release|Any CPU
 		{59CF2F3B-5FCC-43BE-B221-1E7A956D4792}.CheckInBuild|Any CPU.ActiveCfg = CheckInBuild|Any CPU
 		{59CF2F3B-5FCC-43BE-B221-1E7A956D4792}.CheckInBuild|Any CPU.Build.0 = CheckInBuild|Any CPU
 		{59CF2F3B-5FCC-43BE-B221-1E7A956D4792}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
@@ -723,7 +715,6 @@ Global
 		{B0151FFD-85C4-42B9-81CC-9193BADFE9F8} = {F921339B-32F9-4BF3-B364-2DB01FA2F1A1}
 		{1915CE7E-E949-4633-9862-D92BD5E873B5} = {66964A75-04AC-4FDE-8505-E6CB2EF90BE8}
 		{BE39EC1F-7E7C-4421-93BF-1DF02C1E6A15} = {66964A75-04AC-4FDE-8505-E6CB2EF90BE8}
-		{C4C3CEB4-1177-4D1C-9BAE-EE0453831905} = {A6D8677F-DB76-459E-B6DE-110AFCEF7F08}
 		{59CF2F3B-5FCC-43BE-B221-1E7A956D4792} = {578D5330-2F72-44C6-9DB5-C93B3F42C473}
 		{72DC75C8-2116-4836-BB95-2D2B5BF34452} = {17D4D30E-7C88-479D-AF04-735DCCBA3AD4}
 		{10886974-CE80-40FC-9647-A9C145DE420C} = {72DC75C8-2116-4836-BB95-2D2B5BF34452}

builds/checkin/e2e-checkin.yaml

@@ -59,7 +59,6 @@ stages:
           identityServicePackageFilter: aziot-identity-service_*_amd64.deb
           builtImages: $[ stageDependencies.PublishManifests.PublishManifest.result ]
           builtPackages: $[ stageDependencies.BuildPackages.linux.result ]
-          skip_notary: false
         steps:
         - template: ../e2e/templates/e2e-setup.yaml
         - template: ../e2e/templates/e2e-run.yaml

builds/e2e/e2e.yaml

@@ -46,8 +46,6 @@ jobs:
       artifactName: iotedged-debian11-arm32v7
       identityServiceArtifactName: packages_debian-11-slim_arm32v7
       identityServicePackageFilter: aziot-identity-service_*_armhf.deb
-      # skip notary installation as it is not supported for ARM platforms
-      skip_notary: true
 
     timeoutInMinutes: 120
 
@@ -98,7 +96,6 @@ jobs:
       artifactName: iotedged-ubuntu18.04-amd64
       identityServiceArtifactName: packages_ubuntu-18.04_amd64
       identityServicePackageFilter: aziot-identity-service_*_amd64.deb
-      skip_notary: false
 
     timeoutInMinutes: 90
 
@@ -124,7 +121,6 @@ jobs:
       identityServiceArtifactName: packages_ubuntu-18.04_amd64
       identityServicePackageFilter: aziot-identity-service_*_amd64.deb
       minimal: true
-      skip_notary: false
 
     steps:
     - template: templates/e2e-setup.yaml
@@ -147,7 +143,6 @@ jobs:
       artifactName: iotedged-ubuntu20.04-amd64
       identityServiceArtifactName: packages_ubuntu-20.04_amd64
       identityServicePackageFilter: aziot-identity-service_*_amd64.deb
-      skip_notary: false
 
     timeoutInMinutes: 90
 
@@ -172,7 +167,6 @@ jobs:
       identityServiceArtifactName: packages_ubuntu-20.04_amd64
       identityServicePackageFilter: aziot-identity-service_*_amd64.deb
       minimal: true
-      skip_notary: false
 
     steps:
     - template: templates/e2e-setup.yaml
@@ -193,8 +187,6 @@ jobs:
       artifactName: iotedged-ubuntu20.04-aarch64
       identityServiceArtifactName: packages_ubuntu-20.04_aarch64
       identityServicePackageFilter: aziot-identity-service_*_arm64.deb
-      # skip notary installation as it is not supported for ARM platforms
-      skip_notary: true
 
     timeoutInMinutes: 120
 
@@ -220,7 +212,6 @@ jobs:
       artifactName: iotedged-centos7-amd64
       identityServiceArtifactName: packages_centos-7_amd64
       identityServicePackageFilter: aziot-identity-service-*.x86_64.rpm
-      skip_notary: false
 
     steps:
     - template: templates/e2e-clean-directory.yaml
@@ -244,7 +235,6 @@ jobs:
       artifactName: iotedged-redhat8-amd64
       identityServiceArtifactName: packages_redhat-ubi8-latest_amd64
       identityServicePackageFilter: aziot-identity-service-*.x86_64.rpm
-      skip_notary: false
 
     steps:
     - template: templates/e2e-setup.yaml
@@ -272,8 +262,6 @@ jobs:
       verbose: true
       # skip component governance detection to avoid proxy issues. It is checked in the other jobs.
       skipComponentGovernanceDetection: true
-      # skip notary installation as it has known issues working with proxy
-      skip_notary: true
 
     timeoutInMinutes: 120
 

builds/e2e/templates/e2e-run.yaml

@@ -13,13 +13,16 @@ parameters:
 #   NestedEdgeAmqpOnly: Only applies to nested edge cases using amqp upstream protocol
 #   LegacyMqttRequired: Only applies to cases with the edgehub legacy mqtt protocol head
 #   BrokerRequired: Only applies to cases with the broker enabled
+#   SkipManifestTrust: Only applies to manifest/content trust tests
 steps:
 - pwsh: |
     $testFile = '$(binDir)/Microsoft.Azure.Devices.Edge.Test.dll'
     $test_type = '${{ parameters.test_type }}'
 
     # Filter out flaky tests.
     $filter = 'Category!=Flaky'
+    # Filter out Manifest trust tests.
+    $filter += '&Category!=SkipManifestTrust'
     if ('$(minimal)' -eq 'true')
     {
       $filter += '&Name~TempSensor'
@@ -58,7 +61,7 @@ steps:
     elseif ($test_type -eq 'http_proxy')
     {
       #Disable tests that don't work in proxy environment. Renable post-investigation.
-      $filter += '&FullyQualifiedName!~PlugAndPlay&FullyQualifiedName!~ValidateMetrics&FullyQualifiedName!~contenttrust'
+      $filter += '&FullyQualifiedName!~PlugAndPlay&FullyQualifiedName!~ValidateMetrics'
       #Disable nested edge tests
       $filter += '&Category!=NestedEdgeOnly'
     }
@@ -83,7 +86,6 @@ steps:
     E2E_EVENT_HUB_ENDPOINT: ${{ parameters['EventHubCompatibleEndpoint'] }}
     E2E_IOT_HUB_CONNECTION_STRING: ${{ parameters['IotHubConnectionString'] }}
     E2E_REGISTRIES__0__PASSWORD: $(TestContainerRegistryPassword)
-    E2E_REGISTRIES__1__PASSWORD: $(TestContentTrustRegistryPassword)
     E2E_ROOT_CA_PASSWORD: $(TestRootCaPassword)
     E2E_BLOB_STORE_SAS: $(TestBlobStoreSas)
     no_proxy: 'localhost'

builds/e2e/templates/e2e-setup.yaml

@@ -20,14 +20,7 @@ steps:
         TestRootCaCertificate,
         TestRootCaKey,
         TestRootCaPassword,
-        TestBlobStoreSas,
-        TestManifestSigningGoodRootCa,
-        TestManifestSigningIntermediateCa,
-        TestManifestSigningSignerCert,
-        TestManifestSigningSignerKey,
-        TestManifestSigningBadRootCa,
-        TestContentTrustRootCa,
-        TestContentTrustRegistryPassword,
+        TestBlobStoreSas
 
   - bash: | 
       echo "Built Images Result is $(builtImages)"
@@ -51,15 +44,6 @@ steps:
     name: check_use_artifacts
     displayName: Check Use Pipeline Image Artifacts
 
-  - bash: |
-      wget https://github.com/theupdateframework/notary/releases/download/v0.6.0/notary-Linux-amd64
-      chmod +x notary-Linux-amd64
-      sudo mv notary-Linux-amd64 /usr/bin/notary
-      ls -l /usr/bin
-    name: install_notary_for_content_trust
-    displayName: Install Notary for Content Trust
-    condition: eq(variables['skip_notary'], 'false')
-
   - task: DownloadPipelineArtifact@2
     displayName: Download Pipeline Build Images
     condition: eq(variables['check_use_artifacts.UsePipelineImageArtifacts'],'true')
@@ -135,41 +119,6 @@ steps:
       http_proxy: $(Agent.ProxyUrl)
       https_proxy: $(Agent.ProxyUrl)
     displayName: Build tests
-    
-  - pwsh: |
-      $manifestSignerClientDir = '$(Build.SourcesDirectory)/samples/dotnet/ManifestSignerClient'
-      dotnet build $manifestSignerClientDir
-      $manifestSignerClientBinDir = Convert-Path "$manifestSignerClientDir/bin/Debug/net6.0"
-      Write-Output "##vso[task.setvariable variable=manifestSignerClientDir]$manifestSignerClientDir"
-      Write-Output "##vso[task.setvariable variable=manifestSignerClientBinDir]$manifestSignerClientBinDir"
-      $manifestSigningTestDir = '$(System.ArtifactsDirectory)/manifest_signing'
-      $manifestSigningDeploymentDir = '$(System.ArtifactsDirectory)/manifest_signing/deployment'
-      Write-Output "##vso[task.setvariable variable=manifestSigningDeploymentDir]$manifestSigningDeploymentDir"
-      $manifestSigningCertDir = '$(System.ArtifactsDirectory)/manifest_signing/certs'
-      $contentTrustCertDir = '$(System.ArtifactsDirectory)/content_trust/certs'
-      New-Item "$manifestSigningCertDir" -ItemType Directory -Force | Out-Null
-      New-Item "$contentTrustCertDir" -ItemType Directory -Force | Out-Null
-      New-Item "$manifestSigningDeploymentDir" -ItemType Directory -Force | Out-Null
-      New-Item -Path "$manifestSigningDeploymentDir/deployment.json" -ItemType File
-      New-Item -Path "$manifestSigningDeploymentDir/signed_deployment.json" -ItemType File
-      $env:GOOD_ROOT_CA_CERT | Out-File -Encoding Utf8 "$manifestSigningCertDir/good_root_ca.pem"
-      $env:BAD_ROOT_CA_CERT | Out-File -Encoding Utf8 "$manifestSigningCertDir/bad_root_ca.pem"
-      $env:INTERMEDIATE_CA_CERT | Out-File -Encoding Utf8 "$manifestSigningCertDir/intermediate_ca.pem"
-      $env:SIGNER_CERT | Out-File -Encoding Utf8 "$manifestSigningCertDir/signer_cert.pem"
-      $env:SIGNER_KEY | Out-File -Encoding Utf8 "$manifestSigningCertDir/signer_key.key"
-      $env:CONTENT_TRUST_ROOT_CA_CERT | Out-File -Encoding Utf8 "$contentTrustCertDir/content_trust_root_ca.pem"
-      Write-Output "##vso[task.setvariable variable=manifestSigningCertDir]$manifestSigningCertDir"
-      Write-Output "##vso[task.setvariable variable=contentTrustCertDir]$contentTrustCertDir"
-    displayName: Manifest Trust Setup 
-    env:
-      GOOD_ROOT_CA_CERT: $(TestManifestSigningGoodRootCa)
-      BAD_ROOT_CA_CERT: $(TestManifestSigningBadRootCa)
-      INTERMEDIATE_CA_CERT: $(TestManifestSigningIntermediateCa)
-      SIGNER_CERT: $(TestManifestSigningSignerCert)
-      SIGNER_KEY: $(TestManifestSigningSignerKey)
-      CONTENT_TRUST_ROOT_CA_CERT : $(TestContentTrustRootCa)
-      http_proxy: $(Agent.ProxyUrl)
-      https_proxy: $(Agent.ProxyUrl)
 
   - pwsh: |
       $imageId = Get-Content -Encoding Utf8 `
@@ -211,39 +160,6 @@ steps:
         $edgeHubImage = "$imagePrefix-hub:$imageTag";
       }
 
-      $testManifestSigningGoodRootCaPath = Convert-Path "$(manifestSigningCertDir)/good_root_ca.pem";
-      $testManifestSigningBadRootCaPath = Convert-Path "$(manifestSigningCertDir)/bad_root_ca.pem";
-      $testManifestSigningIntermediateCaPath = Convert-Path "$(manifestSigningCertDir)/intermediate_ca.pem";
-      $testManifestSigningSignerCertPath = Convert-Path "$(manifestSigningCertDir)/signer_cert.pem";
-      $testManifestSigningSignerKeyPath = Convert-Path "$(manifestSigningCertDir)/signer_key.key";
-      $testManifestSigningDeploymentPath = Convert-Path "$(manifestSigningDeploymentDir)/deployment.json";
-      $testManifestSigningSignedDeploymentPath = Convert-Path "$(manifestSigningDeploymentDir)/signed_deployment.json";
-      $testManifestSignerClientDirectory = Convert-Path "$(manifestSignerClientDir)";
-      $testManifestSignerClientProjectPath = Convert-Path "$(manifestSignerClientDir)/ManifestSignerClient.csproj";
-      $testManifestSigningLaunchSettingsPath = Convert-Path "$(manifestSignerClientDir)/Properties/launchSettings.json";
-      $testContentTrustRootCaPath = Convert-Path "$(contentTrustCertDir)/content_trust_root_ca.pem";
-
-      $testManifestSigningDefaultLaunchSettings = @{
-        profiles = @{
-          ManifestSignerClient = @{
-            commandName = "Project";
-            environmentVariables = @{  
-              USE_TESTING_CA = "true";
-              DEPLOYMENT_MANIFEST_FILE_PATH = "$testManifestSigningDeploymentPath";
-              SIGNED_DEPLOYMENT_MANIFEST_FILE_PATH = "$testManifestSigningSignedDeploymentPath";
-              MANIFEST_TRUST_INTERMEDIATE_CA_PATH = "$testManifestSigningIntermediateCaPath";
-              MANIFEST_TRUST_SIGNER_PRIVATE_KEY_PATH = "$testManifestSigningSignerKeyPath";
-              MANIFEST_TRUST_SIGNER_CERT_PATH = "$testManifestSigningSignerCertPath";
-              DSA_ALGORITHM = "ES256";
-            }
-          }
-        }
-      };
-
-      $testManifestSigningDefaultLaunchSettings = $testManifestSigningDefaultLaunchSettings | ConvertTo-Json -Depth 3 
-      $testManifestSigningDefaultLaunchSettings | Out-File -Encoding Utf8 "$testManifestSigningLaunchSettingsPath"
-      Get-Content -Path "$testManifestSigningLaunchSettingsPath"
-
       echo "Edge agent image: $edgeAgentImage"
       echo "Edge hub image: $edgeHubImage"
   
@@ -271,10 +187,6 @@ steps:
           @{
             address = '$(cr.address)';
             username = '$(cr.username)';
-          },
-          @{
-            address = '$(contenttrust.address)';
-            username = '$(contenttrust.username)';
           }
         );
         packagePath = Convert-Path '$(System.ArtifactsDirectory)/$(artifactName)';
@@ -284,18 +196,6 @@ steps:
         logFile = Join-Path '$(binDir)' 'testoutput.log';
         verbose = '$(verbose)';
         getSupportBundle = 'true';
-        manifestSigningDeploymentPath = "$testManifestSigningDeploymentPath";
-        manifestSigningSignedDeploymentPath = "$testManifestSigningSignedDeploymentPath";
-        manifestSigningGoodRootCaPath = "$testManifestSigningGoodRootCaPath";
-        manifestSigningBadRootCaPath = "$testManifestSigningBadRootCaPath";
-        manifestSigningDefaultLaunchSettings = "$testManifestSigningDefaultLaunchSettings";
-        manifestSigningLaunchSettingsPath = "$testManifestSigningLaunchSettingsPath";
-        manifestSignerClientDirectory = "$testManifestSignerClientDirectory";
-        manifestSignerClientProjectPath = "$testManifestSignerClientProjectPath";
-        contentTrustRootCaPath = "$testContentTrustRootCaPath";
-        contentTrustRegistryName = "${env:CONTENTTRUST_ADDRESS}";
-        contentTrustSignedImage = "${env:CONTENTTRUST_SIGNEDIMAGE}";
-        contentTrustUnsignedImage = "${env:CONTENTTRUST_UNSIGNEDIMAGE}";
       }
   
       if ('$(nestededge)' -eq 'true')