stage0/trust: change error message if prefix/root flag missing #2661
Conversation
| To continue trusting this root domain: | ||
| rkt %s --root %s PUBKEY (local key file, no discovery) | ||
| Or, establish a smaller scope with a prefix: | ||
| rkt %s --prefix "example.com/hello" |
There was a problem hiding this comment.
@jonboulle I deleted the PUBKEY in the lines with the prefix. I hope you meant this in #480 (comment). But i am not sure if this is correct according to https://github.com/coreos/rkt/blob/master/Documentation/subcommands/trust.md#trust-a-key-from-specific-location
There was a problem hiding this comment.
I also suspect this is not correct. From a quick look at the code, PUBKEY can be always specified. If omitted, it will be auto-discovered only if a prefix is specified.
There was a problem hiding this comment.
I just tested it with a fresh build of the latest master:
matthiasjahn@ubuntu:~/rkt$ ./build-rkt-1.7.0+git/bin/rkt trust --prefix coreos.com/etcd
pubkey: prefix: "coreos.com/etcd"
key: "https://coreos.com/dist/pubkeys/aci-pubkeys.gpg"
gpg key fingerprint is: 8B86 DE38 890D DB72 9186 7B02 5210 BD88 8818 2190
CoreOS ACI Builder <release@coreos.com>
Are you sure you want to trust this key (yes/no)?
^C
matthiasjahn@ubuntu:~/rkt$ ./build-rkt-1.7.0+git/bin/rkt trust --prefix coreos.com/etcd https://coreos.com/dist/pubkeys/aci-pubkeys.gpg
pubkey: prefix: "coreos.com/etcd"
key: "https://coreos.com/dist/pubkeys/aci-pubkeys.gpg"
gpg key fingerprint is: 8B86 DE38 890D DB72 9186 7B02 5210 BD88 8818 2190
CoreOS ACI Builder <release@coreos.com>
Are you sure you want to trust this key (yes/no)?
^C
matthiasjahn@ubuntu:~/rkt$ ./build-rkt-1.7.0+git/bin/rkt trust --prefix coreos.com/etcd aci-pubkeys.gpg
pubkey: prefix: "coreos.com/etcd"
key: "aci-pubkeys.gpg"
gpg key fingerprint is: 8B86 DE38 890D DB72 9186 7B02 5210 BD88 8818 2190
CoreOS ACI Builder <release@coreos.com>
Are you sure you want to trust this key (yes/no)?
^C
matthiasjahn@ubuntu:~/rkt$ ./build-rkt-1.7.0+git/bin/rkt trust --root aci-pubkeys.gpg
pubkey: prefix: ""
key: "aci-pubkeys.gpg"
gpg key fingerprint is: 8B86 DE38 890D DB72 9186 7B02 5210 BD88 8818 2190
CoreOS ACI Builder <release@coreos.com>
Are you sure you want to trust this key (yes/no)?
^C
matthiasjahn@ubuntu:~/rkt$ ./build-rkt-1.7.0+git/bin/rkt trust --root https://coreos.com/dist/pubkeys/aci-pubkeys.gpg
pubkey: prefix: ""
key: "https://coreos.com/dist/pubkeys/aci-pubkeys.gpg"
gpg key fingerprint is: 8B86 DE38 890D DB72 9186 7B02 5210 BD88 8818 2190
CoreOS ACI Builder <release@coreos.com>
Are you sure you want to trust this key (yes/no)?
^C
So it seems, with --prefix it is possible without a PUBKEY (auto-discovery) or with a local PUBKEY-file or with a PUBKEY-file via URL. With --root it has to be a PUBKEY - either local or via URL. Does it mean that the last line: To trust a key for an entire root domain, you must use the --root flag, with a path to a local key file (no discovery) in https://github.com/coreos/rkt/blob/master/Documentation/subcommands/trust.md#rkt-trust should be changed, since it says with a path to a local key file but a URL is also possible? Then i can change that also in this PR if you want.
My suggestion now:
trust: Prevented potentially dangerous unbounded trust of all containers signed by keys from coreos.com
To continue trusting a specific prefix of this domain:
rkt trust --prefix "coreos.com/foo" [PUBKEY]
rkt trust --prefix "coreos.com/foo/*" [PUBKEY]
Or, trust the root domain:
rkt trust --root PUBKEY
Well, i hope i am right. @lucab what do you think?
There was a problem hiding this comment.
@matthaias that's also my understanding.
I was double checking with the code, and I think the remote keyfile option is there on purpose. Thus I guess doc should just mention with a path to a key file (no discovery) (:+1: for spotting it).
Regarding the message, I would try to avoid guessing what the user was doing (ie. rkt trust my_key.pub.gpg is a whole different story, but will be shown your error). It is ok if you hardcode example.com and keep wording similar to your current message, like:
trust: aborting due to implicit unbounded trust (root domain)
Please provide a specific domain prefix to trust:
rkt trust --prefix "example.com/foo" [PUBKEY]
rkt trust --prefix "example.com/foo/*" [PUBKEY]
Otherwise, trust at the root domain (not recommended) must be explicitly requested:
rkt trust --root PUBKEY
There was a problem hiding this comment.
Thanks for your feedback @lucab, i will change the error message to your suggestion, change the doc and squash it to one commit.
|
Woops, i didn't expect to brake the build. I hope i can fix this tomorrow. |
|
@matthaias sorry for the delay in giving feedback on this. It looks like there are some spurious commits/merges on this branch, can you please squash them in a single commit? |
|
No worries, take your time.
Of course, i just wanted to be sure that this change is correct. So if it's ok, i wait for a approve of somebody? |
| @@ -59,7 +59,15 @@ func init() { | |||
| func runTrust(cmd *cobra.Command, args []string) (exit int) { | |||
| if flagPrefix == "" && !flagRoot { | |||
| if len(args) != 0 { | |||
| stderr.Print("--root required for non-prefixed (root) keys") | |||
| trustName := args[0] | |||
| cmdName := "trust" | |||
There was a problem hiding this comment.
This is effectively already hardcoded, you can put it directly into the error message.
Ah sorry, I just had a quick look at it and saw that the history was a bit muddy. |
Error message is not helpful at the moment for the user Fixes rkt#480
matthaias
force-pushed
the
improve-ux-for-root-keys
branch
from
151af22
to
c3bc7cc
Compare
|
@matthaias looks great, thanks! |
lucab
changed the title
Error message is not helpful at the moment for the user
Fixes #480
@jonboulle can you please take a look at this. I am not sure if this is ok so, this is my first code change in a golang project and rkt :)
The result is: