
add keyring override config
Closes: #643
Approved by: rhatdan
aweiteka authored and rh-atomic-bot committed Sep 26, 2016
1 parent 09f5ec7 commit c00a197
Showing 4 changed files with 38 additions and 3 deletions.
7 changes: 7 additions & 0 deletions Atomic/push.py
Expand Up @@ -60,6 +60,13 @@ def cli(subparser):
pushp.add_argument("--sign-by", dest="sign_by", default=signer,
help=_("Name of the signing key. Currently %s, "
"default can be defined in /etc/atomic.conf" % signer))
pushp.add_argument("-g", "--gnupghome",
default=None,
dest="gnupghome",
help=_("Set the GNUPGHOME environment variable to "
"use an alternate user's GPG keyring for signing. "
"Useful when running with sudo, "
"e.g. set to '~/.gnupg'."))
# pushp.add_argument("--activation_key_name",
# default=None,
# dest="activation_key_name",
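Review bot: The new `-g/--gnupghome` option is only parsed in this hunk; nothing in this section consumes `self.args.gnupghome`, so unless the push code path sets `GNUPGHOME` the way Atomic/sign.py does in this same commit, the flag is accepted and silently ignored (the rest of push.py is outside the hunk, so this is inferred, not confirmed). Whichever method consumes the value should apply the same precedence as sign.py — the argument, then `gnupg_homedir` from atomic.conf, then any `GNUPGHOME` already in the environment — so that push and sign select the same keyring for the same invocation. The help text example `'~/.gnupg'` is quoted, which a shell passes through literally and gpg does not expand; either expand it with `os.path.expanduser` where the value is consumed or change the example to an unquoted `~/.gnupg`.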
16 changes: 16 additions & 0 deletions Atomic/sign.py
Expand Up @@ -28,6 +28,13 @@ def cli(subparser):
default=None,
dest="signature_path",
help=_("Define an alternate directory to store signatures"))
signp.add_argument("-g", "--gnupghome",
default=None,
dest="gnupghome",
help=_("Set the GNUPGHOME environment variable to "
"use an alternate user's GPG keyring. "
"Useful when running with sudo, "
"e.g. set to '~/.gnupg'."))

class Sign(Atomic):
def __init__(self):
Expand Down Expand Up @@ -57,6 +64,15 @@ def no_reg_no_default_error(image, registry_path):
registry_config_path = '/etc/containers/registries.d' if registry_config_path is None else registry_config_path
registry_configs, default_store = util.get_registry_configs(registry_config_path)

# we honor GNUPGHOME if set, override with atomic.conf, arg overrides all
gpghomedir = None
if self.args.gnupghome:
gpghomedir = self.args.gnupghome
else:
gpghomedir = util.get_atomic_config_item(['gnupg_homedir'])
if gpghomedir:
os.environ['GNUPGHOME'] = gpghomedir

for sign_image in images:
remote_inspect_info = util.skopeo_inspect("docker://{}".format(sign_image))
manifest = util.skopeo_inspect('docker://{}'.format(sign_image), args=['--raw'], return_json=False)
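Review bot: The value assigned to `os.environ['GNUPGHOME']` in the second hunk is used verbatim: a tilde is not expanded and the directory is never checked, so a literal `'~/.gnupg'` (the quoted form the new help text suggests) or a mistyped `gnupg_homedir` in atomic.conf points gpg at a keyring that does not exist, and the failure only surfaces later from skopeo as a missing signing key. Expand the path and fail early with a clear message, using whatever error type the surrounding `sign` checks already raise (ValueError below is a placeholder for that); the `if`/`else` that picks the directory also collapses into a single `or`. The enclosing method starts outside the hunk, so whether `os` is imported in this module cannot be confirmed here, though the new code already depends on it. The comment above the block should state the precedence explicitly, e.g. `# precedence: --gnupghome arg, then gnupg_homedir from atomic.conf, then any GNUPGHOME already in the environment`.
```python
        # precedence: --gnupghome arg, then gnupg_homedir from atomic.conf,
        # then any GNUPGHOME already in the environment
        gpghomedir = self.args.gnupghome or util.get_atomic_config_item(['gnupg_homedir'])
        if gpghomedir:
            gpghomedir = os.path.expanduser(gpghomedir)
            if not os.path.isdir(gpghomedir):
                raise ValueError("GNUPGHOME directory does not exist: {}".format(gpghomedir))
            os.environ['GNUPGHOME'] = gpghomedir
        # … unchanged: per-image signing loop …
```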
2 changes: 2 additions & 0 deletions atomic.conf
Expand Up @@ -16,3 +16,5 @@ pubkeys_dir: /etc/pki/containers

# Default identity for signing images
# default_signer:
# Absolute path to GPG keyring. Value set as environment variable GNUPGHOME
#gnupg_homedir: /home/USER/.gnupg
16 changes: 13 additions & 3 deletions docs/atomic-sign.1.md
Expand Up @@ -16,6 +16,7 @@ Only use **atomic sign** if you trust the remote registry which contains the ima

[**-d**, **--directory**]
[**--sign-by**]
[**-g**, **--gnupghome**]
[ image ... ]

# DESCRIPTION
Expand All @@ -30,12 +31,14 @@ in /etc/atomic.conf.

**-d** **--directory**
Store the signatures in the specified directory. Default: /var/lib/atomic/signature


**--sign-by**
Override the default identity of the signature. You can define a default in /etc/atomic.conf
with the key **default_signer**.

**-g** **--gnupghome**
Specify the GNUPGHOME directory to use for signing, e.g. ~/.gnupg. This
argument will override the value of **gnupg_homedir** in /etc/atomic.conf.

# EXAMPLES
Sign the foobar image from privateregistry.example.com
Expand All @@ -46,9 +49,9 @@ Sign the foobar image and save the signature in /tmp/signatures/.

atomic sign -d /tmp/signatures privateregistry.example.com

Sign the busybox image with the identify of foo@bar.com
Sign the busybox image with the identify of foo@bar.com with a user's keyring

atomic sign --sign-by foo@bar.com privateregistry.example.com
sudo atomic sign --sign-by foo@bar.com --gnupghome=~/.gnupg privateregistry.example.com

# RELATED CONFIGURATION

Expand Down Expand Up @@ -80,6 +83,13 @@ Now any image from the john repository will use the sigstore-staging location of
means that signatures should be written to that location but read should occur from
the http URL provided.

The user's keyring will be used during signing. When running as root user this may
not be desired. Another keyring may be specified using environment variable GNUPGHOME,
passed in via argument --gnupghome or set in configuration file atomic.conf. For example:

gnupg_homedir: /home/USER/.gnupg

# HISTORY
Initial revision by Brent Baude (bbaude at redhat dot com) August 2016
Updated by Brent Baude (bbaude at redhat dot com) September 2016
Updated by Aaron Weitekamp (aweiteka at redhat dot com) September 2016
