Inline pubkeys in policy.json #853
docs/atomic-trust.1.md
| for **signedBy** type. | ||
|
|
||
| **-f**_**--file** | ||
| Reference pubkeys as files on host system instead of inlining pubkey data |
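Review bot: the man page entry for **-f**/**--file** says what the flag does but not what the default does instead: without it the key file is read now and its contents embedded in policy.json (the `keyData` form), so later changes to the file on disk do not alter what is trusted; with it policy.json carries only a path (`keyPath`) that the verifier opens at pull time, so the file must still exist and be unchanged then. One sentence stating that trade-off, with "public keys" spelled out, would let the user make the choice deliberately.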
Should this be public keys as files ...inlining public key data
Atomic/trust.py
| showp.add_argument('-j', '--json', action='store_true', help="Output as json") | ||
| showp.set_defaults(_class=Trust, func="show") | ||
| addp.add_argument('-f', '--file', action='store_true', | ||
| help=_("Reference pubkeys as files on host system instead " |
Atomic/trust.py
| self.atomic_config = util.get_atomic_config() | ||
|
|
||
| def add(self, registry=None, pubkeys=None, sigstore=None, sigstoretype=None, keytype=None, trust_type=None): | ||
| def add(self, registry=None, pubkeys=None, sigstore=None, sigstoretype=None, keytype=None, trust_type=None, pubkeys_file=False): |
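Review bot: `pubkeys_file` switches how every entry of `pubkeys` is handled, and the two modes fail at different times: in the inline mode each path (or URL) must be readable when `add` runs, so a missing file should raise before policy.json is written, whereas in the file mode the path is only dereferenced at verification time. A check at the top of `add` that every entry in `pubkeys` exists in inline mode, and a name such as `pubkeys_as_paths` for the boolean, would make that explicit.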
Is pubkeys_file a boolean or a path? Should we just check if path == None
Atomic/trust.py
| :param keytype: string, "GPGKeys" | ||
| :param trust_type: string, one of "signedBy", "insecureAcceptAnything", "reject" | ||
| :param sigstore: string, URL of signature server | ||
| :param pubkeys_file: boolean, reference pubkeys as filepath |
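Review bot: the docstring describes the boolean but not what `pubkeys` must contain in each mode: with `pubkeys_file` false, file paths or URLs whose contents are read and written into policy.json as `keyData`; with it true, host paths copied verbatim into `keyPath`. Stating that under `:param pubkeys:` would answer the boolean-versus-path question raised above.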
If it is a boolean it should not be called a _file.
16ef971 to fd4c073
You are still referencing pubkeys in the --help and man page for the user; I think we should spell it out for those cases. Also, the CLI now has --pubkeys and --file? Is this confusing?

The option is pubkeys, but I think I spell it out as "public keys" in the help/manpage. Do you want a longer option like

Yes, possibly. How can we make this less confusing? I considered

Let's discuss this together.
2a24429 to 93fb01a

93fb01a to 3851f57
| class Args(): | ||
| def __init__(self): | ||
| self.debug = None | ||
| self.assumeyes = None |
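Review bot: this stub replaces the user's real global options with `None` whenever trust is entered from Atomic/pull.py, so `--debug` and `--assumeyes` given on the pull command line are silently ignored on that path. pull.py already holds the parsed args; passing that object through (or accepting the two flags as parameters of the trust call) would remove the stub, and if the stub stays, a comment naming the caller it exists for would help the next reader.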
This can be called from Atomic/pull.py (the auto-discover trust workflow), in which case it fails to pass in global opts. @baude we discussed this. Not sure if there is a more elegant workaround. It works but does seem silly.
| "Keys are parsed and encoded into policy.json. " | ||
| "May used multiple times to define multiple public keys. " | ||
| "File(s) must exist before using this command.")) | ||
| commonp.add_argument("-f", "--pubkeysfile", nargs='?', default=[], |
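Review bot: `nargs='?'` with `default=[]` gives `args.pubkeysfile` different types depending on the command line: a list when the option is absent, a plain string for `-f path`, and `None` for a bare `-f`, so code that loops over it would iterate the characters of the path. Either `action='append', default=[]`, matching the repeatable option whose help text precedes it, or `nargs='+'` keeps it a list in every case. Also, that preceding help text reads "May used multiple times"; it should be "May be used multiple times".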
Should --pubkeys and --pubkeysfile be mutually exclusive? Or would a user specify both on the same command line?
It's possible and valid to use both commands, although unexpected. No reason to restrict it, IMO.
Tests are failing on assumeyes?

Fixed.

📌 Commit a296d6c has been approved by

@rh-atomic-bot r=rhatdan a296d6c

Closes: #853 Approved by: rhatdan

☀️ Test successful - status-redhatci
Default is now to inline pubkeys as "keyData" strings inside policy.json, with the option to reference them as installed files ("keyPath") on the host system, the previous behavior.
We also now support passing in a URL to a public key.
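The two policy.json forms this PR describes, inline "keyData" and host-file "keyPath", plus a key supplied as a URL, as an added Python example that is not code from the atomic project. It assumes the containers/image policy.json layout (transports, then docker, then a registry scope holding a list of requirement objects) with keyData holding the base64 of the raw key bytes; the function names, the constructed sample key, the offline fetcher and the registry names are invented for the example.

```python
# Added example, not code from the atomic project: the two forms of a
# policy.json "signedBy" requirement described in this PR, inline keyData
# (default) and host-file keyPath, plus a key given as a URL. Assumes the
# containers/image layout transports -> docker -> <registry> -> [requirements]
# with keyData = base64 of the raw key bytes. Names and sample key invented.
import base64
import json
import os
import tempfile
from urllib.parse import urlparse

KEY_TYPE = "GPGKeys"
# Constructed stand-in for an exported public key; not a real key.
CONSTRUCTED_KEY = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
                   b"constructed-sample-key-bytes\n"
                   b"-----END PGP PUBLIC KEY BLOCK-----\n")

def _is_url(source):
    return urlparse(source).scheme in ("http", "https")

def load_key_bytes(source, fetch=None):
    """Raw key bytes from a file path or an http(s) URL. `fetch` is an
    injected callable(url) -> bytes so the example runs offline; a real
    tool should insist on https, since a key pulled over plain http can be
    replaced by anyone on the network path."""
    if _is_url(source):
        if fetch is None:
            raise ValueError("URL key source needs a fetcher: %s" % source)
        return fetch(source)
    with open(source, "rb") as f:
        return f.read()

def signed_by_requirement(source, inline=True, fetch=None):
    """One signedBy requirement for one key.
    inline=True  -> keyData: read (or fetched) now and embedded as base64,
                    so later edits to the file on disk do not change trust.
    inline=False -> keyPath: absolute host path the verifier opens at pull
                    time; the file must still exist and be unchanged then."""
    if inline:
        data = load_key_bytes(source, fetch)
        return {"type": "signedBy", "keyType": KEY_TYPE,
                "keyData": base64.b64encode(data).decode("ascii")}
    if _is_url(source):
        raise ValueError("keyPath must be a host file, not a URL: %s" % source)
    if not os.path.isfile(source):
        raise FileNotFoundError(source)
    return {"type": "signedBy", "keyType": KEY_TYPE,
            "keyPath": os.path.abspath(source)}

def decode_key_data(requirement):
    """Inverse of the inline form: the key bytes embedded in keyData."""
    return base64.b64decode(requirement["keyData"], validate=True)

def set_registry_requirements(policy, registry, requirements):
    """Set the docker-transport requirements for one registry scope. All
    entries in the list must hold (they are ANDed): two signedBy entries
    mean 'signed by both keys', not 'signed by either'."""
    docker = policy.setdefault("transports", {}).setdefault("docker", {})
    docker[registry] = list(requirements)
    return policy

def check_requirement(requirement):
    """True if a verifier could act on this requirement right now."""
    if requirement["type"] != "signedBy":
        return requirement["type"] in ("insecureAcceptAnything", "reject")
    if "keyData" in requirement:
        try:
            return len(decode_key_data(requirement)) > 0
        except ValueError:  # binascii.Error is a ValueError subclass
            return False
    path = requirement.get("keyPath", "")
    return os.path.isabs(path) and os.access(path, os.R_OK)

def demo():
    """Write both forms to a policy.json, read it back, then let the key
    file disappear: keyPath then dangles while keyData keeps working."""
    with tempfile.TemporaryDirectory() as tmp:
        key_file = os.path.join(tmp, "example.gpg")
        with open(key_file, "wb") as f:
            f.write(CONSTRUCTED_KEY)
        inline = signed_by_requirement(key_file)
        by_path = signed_by_requirement(key_file, inline=False)
        # offline stand-in for an HTTP fetch of the same constructed key
        from_url = signed_by_requirement("https://example.invalid/key.gpg",
                                         fetch=lambda url: CONSTRUCTED_KEY)
        policy = {"default": [{"type": "reject"}]}
        set_registry_requirements(policy, "registry.example.com", [inline])
        set_registry_requirements(policy, "docker.io/library", [by_path])
        with open(os.path.join(tmp, "policy.json"), "w") as f:
            json.dump(policy, f, indent=2)
        with open(os.path.join(tmp, "policy.json")) as f:
            reloaded = json.load(f)
        present = check_requirement(by_path)
    # the temporary directory, and with it example.gpg, no longer exists
    return {"inline": inline, "by_path": by_path, "from_url": from_url,
            "reloaded": reloaded, "inline_ok": check_requirement(inline),
            "by_path_ok_while_present": present,
            "by_path_ok_after_removal": check_requirement(by_path)}

if __name__ == "__main__":
    print(json.dumps(demo()["reloaded"], indent=2))
```

Running the file prints the reloaded policy with one registry scope carrying the base64 key and the other carrying the absolute path; `demo()` also shows the edge case the inline default removes: once the key file is gone, the keyPath requirement can no longer be evaluated while the keyData one is unaffected.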