From 120b5d8ce104329e06cbad25afe0da3e5491332e Mon Sep 17 00:00:00 2001
From: Aaron Weitekamp
Date: Tue, 7 Feb 2017 11:55:28 -0500
Subject: [PATCH] Support adding pubkeys from local keyring
Closes: #878
Approved by: rhatdan
---
 Atomic/trust.py | 19 +++++++++++++++----
 docs/atomic-trust.1.md | 7 ++++---
 2 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/Atomic/trust.py b/Atomic/trust.py
index 2c6b451..9464cf7 100644
--- a/Atomic/trust.py
+++ b/Atomic/trust.py
@@ -28,10 +28,11 @@ def cli(subparser):
 atomic: openshift-based atomic registry"""
 commonp.add_argument("-k", "--pubkeys", nargs='?', default=[], action="append", dest="pubkeys",
- help=_("Local path or URL of public key(s) to trust for TARGET. "
+ help=_("Local path, URL of public key(s) or local user GPG "
+ "keyring ID to trust for TARGET. "
 "Keys are parsed and encoded into policy.json. "
 "May used multiple times to define multiple public keys. "
- "File(s) must exist before using this command."))
+ "File references must exist before using this command."))
 commonp.add_argument("-f", "--pubkeysfile", nargs='?', default=[], action="append", dest="pubkeysfile",
 help=_("Path of installed public key(s) to trust for TARGET. "
@@ -204,8 +205,9 @@ class Trust(Atomic):
 def get_pubkey_data(self, key_reference):
 """
- Get public key base64 encoded string to embed as keyData in policy.json
+ Return public key base64 encoded string to embed as keyData in policy.json
 :param key_reference: local file or download URI of public key
+ also accepts local user GPG keyring ID
 :return: encoded pubkey string or False
 """
 try:
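Review bot: The reworded docstring of get_pubkey_data still does not state the resolution order that the new code relies on, which is the security-relevant part of the contract: a reference is treated as a URL if it has a scheme and netloc, otherwise as a local file if it exists, and only then as a pattern handed to `gpg2 --export` against the user's keyring, so a mistyped file path silently becomes a keyring lookup. Suggest extending the `:param key_reference:` entry to read `:param key_reference: URL, existing local file, or (when neither) a pattern passed to gpg2 --export against the user's GPG keyring; a keyring lookup needs gpg2 on PATH`. The body of get_pubkey_data continues past this hunk, so the URL branch itself is not visible here.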
@@ -217,7 +219,16 @@ class Trust(Atomic):
 token = urlparse(key_reference)
 if not token.scheme or not token.netloc:
 if not os.path.exists(key_reference):
- raise ValueError("The public key file %s was not found. This file must exist to proceed." % key_reference)
+ cmd = ["gpg2", "--armor", "--export", key_reference]
+ keydata = util.check_output(cmd)
+ if not keydata:
+ raise ValueError("The public key reference '%s' was not "
+ "found as a file or in the user's GPG "
+ "keyring. Do you have any keys listed "
+ "with 'gpg2 --list-keys'? Or try "
+ "setting 'GNUPGHOME=~/.gnupg' or edit "
+ "'/etc/atomic.conf' to reference user's "
+ "GPG keyring." % key_reference)
 else:
 with open(key_reference, 'r') as f:
 keydata = f.read()
diff --git a/docs/atomic-trust.1.md b/docs/atomic-trust.1.md
index 0ee2b56..e070852 100644
--- a/docs/atomic-trust.1.md
+++ b/docs/atomic-trust.1.md
@@ -50,9 +50,10 @@ testing.
 Print usage statement.
 **-k** **--pubkeys**
- A reference to a local file or download URL to an exported public key. Keys
- will be parsed and encoded inline with policy.json. Option may be used
- multiple times to require an image be sigend by multiple keys. One of
+ A reference to a local file, download URL to an exported public key or a
+ local user GPG keyring ID (see output of 'gpg2 --list-keys'). Keys are
+ parsed and encoded inline with policy.json. Option may be used multiple
+ times to require an image be sigend by multiple keys. One of
 **--pubkeys** or **--pubkeysfile** is required for **signedBy** type. This
 option is recommended over **--pubkeysfile**.
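Review bot: The new `gpg2 --armor --export key_reference` call hands the reference to gpg as a bare pattern, and gpg matches patterns against key IDs, fingerprints and user-ID substrings, so a short or ambiguous reference can export several keys at once and all of them would be embedded as trusted keyData in policy.json without the user noticing. Before exporting, the code should confirm the pattern selects exactly one key, e.g. `listing = util.check_output(["gpg2", "--with-colons", "--list-keys", "--", key_reference])` and `if sum(1 for l in listing.splitlines() if l.startswith("pub:")) != 1:` followed by a ValueError asking for the full fingerprint (or gpg's `=` prefix for an exact user-ID match). The export itself should also separate options from the reference, `cmd = ["gpg2", "--armor", "--export", "--", key_reference]`, so a reference that begins with a dash cannot be taken by gpg as an option. If util.check_output raises on a non-zero exit or a missing gpg2 binary instead of returning an empty value, the friendly ValueError on the following lines is never reached; that behaviour is not visible here and is worth confirming against util.check_output, as is whether it returns text or bytes. The enclosing get_pubkey_data body starts before and continues after this hunk.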