add keyring override config

Closes: #643
Approved by: rhatdan

Atomic/push.py

@@ -60,6 +60,13 @@ def cli(subparser):
     pushp.add_argument("--sign-by", dest="sign_by", default=signer,
                        help=_("Name of the signing key. Currently %s, "
                               "default can be defined in /etc/atomic.conf" % signer))
+    pushp.add_argument("-g", "--gnupghome",
+                       default=None,
+                       dest="gnupghome",
+                       help=_("Set the GNUPGHOME environment variable to "
+                              "use an alternate user's GPG keyring for signing. "
+                              "Useful when running with sudo, "
+                              "e.g. set to '~/.gnupg'."))
     # pushp.add_argument("--activation_key_name",
     #                      default=None,
     #                      dest="activation_key_name",

Atomic/sign.py

@@ -28,6 +28,13 @@ def cli(subparser):
                        default=None,
                        dest="signature_path",
                        help=_("Define an alternate directory to store signatures"))
+    signp.add_argument("-g", "--gnupghome",
+                       default=None,
+                       dest="gnupghome",
+                       help=_("Set the GNUPGHOME environment variable to "
+                              "use an alternate user's GPG keyring. "
+                              "Useful when running with sudo, "
+                              "e.g. set to '~/.gnupg'."))
 
 class Sign(Atomic):
     def __init__(self):
@@ -57,6 +64,15 @@ class Sign(Atomic):
         registry_config_path = '/etc/containers/registries.d' if registry_config_path is None else registry_config_path
         registry_configs, default_store = util.get_registry_configs(registry_config_path)
 
+        # we honor GNUPGHOME if set, override with atomic.conf, arg overrides all
+        gpghomedir =  None
+        if self.args.gnupghome:
+            gpghomedir = self.args.gnupghome
+        else:
+            gpghomedir = util.get_atomic_config_item(['gnupg_homedir'])
+        if gpghomedir:
+            os.environ['GNUPGHOME'] = gpghomedir
+
         for sign_image in images:
             remote_inspect_info = util.skopeo_inspect("docker://{}".format(sign_image))
             manifest = util.skopeo_inspect('docker://{}'.format(sign_image), args=['--raw'], return_json=False)

atomic.conf

@@ -16,3 +16,5 @@ pubkeys_dir: /etc/pki/containers
 
 # Default identity for signing images
 # default_signer:
+# Absolute path to GPG keyring. Value set as environment variable GNUPGHOME
+#gnupg_homedir: /home/USER/.gnupg

docs/atomic-sign.1.md

@@ -16,6 +16,7 @@ Only use **atomic sign** if you trust the remote registry which contains the ima
 
 [**-d**, **--directory**]
 [**--sign-by**]
+[**-g**, **--gnupghome**]
 [ image ... ]
 
 # DESCRIPTION
@@ -30,12 +31,14 @@ in /etc/atomic.conf.
 
 **-d** **--directory**
   Store the signatures in the specified directory.  Default: /var/lib/atomic/signature
- 
 
 **--sign-by**
   Override the default identity of the signature. You can define a default in /etc/atomic.conf
   with the key **default_signer**.
 
+**-g** **--gnupghome**
+  Specify the GNUPGHOME directory to use for signing, e.g. ~/.gnupg. This
+  argument will override the value of **gnupg_homedir** in /etc/atomic.conf.
 
 # EXAMPLES
 Sign the foobar image from privateregistry.example.com
@@ -46,9 +49,9 @@ Sign the foobar image and save the signature in /tmp/signatures/.
 
     atomic sign -d /tmp/signatures privateregistry.example.com
 
-Sign the busybox image with the identify of foo@bar.com
+Sign the busybox image with the identify of foo@bar.com with a user's keyring
 
-    atomic sign --sign-by foo@bar.com privateregistry.example.com
+   sudo atomic sign --sign-by foo@bar.com --gnupghome=~/.gnupg privateregistry.example.com
 
 # RELATED CONFIGURATION
 
@@ -80,6 +83,13 @@ Now any image from the john repository will use the sigstore-staging location of
 means that signatures should be written to that location but read should occur from
 the http URL provided.
 
+The user's keyring will be used during signing. When running as root user this may
+not be desired. Another keyring may be specified using environment variable GNUPGHOME,
+passed in via argument --gnupghome or set in configuration file atomic.conf. For example:
+
+gnupg_homedir: /home/USER/.gnupg
+
 # HISTORY
 Initial revision by Brent Baude (bbaude at redhat dot com) August 2016
 Updated by Brent Baude (bbaude at redhat dot com) September 2016
+Updated by Aaron Weitekamp (aweiteka at redhat dot com) September 2016