diff --git a/Atomic/push.py b/Atomic/push.py
index b33f00c..0116490 100644
--- a/Atomic/push.py
+++ b/Atomic/push.py
@@ -60,6 +60,13 @@ def cli(subparser):
 pushp.add_argument("--sign-by", dest="sign_by", default=signer,
 help=_("Name of the signing key. Currently %s, "
 "default can be defined in /etc/atomic.conf" % signer))
+ pushp.add_argument("-g", "--gnupghome",
+ default=None,
+ dest="gnupghome",
+ help=_("Set the GNUPGHOME environment variable to "
+ "use an alternate user's GPG keyring for signing. "
+ "Useful when running with sudo, "
+ "e.g. set to '~/.gnupg'."))
 # pushp.add_argument("--activation_key_name",
 # default=None,
 # dest="activation_key_name",
diff --git a/Atomic/sign.py b/Atomic/sign.py
index efdf357..3e0d735 100644
--- a/Atomic/sign.py
+++ b/Atomic/sign.py
@@ -28,6 +28,13 @@ def cli(subparser):
 default=None,
 dest="signature_path",
 help=_("Define an alternate directory to store signatures"))
+ signp.add_argument("-g", "--gnupghome",
+ default=None,
+ dest="gnupghome",
+ help=_("Set the GNUPGHOME environment variable to "
+ "use an alternate user's GPG keyring. "
+ "Useful when running with sudo, "
+ "e.g. set to '~/.gnupg'."))

 class Sign(Atomic):
 def __init__(self):
@@ -57,6 +64,15 @@ class Sign(Atomic):
 registry_config_path = '/etc/containers/registries.d' if registry_config_path is None else registry_config_path
 registry_configs, default_store = util.get_registry_configs(registry_config_path)

+ # we honor GNUPGHOME if set, override with atomic.conf, arg overrides all
+ gpghomedir = None
+ if self.args.gnupghome:
+ gpghomedir = self.args.gnupghome
+ else:
+ gpghomedir = util.get_atomic_config_item(['gnupg_homedir'])
+ if gpghomedir:
+ os.environ['GNUPGHOME'] = gpghomedir
+
 for sign_image in images:
 remote_inspect_info = util.skopeo_inspect("docker://{}".format(sign_image))
 manifest = util.skopeo_inspect('docker://{}'.format(sign_image), args=['--raw'], return_json=False)
diff --git a/atomic.conf b/atomic.conf
index 886b38f..54f3ed0 100644
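Review bot: The `-g/--gnupghome` option is added to the push parser, but nothing on the push path in this diff reads `args.gnupghome`; the only consumer visible here is the `Sign` method changed in Atomic/sign.py (`@@ -57,6 +64,15 @@`). If push hands its argument namespace to `Sign` for the signing step this is fine, otherwise the flag is accepted and silently ignored, which is worth confirming before merge. The help string is also a near-verbatim copy of the one added to sign.py; a single module-level constant (or a small helper that adds the argument to a given subparser) would keep the two wordings from drifting. The enclosing `cli` function starts and ends outside the hunk.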
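Review bot: `os.environ['GNUPGHOME'] = gpghomedir` publishes the CLI/config value into the process environment without `os.path.expanduser` and without checking that the directory exists, so the quoted `'~/.gnupg'` form the new help text suggests is passed to gpg literally, and a mistyped path surfaces only later from gpg instead of as a clear error here. Because the docs hunk describes running this under sudo, the value also decides which user's keyring a root process opens, so an early `isdir` check keeps that decision explicit and visible in the error message. `gpghomedir = None` is redundant since both branches of the `if` assign it; the precedence (arg over atomic.conf over inherited GNUPGHOME) can be written as one `or` expression. The enclosing method continues outside the hunk.
```python
        # we honor GNUPGHOME if set, override with atomic.conf, arg overrides all
        gpghomedir = self.args.gnupghome or util.get_atomic_config_item(['gnupg_homedir'])
        if gpghomedir:
            gpghomedir = os.path.expanduser(gpghomedir)
            if not os.path.isdir(gpghomedir):
                raise ValueError("GNUPGHOME '{}' is not a directory".format(gpghomedir))
            os.environ['GNUPGHOME'] = gpghomedir
        # … unchanged: per-image inspect/sign loop …
```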
--- a/atomic.conf +++ b/atomic.conf @@ -16,3 +16,5 @@ pubkeys_dir: /etc/pki/containers # Default identity for signing images # default_signer: +# Absolute path to GPG keyring. Value set as environment variable GNUPGHOME +#gnupg_homedir: /home/USER/.gnupg diff --git a/docs/atomic-sign.1.md b/docs/atomic-sign.1.md index 1a0feb7..c183de6 100644 --- a/docs/atomic-sign.1.md +++ b/docs/atomic-sign.1.md @@ -16,6 +16,7 @@ Only use **atomic sign** if you trust the remote registry which contains the ima [**-d**, **--directory**] [**--sign-by**] +[**-g**, **--gnupghome**] [ image ... ] # DESCRIPTION @@ -30,12 +31,14 @@ in /etc/atomic.conf. **-d** **--directory** Store the signatures in the specified directory. Default: /var/lib/atomic/signature - **--sign-by** Override the default identity of the signature. You can define a default in /etc/atomic.conf with the key **default_signer**. +**-g** **--gnupghome** + Specify the GNUPGHOME directory to use for signing, e.g. ~/.gnupg. This + argument will override the value of **gnupg_homedir** in /etc/atomic.conf. # EXAMPLES Sign the foobar image from privateregistry.example.com @@ -46,9 +49,9 @@ Sign the foobar image and save the signature in /tmp/signatures/. atomic sign -d /tmp/signatures privateregistry.example.com -Sign the busybox image with the identify of foo@bar.com +Sign the busybox image with the identify of foo@bar.com with a user's keyring - atomic sign --sign-by foo@bar.com privateregistry.example.com + sudo atomic sign --sign-by foo@bar.com --gnupghome=~/.gnupg privateregistry.example.com # RELATED CONFIGURATION 
@@ -80,6 +83,13 @@ Now any image from the john repository will use the sigstore-staging location of means that signatures should be written to that location but read should occur from the http URL provided. +The user's keyring will be used during signing. When running as root user this may +not be desired. Another keyring may be specified using environment variable GNUPGHOME, +passed in via argument --gnupghome or set in configuration file atomic.conf. For example: + +gnupg_homedir: /home/USER/.gnupg + # HISTORY Initial revision by Brent Baude (bbaude at redhat dot com) August 2016 Updated by Brent Baude (bbaude at redhat dot com) September 2016 +Updated by Aaron Weitekamp (aweiteka at redhat dot com) September 2016