github.com/stackdocker/rkt@v0.10.1-0.20151109095037-1aa827478248/Documentation/subcommands/trust.md

# rkt trust

Before executing a remotely fetched ACI, rkt will verify it based on attached signatures generated by the ACI creator.

Before this can happen, rkt needs to know which creators you trust to run images on your machine. The identity of each ACI creator is established with a public key, which is placed in rkt's key store on disk.

When adding a trusted key, a prefix can scope the level of established trust to a subset of images. A few examples:

```
# rkt trust --prefix=storage.coreos.com
```

```
# rkt trust --prefix=coreos.com/etcd
```

To trust a key for an entire root domain, you must use the `--root` flag, with a path to a local key file (no discovery).

```
# rkt trust --root ~/aci-pubkeys.gpg
```

## Trust a Key Using Meta Discovery

The easiest way to trust a key is through meta discovery. rkt will find and download a public key that the creator has published on their website. This process is detailed in the [Application Container specification][appc-discovery]. The TL;DR is that rkt will look for a meta tag like:

```html
<meta name="ac-discovery-pubkeys" content="coreos.com/etcd https://coreos.com/dist/pubkeys/aci-pubkeys.gpg">
```

and use it to download the public key and present it to you for approval:

```
# rkt trust --prefix=coreos.com/etcd
Prefix: "coreos.com/etcd"
Key: "https://coreos.com/dist/pubkeys/aci-pubkeys.gpg"
GPG key fingerprint is: 8B86 DE38 890D DB72 9186 7B02 5210 BD88 8818 2190
CoreOS ACI Builder <release@coreos.com>
Are you sure you want to trust this key (yes/no)? yes
Trusting "https://coreos.com/dist/pubkeys/aci-pubkeys.gpg" for prefix "coreos.com/etcd".
Added key for prefix "coreos.com/etcd" at "/etc/rkt/trustedkeys/prefix.d/coreos.com/etcd/8b86de38890ddb7291867b025210bd8888182190"
```

If rkt can't find a key using meta discovery, an error will be printed:

```
# rkt trust --prefix=coreos.com
Error determining key location: --prefix meta discovery error: found no ACI meta tags
```

## Trust a Key From a Specific Location

If you know where a public key is located, you can request it directly from disk or via HTTPS:

```
# rkt trust --prefix=coreos.com/etcd https://coreos.com/dist/pubkeys/aci-pubkeys.gpg
Prefix: "coreos.com/etcd"
Key: "https://coreos.com/dist/pubkeys/aci-pubkeys.gpg"
GPG key fingerprint is: 8B86 DE38 890D DB72 9186 7B02 5210 BD88 8818 2190
CoreOS ACI Builder <release@coreos.com>
Are you sure you want to trust this key (yes/no)? yes
Trusting "https://coreos.com/dist/pubkeys/aci-pubkeys.gpg" for prefix "coreos.com/etcd".
Added key for prefix "coreos.com/etcd" at "/etc/rkt/trustedkeys/prefix.d/coreos.com/etcd/8b86de38890ddb7291867b025210bd8888182190"
```

## Pre-Populating Trusted Keys on Disk

Trusted public keys can be pre-populated by placing them in the appropriate location on disk for the desired prefix.

```
$ ls -l /etc/rkt/trustedkeys/
[insert example of root key vs prefixed key]
```
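As an added illustration of the meta discovery and key-store layout described above (example code, not rkt's own implementation), the following parses `ac-discovery-pubkeys` meta tags from a constructed page, keeps only HTTPS key URLs whose tag prefix covers the requested prefix (segment-wise prefix matching is assumed here, as in the appc discovery spec), and derives the `prefix.d` key-store path that rkt reports after trusting a key.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page, modelled on the meta tag shown in the rkt docs.
# The second tag deliberately uses plain http so the filter has something to reject.
SAMPLE_HTML = """<html><head>
<meta name="ac-discovery-pubkeys" content="coreos.com/etcd https://coreos.com/dist/pubkeys/aci-pubkeys.gpg">
<meta name="ac-discovery-pubkeys" content="coreos.com/fleet http://coreos.com/dist/pubkeys/aci-pubkeys.gpg">
</head><body></body></html>"""

TRUSTED_KEYS_DIR = "/etc/rkt/trustedkeys"  # location shown in the rkt output above


class PubkeyMetaParser(HTMLParser):
    """Collect (prefix, url) pairs from ac-discovery-pubkeys meta tags."""

    def __init__(self):
        super().__init__()
        self.entries = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        if a.get("name") != "ac-discovery-pubkeys":
            return
        parts = (a.get("content") or "").split()
        if len(parts) == 2:  # content is "<prefix> <key url>"
            self.entries.append((parts[0], parts[1]))


def discover_pubkey_urls(html, prefix):
    """Return HTTPS key URLs whose tag prefix covers `prefix`.
    Assumed semantics: a tag for "coreos.com" also covers "coreos.com/etcd".
    Non-HTTPS URLs are dropped so an on-path attacker cannot swap the key."""
    p = PubkeyMetaParser()
    p.feed(html)
    urls = []
    for tag_prefix, url in p.entries:
        if prefix != tag_prefix and not prefix.startswith(tag_prefix + "/"):
            continue
        if urlsplit(url).scheme != "https":
            continue
        urls.append(url)
    return urls


def keystore_path(prefix, fingerprint):
    """Path rkt reports: prefix.d/<prefix>/<fingerprint, lowercase, no spaces>."""
    fp = fingerprint.replace(" ", "").lower()
    if len(fp) != 40 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError("fingerprint must be 40 hex digits")
    return f"{TRUSTED_KEYS_DIR}/prefix.d/{prefix}/{fp}"
```

Comparing the derived path's fingerprint against one obtained out of band (the vendor's published fingerprint) is the check that makes the interactive "yes" in the transcripts above meaningful.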