cc @gtank @brianredbeard @pbx0

With this setup, trusting new keys replaces existing ones. Multiple keys can still be trusted, but they all need to be added in the same step. I don't know what the use case for multiple public keys being trusted for a given prefix is though, so if people think that's important I can add a flag to rkt trust to allow for adding keys for a prefix (as opposed to replacing keys for a prefix).

Thanks!

• Are the patches rebased on master? If so, rkt should be compiled in build-rkt-0.16.0 instead of build-rkt-0.15.0.
• When I delete the key manually with rm -f /etc/rkt/trustedkeys/prefix.d/coreos.com/etcd/8b86de38890ddb7291867b025210bd8888182190, I cannot trust the key again with rkt trust --prefix coreos.com/etcd if the directory /etc/rkt/trustedkeys/prefix.d/coreos.com/etcd/ exists, even empty. Is it the intended behavior? At least, the error message "keys already set for prefix" should be changed because there are no keys in the empty directory.
• Can users still disable a key by writing an empty file as explained in the Establishing trust documentation?
• If I trust manually the CoreOS key for all coreos.com images with rkt trust --prefix=coreos.com https://coreos.com/dist/pubkeys/aci-pubkeys.gpg and then exec etcd with rkt run coreos.com/etcd:v2.0.10, then it will ask me if I trust the key even though it is already trusted for the whole prefix coreos.com. Replying no would execute successfully the image anyway because the key is trusted in the "parent" prefix.
• In the scenario above, when running rkt as a systemd service, I get "error reading input: EOF" because there is no stdin. Is that ok?

$ sudo systemd-run build-rkt-0.16.0+git/bin/rkt run coreos.com/etcd:v2.0.10
Running as unit run-6147.service.
$ sudo journalctl -u  run-6147.service
...
rkt[6148]: rkt: remote fetching from URL "https://github.com/coreos/etcd/releases/download/v2.0.10/etcd-v2.0
rkt[6148]: prefix: "coreos.com/etcd"
rkt[6148]: key: "https://coreos.com/dist/pubkeys/aci-pubkeys.gpg"
rkt[6148]: gpg key fingerprint is: 8B86 DE38 890D DB72 9186  7B02 5210 BD88 8818 2190
rkt[6148]: CoreOS ACI Builder <release@coreos.com>
rkt[6148]: Are you sure you want to trust this key (yes/no)?
rkt[6148]: rkt: error adding keys: error reviewing key: error reading input: EOF
rkt[6148]: rkt: downloading signature from https://github.com/coreos/etcd/releases/download/v2.0.10/etcd-v2.
rkt[6148]: Downloading signature:  0 B/819 B
rkt[6148]: Downloading signature:  819 B/819 B
rkt[6148]: Downloading ACI:  0 B/3.79 MB
rkt[6148]: Downloading ACI:  16.4 KB/3.79 MB
rkt[6148]: Downloading ACI:  1.76 MB/3.79 MB
rkt[6148]: Downloading ACI:  3.79 MB/3.79 MB
rkt[6148]: rkt: signature verified:
rkt[6148]: CoreOS ACI Builder <release@coreos.com>
rkt[6148]: [135212.464297] etcd[4]: 2016/01/26 11:23:36 etcd: no data-dir provided, using default data-dir .
rkt[6148]: [135212.465017] etcd[4]: 2016/01/26 11:23:36 etcd: listening for peers on http://localhost:2380

When using --replace-keys, it deletes recursively all the keys for the specified prefix. Should it say which keys it is going to delete and ask confirmation?

For example, if I had keys in several depths of prefixes:

/etc/rkt/trustedkeys/prefix.d/coreos.com/8b86de38890ddb7291867b025210bd8888182190
/etc/rkt/trustedkeys/prefix.d/coreos.com/etcd/8b86de38890ddb7291867b025210bd8888182190
/etc/rkt/trustedkeys/prefix.d/coreos.com/etcd/foo/8b86de38890ddb7291867b025210bd8888182190

rkt trust --prefix=coreos.com https://coreos.com/dist/pubkeys/aci-pubkeys.gpg --replace-keys will delete them all.

Fixes #1880

Is this making rkt run interactive? How does this affect the use of "rkt run" in a systemd unit?

Nevermind, @alban already pointed that out.

• tests
• changelog
• updated documentation in Signing and Verification Guide
• updated documentation in rkt trust subcommand
• non-interactive executions (systemd service)
• disabling installed keys with empty file
• multi-level prefixes

I didn't consider making rkt run interactive, so instead of asking to trust a key to under rkt run on first go, the error message should probably always point to using rkt trust instead.

I wonder if we even want to be checking for existing matching keys at all at this point. We can't use it to trigger an interactive question for rkt run. Also, since --trust-keys-from-https no longer defaults true, then i'm not sure its necessary to error on new keys and introduce the TOFU model when a flag has already been set to bypass the need to rkt trust in the first place. However, checking if existing keys match a name would be useful be useful in providing more detailed errors messages. Any thoughts?

Also, I agree that rkt trust doesn't need to delete old keys. I don't see as reason to destroy old keys when rkt trusting new keys. I mean it might be useful to do an all at once key rotation, but, it seems like its behavior could be surprising. Probably better left as future work under some sort of rkt revoke UX. (briefly mentioned in this issue).

I have no clue why my rkt is building in build-rkt-0.15.0 instead of build-rkt-0.16.0, but the resulting binary is claiming to be version 0.16.0+gitfe93264.

Users should still be able to use empty files to disable keys installed in /usr.

Just added a commit (I'll squash them at the end). Notable changes:

• Removed --replace-keys, and rkt will now never delete keys. rkt trust will add keys, as before.
• rkt will only prompt the user for key review when running in a tty
• rkt will now consider empty files/directories and parent prefixes when determining if keys exist for a given prefix

A log of the tty change:

[nix-shell:~/go/src/github.com/coreos/rkt]$ sudo systemd-run ./build-rkt-0.15.0/bin/rkt run aci.gonyeo.com/nginx
Running as unit run-r8074cdc933274eaf912290964bbbbd9e.service.

[nix-shell:~/go/src/github.com/coreos/rkt]$ sudo journalctl -u run-r8074cdc933274eaf912290964bbbbd9e.service
-- Logs begin at Sat 2015-11-21 20:21:51 EST, end at Wed 2016-01-27 15:08:44 EST. --
Jan 27 15:08:36 rokot systemd[1]: Started /home/derek/go/src/github.com/coreos/rkt/./build-rkt-0.15.0/bin/rkt run aci.gonyeo.com/nginx.
Jan 27 15:08:36 rokot rkt[752]: rkt: using image from local store for image name coreos.com/rkt/stage1-coreos:0.16.0+gitfe93264
Jan 27 15:08:36 rokot rkt[752]: rkt: searching for app image aci.gonyeo.com/nginx
Jan 27 15:08:37 rokot rkt[752]: rkt: remote fetching from URL "https://aci.gonyeo.com/nginx-latest-linux-amd64.aci"
Jan 27 15:08:38 rokot rkt[752]: prefix: "aci.gonyeo.com/nginx"
Jan 27 15:08:38 rokot rkt[752]: key: "https://aci.gonyeo.com/pubkeys.gpg"
Jan 27 15:08:38 rokot rkt[752]: gpg key fingerprint is: 391A 2660 3B7D 1A7B 969B  DB93 8D6A 284F 420B 2594
Jan 27 15:08:38 rokot rkt[752]: subkey fingerprint: 818A 735C A7D6 60F5 F113  8ED8 29A7 820C 14D5 7505
Jan 27 15:08:38 rokot rkt[752]: Derek Gonyeo (ACI signing key) <derek@gonyeo.com>
Jan 27 15:08:38 rokot rkt[752]: To trust the key for "aci.gonyeo.com/nginx", do one of the following:
Jan 27 15:08:38 rokot rkt[752]: - call rkt with --trust-keys-from-https
Jan 27 15:08:38 rokot rkt[752]: - run: rkt trust --prefix "aci.gonyeo.com/nginx"
Jan 27 15:08:38 rokot rkt[752]: rkt: error adding keys: error reviewing key: unable to ask user to review fingerprint due to lack of tty
Jan 27 15:08:38 rokot rkt[752]: rkt: downloading signature from https://aci.gonyeo.com/nginx-latest-linux-amd64.aci.asc
Jan 27 15:08:38 rokot rkt[752]: Downloading signature: 0 B of an unknown total size
Jan 27 15:08:38 rokot rkt[752]: Downloading signature: 473 B of an unknown total size
Jan 27 15:08:38 rokot rkt[752]: Downloading signature: 473 B of an unknown total size
Jan 27 15:08:38 rokot rkt[752]: rkt: If you expected the signing key to change, try running:
Jan 27 15:08:38 rokot rkt[752]: rkt:     rkt trust --prefix "aci.gonyeo.com/nginx"
Jan 27 15:08:38 rokot rkt[752]: run: openpgp: signature made by unknown entity
Jan 27 15:08:38 rokot systemd[1]: run-r8074cdc933274eaf912290964bbbbd9e.service: Main process exited, code=exited, status=1/FAILURE
Jan 27 15:08:38 rokot systemd[1]: run-r8074cdc933274eaf912290964bbbbd9e.service: Unit entered failed state.
Jan 27 15:08:38 rokot systemd[1]: run-r8074cdc933274eaf912290964bbbbd9e.service: Failed with result 'exit-code'.

Thoughts?

I have no clue why my rkt is building in build-rkt-0.15.0 instead of build-rkt-0.16.0, but the resulting binary is claiming to be version 0.16.0+gitfe93264.

Strange... does running ./autogen.sh and ./configure again fix this?

Made the suggested fixes, rebased on master, squashed commits. Should be ready for another pass.

Strange... does running ./autogen.sh and ./configure again fix this?

Even stranger: they don't appear to fix this. I even cloned master to a different directory, and did ./autogen.sh && ./configure && make, and it's still dropping the files in the wrong directory.

I have no idea what's wrong in the build-system. Maybe you have the BUILDDIR env variable defined? What does the line in makelib/variables.mk with BUILDDIR ?= say?

Oh wait, it looks like nix-shell is setting the BUILDDIR environment variable. I'm having it give me an environment based on the rkt 0.15.0 package, so that's where that's coming from. Mystery solved.

@dgonyeo: #1758 (comment)

It would be nice if the commit message explained the current behavior a bit better. Including the examples in the PR.

This LGTM (modulo some nits) but I'd like another pair of eyes on it.

@iaguis updated the commit message and the PR. Thoughts on the new description / examples?

I'll be spending some time today updating the docs and investigating what tests I could write for this, but I won't be able to work too many hours today due to homework, and tomorrow's a full day of classes. If we want to rush to get this in, help finishing this up would be appreciated.

Thanks! Setting the "needs rework" label for the TODO in #2033 (comment) but this new version of the code looks good to me.

I am slightly improving the rkt trust tests in #2069 but they should be improved further later in #2070.

The code looks good to me, so I am merging it now.