@dghubble
Created February 18, 2016 19:34

bootcfg ACI Experiment

Note: Real bootcfg release ACIs are uploaded to coreos/coreos-baremetal. This is just an experiment.

Build and Sign

Build the binary and ACI. Change the build-aci script to use app name aci.dghubble.io/bootcfg before running.

./build
./build-aci

Sign the ACI with the signing subkey 5D723EDD. The YubiKey PIN will be needed.

cp bootcfg.aci bootcfg-v0.2.1-linux-amd64.aci
gpg2 -a --default-key 5D723EDD --detach-sign bootcfg-v0.2.1-linux-amd64.aci

Verify the signature using plain old gpg2.

gpg2 --verify bootcfg-v0.2.1-linux-amd64.aci.asc bootcfg-v0.2.1-linux-amd64.aci

Sanity Check

Fails, rkt doesn't trust the public key...

sudo rkt run bootcfg-v0.2.1-linux-amd64.aci -- -version

Succeeds, only because we ignore verification...

sudo rkt --insecure-options=image run bootcfg-v0.2.1-linux-amd64.aci -- -version

Local Trust

Export the public key corresponding to the signing subkey.

gpg2 -a --export 602065C8 > ~/public.asc

Add the public key to rkt's local keystore of trusted public keys. In this case, we don't scope the key to a prefix and instead use --root, so the key is trusted for every image name.

sudo rkt trust --root ~/public.asc

rkt run can now run the local ACI, provided the detached signature file (.asc) sits next to it.

sudo rkt run bootcfg-v0.2.1-linux-amd64.aci -- -version

Now remove the trusted key to experiment with rkt fetch. The keystore file is named after the key's fingerprint, in lowercase and without spaces.

gpg2 --fingerprint 602065C8
sudo rm /etc/rkt/trustedkeys/root.d/LOWERCASE_FINGERPRINT

Hosting Images

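TODO: A real setup should use HTTPS, since over plain HTTP the discovery page and the public key are fetched without authentication. For this experiment, use --insecure-allow-http with rkt trust and --insecure-options=http with rkt fetch.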

Add a DNS record to a domain's zone files (e.g. aci.dghubble.io). Point to a storage bucket you can add files to.

Upload an index.html:

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta name="ac-discovery" content="aci.dghubble.io/bootcfg http://aci.dghubble.io/bootcfg-{version}-{os}-{arch}.{ext}">
    <meta name="ac-discovery-pubkeys" content="aci.dghubble.io/bootcfg http://aci.dghubble.io/dghubble.gpg">
  </head>
  <body>
  <p>ACIs</p>
  </body>
</html>

Then upload the ACI and its detached signature to the "ac-discovery" endpoint (the same bucket in this case).

Trust the hosted key, fetch the ACI, and run it.

sudo rkt trust --insecure-allow-http --prefix aci.dghubble.io/bootcfg
sudo rkt fetch --insecure-options=http aci.dghubble.io/bootcfg:v0.2.1
sudo rkt run aci.dghubble.io/bootcfg -- -version

Alternately, you can explicitly trust the key.

sudo rkt trust --insecure-allow-http --root http://aci.dghubble.io/dghubble.gpg
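
How the ac-discovery tags in the index.html above resolve for bootcfg v0.2.1 on linux/amd64, as an added example that is not part of the original gist or of rkt. It assumes {ext} is filled with aci for the image and aci.asc for the detached signature, and that the prefix is matched as a plain string prefix; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. INDEX_HTML is constructed from the meta tags in the index.html above.
INDEX_HTML='<meta name="ac-discovery" content="aci.dghubble.io/bootcfg http://aci.dghubble.io/bootcfg-{version}-{os}-{arch}.{ext}">
<meta name="ac-discovery-pubkeys" content="aci.dghubble.io/bootcfg http://aci.dghubble.io/dghubble.gpg">'

# meta_url NAME APP: print the URL of the first <meta name=NAME> whose
# prefix matches APP (assumption: plain string-prefix match).
meta_url() {
  printf '%s\n' "$INDEX_HTML" |
    sed -n "s/.*<meta name=\"$1\" content=\"\([^ \"]*\) \([^\"]*\)\".*/\1 \2/p" |
    while read -r prefix url; do
      case "$2" in
        "$prefix"*) printf '%s\n' "$url"; break ;;
      esac
    done
}

# render TEMPLATE VERSION OS ARCH EXT: substitute the template placeholders.
render() {
  printf '%s\n' "$1" |
    sed -e "s|{version}|$2|g" -e "s|{os}|$3|g" -e "s|{arch}|$4|g" -e "s|{ext}|$5|g"
}

# discovery_urls APP VERSION OS ARCH: list the image, detached signature and
# public key URLs, marking any that are not served over HTTPS.
discovery_urls() {
  tmpl=$(meta_url ac-discovery "$1")
  keys=$(meta_url ac-discovery-pubkeys "$1")
  if [ -z "$tmpl" ] || [ -z "$keys" ]; then
    echo "no discovery entry matches $1" >&2
    return 1
  fi
  for url in "$(render "$tmpl" "$2" "$3" "$4" aci)" \
             "$(render "$tmpl" "$2" "$3" "$4" aci.asc)" "$keys"; do
    case "$url" in
      https://*) printf 'https     %s\n' "$url" ;;
      *)         printf 'plaintext %s\n' "$url" ;;
    esac
  done
}

discovery_urls aci.dghubble.io/bootcfg v0.2.1 linux amd64
```

The three URLs it lists are the objects the bucket has to serve under exactly those names; every line marked plaintext is one the HTTPS TODO above would cover.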