rkt trust

Before executing a remotely fetched ACI, rkt will verify it based on attached signatures generated by the ACI creator.

Before this can happen, rkt needs to know which creators you trust, and therefore are trusted to run images on your machine. The identity of each ACI creator is established with a public key, which is placed in rkt's key store on disk.

When adding a trusted key, a prefix can scope the level of established trust to a subset of images. A few examples:

# rkt trust --prefix=storage.coreos.com
# rkt trust --prefix=coreos.com/etcd

To trust a key for an entire root domain, you must use the --root flag, with a path to a local key file (no discovery).

# rkt trust --root ~/aci-pubkeys.gpg

Trust a Key Using Meta Discovery

The easiest way to trust a key is through meta discovery. rkt will find and download a public key that the creator has published on their website. This process is detailed in the [Application Container specification][appc-discovery]. The TL;DR is rkt will find a meta tag that looks like:

<meta name="ac-discovery-pubkeys" content="coreos.com/etcd https://coreos.com/dist/pubkeys/aci-pubkeys.gpg">

And use it to download the public key and present it to you for approval:

# rkt trust --prefix=coreos.com/etcd
Prefix: "coreos.com/etcd"
Key: "https://coreos.com/dist/pubkeys/aci-pubkeys.gpg"
GPG key fingerprint is: 8B86 DE38 890D DB72 9186  7B02 5210 BD88 8818 2190
  CoreOS ACI Builder <release@coreos.com>
Are you sure you want to trust this key (yes/no)? yes
Trusting "https://coreos.com/dist/pubkeys/aci-pubkeys.gpg" for prefix "coreos.com/etcd".
Added key for prefix "coreos.com/etcd" at "/etc/rkt/trustedkeys/prefix.d/coreos.com/etcd/8b86de38890ddb7291867b025210bd8888182190"

If rkt can't find a key using meta discovery, an error will be printed:

# rkt trust --prefix=coreos.com
Error determining key location: --prefix meta discovery error: found no ACI meta tags

Trust a Key From Specific Location

If you know where a public key is located, you can request it directly from disk or via HTTPS:

# rkt trust --prefix=coreos.com/etcd https://coreos.com/dist/pubkeys/aci-pubkeys.gpg
Prefix: "coreos.com/etcd"
Key: "https://coreos.com/dist/pubkeys/aci-pubkeys.gpg"
GPG key fingerprint is: 8B86 DE38 890D DB72 9186  7B02 5210 BD88 8818 2190
  CoreOS ACI Builder <release@coreos.com>
Are you sure you want to trust this key (yes/no)? yes
Trusting "https://coreos.com/dist/pubkeys/aci-pubkeys.gpg" for prefix "coreos.com/etcd".
Added key for prefix "coreos.com/etcd" at "/etc/rkt/trustedkeys/prefix.d/coreos.com/etcd/8b86de38890ddb7291867b025210bd8888182190"

Pre-Populating Trusted Keys on Disk

Trusted public keys can be pre-populated by placing them in the appropriate location on disk for the desired prefix.

$ find /etc/rkt/trustedkeys/
/etc/rkt/trustedkeys/
/etc/rkt/trustedkeys/prefix.d
/etc/rkt/trustedkeys/prefix.d/coreos.com
/etc/rkt/trustedkeys/prefix.d/coreos.com/etcd
/etc/rkt/trustedkeys/prefix.d/coreos.com/etcd/8b86de38890ddb7291867b025210bd8888182190
/etc/rkt/trustedkeys/root.d
/etc/rkt/trustedkeys/root.d/d8685c1eff3b2276e5da37fd65eea12767432ac4