From f0a7d6bda9090b2591e131d101164bc0995e32f9 Mon Sep 17 00:00:00 2001 From: Indradhanush Gupta Date: Sat, 23 Sep 2017 18:24:29 +0530 Subject: [PATCH 1/9] trust: add flag --overwrite-trusted Fixes #3756 --- rkt/image/namefetcher.go | 2 +- rkt/pubkey/pubkey.go | 14 +++++++++++++- rkt/trust.go | 6 ++++-- 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/rkt/image/namefetcher.go b/rkt/image/namefetcher.go index 023874adca..099668700b 100644 --- a/rkt/image/namefetcher.go +++ b/rkt/image/namefetcher.go @@ -261,7 +261,7 @@ func (f *nameFetcher) maybeFetchPubKeys(appName string) { if f.TrustKeysFromHTTPS { accept = pubkey.AcceptForce } - err := m.AddKeys(pkls, appName, accept) + err := m.AddKeys(pkls, appName, accept, true) if err != nil { log.PrintE("error adding keys", err) } diff --git a/rkt/pubkey/pubkey.go b/rkt/pubkey/pubkey.go index dc66409545..30544f021c 100644 --- a/rkt/pubkey/pubkey.go +++ b/rkt/pubkey/pubkey.go @@ -88,7 +88,7 @@ func (m *Manager) GetPubKeyLocations(prefix string) ([]string, error) { } // AddKeys adds the keys listed in pkls at prefix -func (m *Manager) AddKeys(pkls []string, prefix string, accept AcceptOption) error { +func (m *Manager) AddKeys(pkls []string, prefix string, accept AcceptOption, overwriteTrusted bool) error { ensureLogger(m.Debug) if m.Ks == nil { return fmt.Errorf("no keystore available to add keys to") @@ -110,6 +110,18 @@ func (m *Manager) AddKeys(pkls []string, prefix string, accept AcceptOption) err return errwrap.Wrap(fmt.Errorf("error displaying the key %s", pkl), err) } + if overwriteTrusted == false { + trusted, err := m.Ks.TrustedKeyPrefixExists(prefix) + if err != nil { + return errwrap.Wrap(fmt.Errorf("error in determining if key %s is trusted", pkl), err) + } + + if trusted == true { + log.Printf("Already trusted %q for prefix %q.", pkl, prefix) + continue + } + } + if m.TrustKeysFromHTTPS && u.Scheme == "https" { accept = AcceptForce } 
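Review bot: The skip test added to the loop in `AddKeys` (pubkey.go, second hunk) is keyed on `prefix` alone and never looks at the key fetched from `pkl`. Judging by its name and argument, `m.Ks.TrustedKeyPrefixExists(prefix)` reports whether any key is trusted for the prefix, so a rotated or additional signing key for an already-trusted prefix would be passed over, and the message `Already trusted %q for prefix %q` names `pkl` as though that key had been matched. Either compare the fetched key's fingerprint with the keystore before `continue`, or at least make the log say what was actually checked, e.g. `log.Printf("prefix %q already has a trusted key, skipping %q", prefix, pkl)`. The result does not depend on the loop variable, and the check sits after the key-display step visible in the context line above it, so it can be hoisted ahead of the loop; the same block is carried through patches 2-4 with only its condition changed. `AddKeys` begins and ends outside the hunk.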
diff --git a/rkt/trust.go b/rkt/trust.go index 67cf4ed0a6..51d0d2e083 100644 --- a/rkt/trust.go +++ b/rkt/trust.go @@ -28,7 +28,7 @@ import ( var ( cmdTrust = &cobra.Command{ - Use: "trust [--prefix=PREFIX] [--insecure-allow-http] [--skip-fingerprint-review] [--root] [PUBKEY ...]", + Use: "trust [--prefix=PREFIX] [--insecure-allow-http] [--skip-fingerprint-review] [--root] [PUBKEY ...] [--overwrite-trusted]", Short: "Trust a key for image verification", Long: `Adds keys to the local keystore for use in verifying signed images. @@ -46,6 +46,7 @@ specified. Path to a key file must be given (no discovery).`, flagRoot bool flagAllowHTTP bool flagSkipFingerprintReview bool + flagOverwriteTrusted bool ) func init() { @@ -54,6 +55,7 @@ func init() { cmdTrust.Flags().BoolVar(&flagRoot, "root", false, "add root key from filesystem without a prefix") cmdTrust.Flags().BoolVar(&flagSkipFingerprintReview, "skip-fingerprint-review", false, "accept key without fingerprint confirmation") cmdTrust.Flags().BoolVar(&flagAllowHTTP, "insecure-allow-http", false, "allow HTTP use for key discovery and/or retrieval") + cmdTrust.Flags().BoolVar(&flagOverwriteTrusted, "overwrite-trusted", true, "overwrite previously downloaded and trusted pubkeys") } func runTrust(cmd *cobra.Command, args []string) (exit int) { @@ -110,7 +112,7 @@ Otherwise, trust at the root domain (not recommended) must be explicitly request acceptOpt = pubkey.AcceptForce } - if err := m.AddKeys(pkls, flagPrefix, acceptOpt); err != nil { + if err := m.AddKeys(pkls, flagPrefix, acceptOpt, flagOverwriteTrusted); err != nil { stderr.PrintE("error adding keys", err) return 254 } From af65cbea43e445b23c9d0563e7e0eec13c5de4f9 Mon Sep 17 00:00:00 2001 
From: Indradhanush Gupta Date: Tue, 26 Sep 2017 11:17:18 +0530 Subject: [PATCH 2/9] trust: rename --overwrite-trusted to --skip-trusted --skip-trusted is more concise and also similar to other flags that have alredy been implemented. The default for this is `false` ensuring that existing this does not break existing users' configurations. --- rkt/pubkey/pubkey.go | 4 ++-- rkt/trust.go | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/rkt/pubkey/pubkey.go b/rkt/pubkey/pubkey.go index 30544f021c..42d7a1475e 100644 --- a/rkt/pubkey/pubkey.go +++ b/rkt/pubkey/pubkey.go @@ -88,7 +88,7 @@ func (m *Manager) GetPubKeyLocations(prefix string) ([]string, error) { } // AddKeys adds the keys listed in pkls at prefix -func (m *Manager) AddKeys(pkls []string, prefix string, accept AcceptOption, overwriteTrusted bool) error { +func (m *Manager) AddKeys(pkls []string, prefix string, accept AcceptOption, skipTrusted bool) error { ensureLogger(m.Debug) if m.Ks == nil { return fmt.Errorf("no keystore available to add keys to") @@ -110,7 +110,7 @@ func (m *Manager) AddKeys(pkls []string, prefix string, accept AcceptOption, ove return errwrap.Wrap(fmt.Errorf("error displaying the key %s", pkl), err) } - if overwriteTrusted == false { + if skipTrusted { trusted, err := m.Ks.TrustedKeyPrefixExists(prefix) if err != nil { return errwrap.Wrap(fmt.Errorf("error in determining if key %s is trusted", pkl), err) diff --git a/rkt/trust.go b/rkt/trust.go index 51d0d2e083..709f2ad72d 100644 --- a/rkt/trust.go +++ b/rkt/trust.go @@ -28,7 +28,7 @@ import ( var ( cmdTrust = &cobra.Command{ - Use: "trust [--prefix=PREFIX] [--insecure-allow-http] [--skip-fingerprint-review] [--root] [PUBKEY ...] [--overwrite-trusted]", + Use: "trust [--prefix=PREFIX] [--insecure-allow-http] [--skip-fingerprint-review] [--skip-trusted] [--root] [PUBKEY ...]", Short: "Trust a key for image verification", Long: `Adds keys to the local keystore for use in verifying signed images. 
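Review bot: The rename in `AddKeys` flips the meaning of the fourth argument, but `rkt/image/namefetcher.go` is absent from this commit's diffstat, so the call `m.AddKeys(pkls, appName, accept, true)` introduced in patch 1 now asks for skipping instead of overwriting. If key discovery during image fetch is meant to keep adding keys as before, that call needs `false`; none of the later patches on this page touches the file. A bare boolean at a call site hides exactly this kind of inversion, so the doc comment `// AddKeys adds the keys listed in pkls at prefix` should also gain a sentence saying what `skipTrusted` does. `AddKeys` continues outside both hunks.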
@@ -46,7 +46,7 @@ specified. Path to a key file must be given (no discovery).`, flagRoot bool flagAllowHTTP bool flagSkipFingerprintReview bool - flagOverwriteTrusted bool + flagSkipTrusted bool ) func init() { @@ -55,7 +55,7 @@ func init() { cmdTrust.Flags().BoolVar(&flagRoot, "root", false, "add root key from filesystem without a prefix") cmdTrust.Flags().BoolVar(&flagSkipFingerprintReview, "skip-fingerprint-review", false, "accept key without fingerprint confirmation") cmdTrust.Flags().BoolVar(&flagAllowHTTP, "insecure-allow-http", false, "allow HTTP use for key discovery and/or retrieval") - cmdTrust.Flags().BoolVar(&flagOverwriteTrusted, "overwrite-trusted", true, "overwrite previously downloaded and trusted pubkeys") + cmdTrust.Flags().BoolVar(&flagSkipTrusted, "skip-trusted", false, "skip previously downloaded and trusted pubkeys") } func runTrust(cmd *cobra.Command, args []string) (exit int) { @@ -112,7 +112,7 @@ Otherwise, trust at the root domain (not recommended) must be explicitly request acceptOpt = pubkey.AcceptForce } - if err := m.AddKeys(pkls, flagPrefix, acceptOpt, flagOverwriteTrusted); err != nil { + if err := m.AddKeys(pkls, flagPrefix, acceptOpt, flagSkipTrusted); err != nil { stderr.PrintE("error adding keys", err) return 254 } From 4e0e2def8d94eb5208b723db73b3eccc83d45e85 Mon Sep 17 00:00:00 2001 From: Indradhanush Gupta Date: Tue, 26 Sep 2017 11:19:31 +0530 Subject: [PATCH 3/9] pubkey: add newline to log statement for already trusted key --- rkt/pubkey/pubkey.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rkt/pubkey/pubkey.go b/rkt/pubkey/pubkey.go index 42d7a1475e..f946ada4e1 100644 --- a/rkt/pubkey/pubkey.go +++ b/rkt/pubkey/pubkey.go @@ -117,7 +117,7 @@ func (m *Manager) AddKeys(pkls []string, prefix string, accept AcceptOption, ski } if trusted == true { - log.Printf("Already trusted %q for prefix %q.", pkl, prefix) + log.Printf("Already trusted %q for prefix %q.\n", pkl, prefix) continue } } 
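Review bot: The flag is registered with default `false` in `init()`, while the table row added to `Documentation/subcommands/trust.md` in patch 7 lists the default as `true`; the Default column there should read `false`, otherwise operators will assume already-trusted prefixes are skipped without passing the flag. The help text `skip previously downloaded and trusted pubkeys` also reads as a per-key comparison, whereas the check visible in `AddKeys` is made with `TrustedKeyPrefixExists(prefix)`, i.e. per prefix. A wording such as `"skip adding keys when the prefix already has a trusted key"` would match what that call appears to test.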
From f362631ea6c4e02eff4d6d71f4fb8f62a9419175 Mon Sep 17 00:00:00 2001 From: Indradhanush Gupta Date: Wed, 27 Sep 2017 10:00:58 +0530 Subject: [PATCH 4/9] pubkey: idiomatic go --- rkt/pubkey/pubkey.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rkt/pubkey/pubkey.go b/rkt/pubkey/pubkey.go index f946ada4e1..e092fd635b 100644 --- a/rkt/pubkey/pubkey.go +++ b/rkt/pubkey/pubkey.go @@ -116,7 +116,7 @@ func (m *Manager) AddKeys(pkls []string, prefix string, accept AcceptOption, ski return errwrap.Wrap(fmt.Errorf("error in determining if key %s is trusted", pkl), err) } - if trusted == true { + if trusted { log.Printf("Already trusted %q for prefix %q.\n", pkl, prefix) continue } From a571ea01c6071823d4761e338eb21506755d5489 Mon Sep 17 00:00:00 2001 From: Indradhanush Gupta Date: Wed, 27 Sep 2017 10:04:42 +0530 Subject: [PATCH 5/9] trust: add tests for --skip-trusted flag The test for --skip-trusted=true without a trusted key already being present is failing at the moment. Saving progress to get feedback. --- tests/rkt_tests.go | 53 +++++++++++++++++++++++++++++++++++++++++ tests/rkt_trust_test.go | 12 ++++++++++ 2 files changed, 65 insertions(+) diff --git a/tests/rkt_tests.go b/tests/rkt_tests.go index 172236dd53..a27c833424 100644 --- a/tests/rkt_tests.go +++ b/tests/rkt_tests.go 
@@ -894,6 +894,59 @@ func runRktTrust(t *testing.T, ctx *testutils.RktRunCtx, prefix string, keyIndex } } +func assertTrustPrompt(t *testing.T, prefix string, child *gexpect.ExpectSubprocess) { + + expected := "Are you sure you want to trust this key" + if err := expectWithOutput(child, expected); err != nil { + t.Fatalf("Expected but didn't find %q in %v", expected, err) + } + + if err := child.SendLine("yes"); err != nil { + t.Fatalf("Cannot confirm rkt trust: %s", err) + } + + expected = fmt.Sprintf(`Added key for prefix "%s" at`, prefix) + if err := expectWithOutput(child, expected); err != nil { + t.Fatalf("Expected but didn't find %q in %v", expected, err) + } +} + +func runRktTrustSkipTrustedTrue(t *testing.T, ctx *testutils.RktRunCtx, prefix string, keyIndex int, alreadyTrusted bool) { + if !alreadyTrusted { + runRktTrust(t, ctx, prefix, keyIndex) + } + + keyFile := fmt.Sprintf("key%d.gpg", keyIndex) + cmd := fmt.Sprintf(`%s trust --prefix %s --skip-trusted %s`, ctx.Cmd(), prefix, keyFile) + + child := spawnOrFail(t, cmd) + defer waitOrFail(t, child, 0) + + if alreadyTrusted { + expected := "Already trusted" + if err := expectWithOutput(child, expected); err != nil { + t.Fatalf("Expected but didn't find %q in %v", expected, err) + } + } else { + assertTrustPrompt(t, prefix, child) + } +} + +func runRktTrustSkipTrustedFalse(t *testing.T, ctx *testutils.RktRunCtx, prefix string, keyIndex int, alreadyTrusted bool) { + if !alreadyTrusted { + runRktTrust(t, ctx, prefix, keyIndex) + } + + keyFile := fmt.Sprintf("key%d.gpg", keyIndex) + + cmd := fmt.Sprintf(`%s trust --prefix %s --skip-trusted=false %s`, ctx.Cmd(), prefix, keyFile) + + child := spawnOrFail(t, cmd) + defer waitOrFail(t, child, 0) + + assertTrustPrompt(t, prefix, child) +} + func generatePodManifestFile(t *testing.T, manifest *schema.PodManifest) string { tmpDir := testutils.GetValueFromEnvOrPanic("FUNCTIONAL_TMP") f, err := ioutil.TempFile(tmpDir, "rkt-test-manifest-") 
diff --git a/tests/rkt_trust_test.go b/tests/rkt_trust_test.go index 0c1963e8d1..25ca8564e4 100644 --- a/tests/rkt_trust_test.go +++ b/tests/rkt_trust_test.go @@ -84,4 +84,16 @@ func TestTrust(t *testing.T) { t.Logf("Now both images can be executed\n") runImage(t, ctx, imageFile, "Hello", false) runImage(t, ctx, imageFile2, "Hello", false) + t.Logf("Skip trusted key (rkt trust --skip-trusted) with trusted key absent\n") + runRktTrustSkipTrustedTrue(t, ctx, "rkt-prefix.com/my-app", 1, false) + + t.Logf("Skip trusted key (rkt trust --skip-trusted) with trusted key present\n") + runRktTrustSkipTrustedTrue(t, ctx, "rkt-prefix.com/my-app", 1, true) + + t.Logf("Don't skip trusted key (rkt trust --skip-trusted=false) with trusted key present\n") + runRktTrustSkipTrustedFalse(t, ctx, "rkt-prefix.com/my-app", 1, true) + + t.Logf("Don't skip trusted key (rkt trust --skip-trusted=false) with trusted key absent\n") + runRktTrustSkipTrustedFalse(t, ctx, "rkt-prefix.com/my-app", 1, false) + } From 8ca5a54b69698c2aa5305f6a7584a1c44f76990a Mon Sep 17 00:00:00 2001 From: Indradhanush Gupta Date: Thu, 28 Sep 2017 14:28:06 +0530 Subject: [PATCH 6/9] trust: fix tests for --skip-trusted Use a new image file with a unique prefix to ensure that the key being tested is not trusted ahead of time. Also the test for `rkt trust --root` should be the last test. --- tests/rkt_tests.go | 22 ++++++++++------------ tests/rkt_trust_test.go | 28 ++++++++++++++++++---------- 2 files changed, 28 insertions(+), 22 deletions(-) diff --git a/tests/rkt_tests.go b/tests/rkt_tests.go index a27c833424..2c8d5c14c3 100644 --- a/tests/rkt_tests.go +++ b/tests/rkt_tests.go 
@@ -912,33 +912,31 @@ func assertTrustPrompt(t *testing.T, prefix string, child *gexpect.ExpectSubproc } func runRktTrustSkipTrustedTrue(t *testing.T, ctx *testutils.RktRunCtx, prefix string, keyIndex int, alreadyTrusted bool) { - if !alreadyTrusted { - runRktTrust(t, ctx, prefix, keyIndex) - } - keyFile := fmt.Sprintf("key%d.gpg", keyIndex) cmd := fmt.Sprintf(`%s trust --prefix %s --skip-trusted %s`, ctx.Cmd(), prefix, keyFile) child := spawnOrFail(t, cmd) defer waitOrFail(t, child, 0) - if alreadyTrusted { - expected := "Already trusted" - if err := expectWithOutput(child, expected); err != nil { - t.Fatalf("Expected but didn't find %q in %v", expected, err) - } - } else { + if !alreadyTrusted { assertTrustPrompt(t, prefix, child) + return + } + + expected := "Already trusted" + if err := expectWithOutput(child, expected); err != nil { + t.Fatalf("Expected but didn't find %q in %v", expected, err) } } func runRktTrustSkipTrustedFalse(t *testing.T, ctx *testutils.RktRunCtx, prefix string, keyIndex int, alreadyTrusted bool) { - if !alreadyTrusted { + if alreadyTrusted { + // Trust the key ahead of time to ensure that + //--skip-trusted=false overwrites the trusted key. runRktTrust(t, ctx, prefix, keyIndex) } keyFile := fmt.Sprintf("key%d.gpg", keyIndex) - cmd := fmt.Sprintf(`%s trust --prefix %s --skip-trusted=false %s`, ctx.Cmd(), prefix, keyFile) child := spawnOrFail(t, cmd) diff --git a/tests/rkt_trust_test.go b/tests/rkt_trust_test.go index 25ca8564e4..4e61bd3a58 100644 --- a/tests/rkt_trust_test.go +++ b/tests/rkt_trust_test.go @@ -36,6 +36,9 @@ func TestTrust(t *testing.T) { imageFile2 := patchTestACI("rkt-inspect-trust2.aci", "--exec=/inspect --print-msg=Hello", "--name=rkt-alternative.com/my-app") defer os.Remove(imageFile2) + imageFile3 := patchTestACI("rkt-inspect-trust3.aci", "--exec=/inspect --print-msg=Hello", "--name=rkt-skip-trusted.com/my-app") + defer os.Remove(imageFile3) + ctx := testutils.NewRktRunCtx() defer ctx.Cleanup() 
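Review bot: After this change `alreadyTrusted` means different things in the two helpers: `runRktTrustSkipTrustedFalse` pre-trusts the key when it is true, but `runRktTrustSkipTrustedTrue` performs no setup and only uses the flag to choose the expected output. Its `true` case therefore passes only if an earlier call in `TestTrust` already trusted the same prefix, which makes the test order-dependent. Either have the `true` branch call `runRktTrust(t, ctx, prefix, keyIndex)` first, as the other helper does, or document the precondition on the function with a comment such as `// alreadyTrusted: the caller must have trusted prefix beforehand`.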
@@ -47,6 +50,8 @@ func TestTrust(t *testing.T) { defer os.Remove(ascFile) ascFile = runSignImage(t, imageFile2, 1) defer os.Remove(ascFile) + ascFile = runSignImage(t, imageFile3, 1) + defer os.Remove(ascFile) t.Logf("Run the signed image without trusting the key: it should fail\n") runImage(t, ctx, imageFile, "openpgp: signature made by unknown entity", true) 
@@ -78,22 +83,25 @@ func TestTrust(t *testing.T) { runImage(t, ctx, imageFile, "Hello", false) runImage(t, ctx, imageFile2, "openpgp: signature made by unknown entity", true) - t.Logf("Trust the key for all images (rkt trust --root)\n") - runRktTrust(t, ctx, "", 1) - - t.Logf("Now both images can be executed\n") - runImage(t, ctx, imageFile, "Hello", false) - runImage(t, ctx, imageFile2, "Hello", false) t.Logf("Skip trusted key (rkt trust --skip-trusted) with trusted key absent\n") - runRktTrustSkipTrustedTrue(t, ctx, "rkt-prefix.com/my-app", 1, false) + runRktTrustSkipTrustedTrue(t, ctx, "rkt-skip-trusted.com/my-app", 1, false) t.Logf("Skip trusted key (rkt trust --skip-trusted) with trusted key present\n") - runRktTrustSkipTrustedTrue(t, ctx, "rkt-prefix.com/my-app", 1, true) + runRktTrustSkipTrustedTrue(t, ctx, "rkt-skip-trusted.com/my-app", 1, true) t.Logf("Don't skip trusted key (rkt trust --skip-trusted=false) with trusted key present\n") - runRktTrustSkipTrustedFalse(t, ctx, "rkt-prefix.com/my-app", 1, true) + runRktTrustSkipTrustedFalse(t, ctx, "rkt-skip-trusted.com/my-app", 1, true) t.Logf("Don't skip trusted key (rkt trust --skip-trusted=false) with trusted key absent\n") - runRktTrustSkipTrustedFalse(t, ctx, "rkt-prefix.com/my-app", 1, false) + runRktTrustSkipTrustedFalse(t, ctx, "rkt-skip-trusted.com/my-app", 1, false) + t.Logf("Now the image can be executed\n") + runImage(t, ctx, imageFile3, "Hello", false) + + t.Logf("Trust the key for all images (rkt trust --root)\n") + runRktTrust(t, ctx, "", 1) + + t.Logf("Now both images can be executed\n") + runImage(t, ctx, imageFile, "Hello", false) + runImage(t, ctx, imageFile2, "Hello", false) } From a569a3a846eb6806f420587f32f909a11a7d3510 Mon Sep 17 00:00:00 2001 From: Indradhanush Gupta Date: Thu, 28 Sep 2017 14:46:06 +0530 Subject: [PATCH 7/9] trust: add documentation for --skip-trusted --- Documentation/subcommands/trust.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/Documentation/subcommands/trust.md b/Documentation/subcommands/trust.md index 384300b137..f68df2a4ac 100644 --- a/Documentation/subcommands/trust.md +++ b/Documentation/subcommands/trust.md @@ -91,6 +91,7 @@ $ find /etc/rkt/trustedkeys/ | `--prefix` | `` | A URL prefix | Prefix to limit trust to | | `--root` | `false` | `true` or `false` | Add root key from filesystem without a prefix | | `--skip-fingerprint-review` | `false` | `true` or `false` | Accept key without fingerprint confirmation | +| `--skip-trusted` | `true` | `true` or `false` | Skip previously downloaded and trusted pubkeys | ## Global options From 0c217e12e62c0cf7f20cdd175e44d0e09c211ff2 Mon Sep 17 00:00:00 2001 From: Indradhanush Gupta Date: Thu, 28 Sep 2017 15:34:18 +0530 Subject: [PATCH 8/9] trust: minor spacing fixes --- tests/rkt_tests.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/rkt_tests.go b/tests/rkt_tests.go index 2c8d5c14c3..e6994ae513 100644 --- a/tests/rkt_tests.go +++ b/tests/rkt_tests.go @@ -895,7 +895,6 @@ func runRktTrust(t *testing.T, ctx *testutils.RktRunCtx, prefix string, keyIndex } func assertTrustPrompt(t *testing.T, prefix string, child *gexpect.ExpectSubprocess) { - expected := "Are you sure you want to trust this key" if err := expectWithOutput(child, expected); err != nil { t.Fatalf("Expected but didn't find %q in %v", expected, err) @@ -932,7 +931,7 @@ func runRktTrustSkipTrustedTrue(t *testing.T, ctx *testutils.RktRunCtx, prefix s func runRktTrustSkipTrustedFalse(t *testing.T, ctx *testutils.RktRunCtx, prefix string, keyIndex int, alreadyTrusted bool) { if alreadyTrusted { // Trust the key ahead of time to ensure that - //--skip-trusted=false overwrites the trusted key. + // --skip-trusted=false overwrites the trusted key. runRktTrust(t, ctx, prefix, keyIndex) } From 5405301577e761d0bc55a15ed82753277c302c3e Mon Sep 17 00:00:00 2001 
From: Indradhanush Gupta Date: Thu, 28 Sep 2017 16:58:00 +0530 Subject: [PATCH 9/9] trust: test the image after each individual test for --skip-trusted For --skip-trusted=false with trusted key not present, we should use a separate image as well. --- tests/rkt_trust_test.go | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/tests/rkt_trust_test.go b/tests/rkt_trust_test.go index 4e61bd3a58..fd3e6ab3d4 100644 --- a/tests/rkt_trust_test.go +++ b/tests/rkt_trust_test.go @@ -39,6 +39,9 @@ func TestTrust(t *testing.T) { imageFile3 := patchTestACI("rkt-inspect-trust3.aci", "--exec=/inspect --print-msg=Hello", "--name=rkt-skip-trusted.com/my-app") defer os.Remove(imageFile3) + imageFile4 := patchTestACI("rkt-inspect-trust4.aci", "--exec=/inspect --print-msg=Hello", "--name=rkt-skip-trusted-alternative.com/my-app") + defer os.Remove(imageFile3) + ctx := testutils.NewRktRunCtx() defer ctx.Cleanup() @@ -52,6 +55,8 @@ func TestTrust(t *testing.T) { defer os.Remove(ascFile) ascFile = runSignImage(t, imageFile3, 1) defer os.Remove(ascFile) + ascFile = runSignImage(t, imageFile4, 1) + defer os.Remove(ascFile) t.Logf("Run the signed image without trusting the key: it should fail\n") runImage(t, ctx, imageFile, "openpgp: signature made by unknown entity", true) 
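Review bot: The cleanup registered for the new image removes the wrong file: `imageFile4 := patchTestACI(...)` is followed by `defer os.Remove(imageFile3)`, so `rkt-inspect-trust4.aci` is left behind after the test and `imageFile3` is removed twice. The deferred call should be `defer os.Remove(imageFile4)`. `TestTrust` starts and ends outside the hunk.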
@@ -86,17 +91,26 @@ func TestTrust(t *testing.T) { t.Logf("Skip trusted key (rkt trust --skip-trusted) with trusted key absent\n") runRktTrustSkipTrustedTrue(t, ctx, "rkt-skip-trusted.com/my-app", 1, false) + t.Logf("Now the image can be executed\n") + runImage(t, ctx, imageFile3, "Hello", false) + t.Logf("Skip trusted key (rkt trust --skip-trusted) with trusted key present\n") runRktTrustSkipTrustedTrue(t, ctx, "rkt-skip-trusted.com/my-app", 1, true) + t.Logf("Now the image can be executed\n") + runImage(t, ctx, imageFile3, "Hello", false) + t.Logf("Don't skip trusted key (rkt trust --skip-trusted=false) with trusted key present\n") runRktTrustSkipTrustedFalse(t, ctx, "rkt-skip-trusted.com/my-app", 1, true) + t.Logf("Now the image can be executed\n") + runImage(t, ctx, imageFile3, "Hello", false) + t.Logf("Don't skip trusted key (rkt trust --skip-trusted=false) with trusted key absent\n") - runRktTrustSkipTrustedFalse(t, ctx, "rkt-skip-trusted.com/my-app", 1, false) + runRktTrustSkipTrustedFalse(t, ctx, "rkt-skip-trusted-alternative.com/my-app", 1, false) t.Logf("Now the image can be executed\n") - runImage(t, ctx, imageFile3, "Hello", false) + runImage(t, ctx, imageFile4, "Hello", false) t.Logf("Trust the key for all images (rkt trust --root)\n") runRktTrust(t, ctx, "", 1)
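Review bot: All four `--skip-trusted` cases pass key index 1, so nothing exercises the case that matters for image verification: a different key offered for a prefix that already has a trusted one. Because the skip in `AddKeys` is decided from the prefix, that is the case where a new key would be dropped without a prompt. A test that trusts key 1 for a prefix, runs `trust --skip-trusted` with a second key (if the fixtures provide one), and then asserts whether an image signed only by that second key runs would pin down the intended behaviour. `TestTrust` continues outside the hunk.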