Key commands

Apptainer has the ability to import, export and remove PGP keys following the OpenPGP standard via GnuPGP (GPG). These commands only modify the local keyring and are not related to the cloud keystore.

Global keyring

Apptainer has a global keyring which can be managed by administrators with the --global option. This global keyring is used by ECL and allows administrators to manage public keys used during ECL image verification.

Key import command

Apptainer allows you to import keys reading either from binary or armored key format and automatically detect if it is a private or public key and add it to the correspondent local keyring.

To give a quick view on how it works, we will first consider the case in which a user wants to import a secret (private) key to the local keyring.

First we will check what’s the status of the local keyring (which keys are stored by the moment before importing a new key).

$ apptainer key list --secret

Note

Remember that using --secret flag or -s flag will return the secret or private local keyring as output.

The output will look as it follows:

Private key listing (/home/joana/.apptainer/keys/pgp-secret):

0)  User:              Johnny Cash (none) <cash@example.com>
    Creation time:     2019-04-11 22:22:28 +0200 CEST
    Fingerprint:       47282BDC661F58FA4BEBEF47CA576CBD8EF1A2B4
    Length (in bits):  3072

1)  User:              John Green (none) <john@example.com>
    Creation time:     2019-04-11 13:08:45 +0200 CEST
    Fingerprint:       5720799FE7B048CF36FAB8445EE1E2BD7B6342C5
    Length (in bits):  1024

Note

Remember that running that same command but with sudo privilege, will give you a totally different list since it will be the correspondent keyring from user root

After this, you can simply import the key you need by adding the exact location to the file, let’s say you own a gpg key file named pinkie-pie.asc which is a secret GPG key you want to import. Then you will just need to run the following command to import your key:

$ apptainer key import $HOME/pinkie-pie.asc

Note

This location is considering your key was located on the $HOME directory. You can specify any location to the file.

Since you’re importing a private (secret) key, you will need to specify the passphrase related to it and then a new passphrase to be added on your local keyring.

Enter your old password :
Enter a new password for this key :
Retype your passphrase :
Key with fingerprint 8C10B902F438E4D504C3ACF689FCFFAED5F34A77 successfully added to the keyring

After this you can see if that key was correctly added to your local keystore by running apptainer key list -s command:

Private key listing (/home/joana/.apptainer/keys/pgp-secret):

1)  User:              Johnny Cash (none) <cash@example.com>
    Creation time:     2019-04-11 22:22:28 +0200 CEST
    Fingerprint:       47282BDC661F58FA4BEBEF47CA576CBD8EF1A2B4
    Length (in bits):  3072

2)  User:              John Green (none) <john@example.com>
    Creation time:     2019-04-11 13:08:45 +0200 CEST
    Fingerprint:       5720799FE7B048CF36FAB8445EE1E2BD7B6342C5
    Length (in bits):  1024

3)  User:              Pinkie Pie (Eternal chaos comes with chocolate rain!) <balloons@example.com>
    Creation time:     2019-04-26 12:07:07 +0200 CEST
    Fingerprint:       8C10B902F438E4D504C3ACF689FCFFAED5F34A77
    Length (in bits):  1024

You will see the imported key at the bottom of the list. Remember you can also import an ascii armored key and this will be automatically detected by the key import command (no need to specify the format).

Note

In case you would like to import a public key the process remains the same, as the import command will automatically detect whether this key to be imported is either public or private.

Key export command

The key export command allows you to export a key that is on your local keyring. This key could be either private or public, and the key can be exported on ASCII armored format or on binary format. Of course to identify the keyring and the format the syntax varies from the key import command.

For example to export a public key in binary format you can run:

$ apptainer key export 8C10B902F438E4D504C3ACF689FCFFAED5F34A77 $HOME/mykey.asc

This will export a public binary key named mykey.asc and will save it under the home folder. If you would like to export the same public key but in an ASCII armored format, you would need to run the following command:

$ apptainer key export --armor 8C10B902F438E4D504C3ACF689FCFFAED5F34A77 $HOME/mykey.asc

And in the case in which you may need to export a secret key on ASCII armored format, you would need to specify from where to find the key, since the fingerprint is the same.

$ apptainer key export --armor --secret 8C10B902F438E4D504C3ACF689FCFFAED5F34A77 $HOME/mykey.asc

and on binary format instead:

$ apptainer key export --secret 8C10B902F438E4D504C3ACF689FCFFAED5F34A77 $HOME/mykey.asc

Note

Exporting keys will not change the status of your local keyring. This will just obtain the content of the keys and save it on a local file on your host.

Key remove command

In case you would want to remove a public key from your public local keystore, you can do so by running the following command:

$ apptainer key remove 8C10B902F438E4D504C3ACF689FCFFAED5F34A77

Note

Remember that this will only delete the public key and not the private one with the same matching fingerprint.