Key commands

Apptainer can import, export and remove PGP keys that follow the OpenPGP standard, via GnuPG (GPG). These commands only modify the local keyring and are not related to the cloud keystore.

Global keyring

Apptainer has a global keyring which can be managed by administrators with the --global option. This global keyring is used by ECL and allows administrators to manage public keys used during ECL image verification.

Key import command

Apptainer can import keys from either binary or armored key format. It automatically detects whether a key is private or public and adds it to the corresponding local keyring.

To see how it works, first consider the case in which a user wants to import a secret (private) key to the local keyring.

First, check the current state of the local keyring, that is, which keys are stored before the new key is imported.

$ apptainer key list --secret

Note

Remember that the --secret flag (or -s) lists the secret (private) local keyring.

The output will look as follows:

Private key listing (/home/joana/.apptainer/keys/pgp-secret):

0)  User:              Johnny Cash (none) <cash@example.com>
    Creation time:     2019-04-11 22:22:28 +0200 CEST
    Fingerprint:       47282BDC661F58FA4BEBEF47CA576CBD8EF1A2B4
    Length (in bits):  3072

1)  User:              John Green (none) <john@example.com>
    Creation time:     2019-04-11 13:08:45 +0200 CEST
    Fingerprint:       5720799FE7B048CF36FAB8445EE1E2BD7B6342C5
    Length (in bits):  1024

Note

Remember that running the same command with sudo will give you a completely different list, since it shows the keyring of the root user.

After this, you can import the key you need by giving the exact location of the file. Say you own a GPG key file named pinkie-pie.asc, a secret GPG key you want to import. Then you just need to run the following command to import your key:

$ apptainer key import $HOME/pinkie-pie.asc

Note

This location assumes your key is in the $HOME directory. You can specify any path to the file.

Since you’re importing a private (secret) key, you will need to enter the passphrase that protects it and then a new passphrase for it in your local keyring.

Enter your old password :
Enter a new password for this key :
Retype your passphrase :
Key with fingerprint 8C10B902F438E4D504C3ACF689FCFFAED5F34A77 successfully added to the keyring

After this, you can check that the key was correctly added to your local keystore by running the apptainer key list -s command:

Private key listing (/home/joana/.apptainer/keys/pgp-secret):

1)  User:              Johnny Cash (none) <cash@example.com>
    Creation time:     2019-04-11 22:22:28 +0200 CEST
    Fingerprint:       47282BDC661F58FA4BEBEF47CA576CBD8EF1A2B4
    Length (in bits):  3072

2)  User:              John Green (none) <john@example.com>
    Creation time:     2019-04-11 13:08:45 +0200 CEST
    Fingerprint:       5720799FE7B048CF36FAB8445EE1E2BD7B6342C5
    Length (in bits):  1024

3)  User:              Pinkie Pie (Eternal chaos comes with chocolate rain!) <balloons@example.com>
    Creation time:     2019-04-26 12:07:07 +0200 CEST
    Fingerprint:       8C10B902F438E4D504C3ACF689FCFFAED5F34A77
    Length (in bits):  1024

You will see the imported key at the bottom of the list. Remember that you can also import an ASCII armored key; the key import command detects this automatically (no need to specify the format).

Note

If you would like to import a public key, the process remains the same, as the import command automatically detects whether the key being imported is public or private.

Key export command

The key export command allows you to export a key that is on your local keyring. This key can be either private or public, and it can be exported in ASCII armored format or in binary format. Because you have to identify the keyring and the format, the syntax differs from that of the key import command.

For example, to export a public key in binary format you can run:

$ apptainer key export 8C10B902F438E4D504C3ACF689FCFFAED5F34A77 $HOME/mykey.asc

This will export the public key in binary format to a file named mykey.asc in your home folder. If you would like to export the same public key in ASCII armored format, you would need to run the following command:

$ apptainer key export --armor 8C10B902F438E4D504C3ACF689FCFFAED5F34A77 $HOME/mykey.asc

If you need to export a secret key in ASCII armored format, you must specify which keyring to take the key from, since the fingerprint is the same:

$ apptainer key export --armor --secret 8C10B902F438E4D504C3ACF689FCFFAED5F34A77 $HOME/mykey.asc

and in binary format instead:

$ apptainer key export --secret 8C10B902F438E4D504C3ACF689FCFFAED5F34A77 $HOME/mykey.asc

Note

Exporting keys will not change the state of your local keyring. It only reads the content of the keys and saves it to a local file on your host.
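
The import command detects format and key type on its own, and the export examples above write public, secret, binary and armored keys to the same mykey.asc name. As an added example (not part of the Apptainer documentation or code), the following shell script reports what a key file actually contains before it is imported or shared. The helper names classify_key_file and is_secret_key_file are hypothetical, and the checks follow the OpenPGP packet header and ASCII armor rules of RFC 4880.

```shell
#!/bin/sh
# Added example: tell what an OpenPGP key file holds without importing it.
# classify_key_file and is_secret_key_file are hypothetical helpers,
# not Apptainer commands.

classify_key_file() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 0; }
    # First octet as a decimal number (empty string for an empty file).
    b=$(od -An -tu1 -N1 "$f" | tr -d ' \n')
    [ -n "$b" ] || { echo "empty"; return 0; }

    if [ "$b" -ge 128 ]; then
        # Binary OpenPGP packet header (RFC 4880, section 4.2): bit 7 is set.
        if [ "$b" -ge 192 ]; then
            tag=$((b - 192))            # new format: tag in bits 5-0
        else
            tag=$(( (b - 128) / 4 ))    # old format: tag in bits 5-2
        fi
        case $tag in
            5) echo "binary secret" ;;  # Secret-Key packet
            6) echo "binary public" ;;  # Public-Key packet
            *) echo "binary other"  ;;
        esac
        return 0
    fi

    # ASCII armor: the BEGIN line names the block type.
    line=$(sed -n '/^-----BEGIN PGP /{p;q;}' "$f" | tr -d '\r')
    case $line in
        "-----BEGIN PGP PRIVATE KEY BLOCK-----") echo "armored secret" ;;
        "-----BEGIN PGP PUBLIC KEY BLOCK-----")  echo "armored public" ;;
        *)                                       echo "unknown" ;;
    esac
}

# Succeeds only when the file holds secret key material.
is_secret_key_file() {
    case $(classify_key_file "$1") in
        *" secret") return 0 ;;
        *)          return 1 ;;
    esac
}

# Usage: classify every file named on the command line.
for path in "$@"; do
    printf '%s: %s\n' "$path" "$(classify_key_file "$path")"
done
```

Run it as sh classify.sh $HOME/mykey.asc (the script name is an assumption) to see which of the four export variants a given file is.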

Key remove command

If you want to remove a public key from your local public keystore, you can do so by running the following command:

$ apptainer key remove 8C10B902F438E4D504C3ACF689FCFFAED5F34A77

Note

Remember that this will only delete the public key and not the private one with the same fingerprint.