kinvolk
[WIP] Check GnuPG signature of CoreOS image
Verify GnuPG signature of downloaded CoreOS image. systemd-nspawn/machinectl doesn't have a functionality of checking downloaded images by GPG signatures. We need to download the image and validate it by ourselves and then import it by machinectl.
Also introduce a command line option --image-gpg-verify for kube-spawn create. This option is set to true by default. Any user who wants to disable gpg verification can set this option to false: --image-gpg-verify=false.
This PR is based on https://github.com/kinvolk/kube-spawn/pull/131 by @nhlfr. First I rebased it on top of master, which needed a bit of work, as the project structure has changed a lot recently. After that I decided to simplify the openpgp logic. Please let me know if anything is wrong. A couple of test results looked good to me.
Supersedes https://github.com/kinvolk/kube-spawn/pull/131 Fixes https://github.com/kinvolk/kube-spawn/issues/107
But most importantly: like this, kube-spawn overwrites my $HOME/.gnupg with a new keyring, since it's run with sudo -E (i.e. $HOME points to /home/user). So since I haven't looked at the code carefully before testing, this just wiped out my user's GPG keyring and setup and I need to recover it from backup :(
Whoa, sorry about that. :( We need to be able to avoid this case.