gcloud alpha container binauthz attestors public-keys

NAME
gcloud alpha container binauthz attestors public-keys - create and manage public keys associated with Attestation Authorities
SYNOPSIS
gcloud alpha container binauthz attestors public-keys COMMAND [GCLOUD_WIDE_FLAG]
EXAMPLES
GPG is a common tool that implements the PGP standard.

To get the fingerprint of the public key:

gpg --with-colons --with-fingerprint --force-v4-certs --list-keys "${ATTESTING_USER}" | grep fpr | cut --delimiter=':' --fields 10

To export a public key:

gpg --armor --export "${FINGERPRINT}" --output public_key1.pgp

To add your new key to the attestor:

gcloud alpha container binauthz attestors public-keys add --attestor my_attestor --pgp-public-key-file=public_key1.pgp

To add a subkey to your PGP key:

gpg --quick-add-key ${FINGERPRINT} default sign
FOLLOW PROMPTS

To revoke a subkey from your PGP key:

gpg --edit-key ${FINGERPRINT}
…SNIP…
sec  rsa2048/8C124F0F782DA097
     created: 2018-01-01  expires: never       usage: SCEA
     trust: ultimate      validity: ultimate
ssb  rsa3072/C9597E8F28359AE3
     created: 2018-01-01  expires: never       usage: E
[ultimate] (1). User <attesting_user@example.com>

gpg> key C9597E8F28359AE3
…SNIP…
gpg> revkey
…
FOLLOW PROMPTS

To update the modified PGP key on the attestor:

gcloud alpha container binauthz attestors public-keys update ${FINGERPRINT} --attestor=my_attestor --pgp-public-key-file=public_key1_updated.pgp

To remove this new key from the attestor:

gcloud alpha container binauthz attestors public-keys remove ${FINGERPRINT} --attestor my_attestor
GCLOUD WIDE FLAGS
These flags are available to all commands: --help.

Run $ gcloud help for details.

COMMANDS
COMMAND is one of the following:
add
(ALPHA) Add a public key to an Attestor.
remove
(ALPHA) Remove a public key from an Attestor.
update
(ALPHA) Update a public key on an Attestor.
BACKGROUND
PGP is an encryption standard used by Binary Authorization to create and verify attestations. A PGP identity is encapsulated by a "key" which can be used to sign arbitrary data and/or verify signatures to be valid. As with other asymmetric key cryptosystems, PGP keys have a "public" part and a "private" part.
PGP KEY STRUCTURE
An important feature of PGP keys is that they are hierarchical: Every "PGP key" is composed of a "primary" key pair and zero or more "subkey" pairs certified by the primary. These key pairs are collectively known as the "PGP key." The "public" part of this PGP key contains the public keys of all the constituent keys as well as all associated metadata (e.g. an email address). And, as might be expected, the "private" part of the PGP key contains all constituent private keys and metadata.

One property of subkeys is that they may be marked as "revoked" if they are compromised or otherwise need to be retired. This does not remove the subkey from the PGP key but simply adds metadata indicating this revocation. The primary key pair cannot be revoked by this same mechanism.

COMMON KEY STRUCTURE
The most common key structure is to have the primary key pair only used to certify subkey pairs while the subkeys are used to encrypt and sign as necessary. This allows the PGP key as a whole to act as a durable identity even if an encryption key is used improperly or a signing key is compromised.
USAGE IN BINARY AUTHORIZATION
  • Authorities hold a set of PGP public keys that are used to verify attestations.
    • These must be submitted in ASCII-armored format. With GPG, this is accomplished by adding the --armor flag to the export command.
  • If any of the public keys held by an attestor verify a given attestation, then the attestor considers that attestation to be valid (see gcloud alpha container binauthz attestations create help for more details).
    • As a result, the compromise of any constituent private key means that the attestor is at risk. The compromised subkey should be revoked and the PGP key re-uploaded or removed from the attestor.
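The revocation rule above, turned into a check an attestor operator can run before deciding whether to re-upload or remove a key. This is an added example, not part of the gcloud reference: it parses gpg's machine-readable --with-colons listing (the same format the fingerprint pipeline in EXAMPLES reads), the listing below is constructed, and the function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the gcloud reference). Inspect a key listing in
# gpg's "--with-colons" format and report the primary fingerprint plus any
# subkeys marked revoked, the case in which the attestor's copy of the key
# must be updated (so verifiers see the revocation) or removed.
#
# Record fields used (gpg's documented colon-separated format):
#   pub / sub : field 2 = validity ("r" means revoked), field 5 = key id,
#               field 12 = capabilities (s = sign, e = encrypt, c = certify)
#   fpr       : field 10 = fingerprint of the preceding pub/sub record

# Constructed sample listing: a primary key whose signing subkey has been
# revoked (validity "r") and whose encryption subkey is still valid.
SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:u:2048:1:8C124F0F782DA097:1514764800::u:::scESC::::::23::0:
fpr:::::::::1234567890ABCDEF123456788C124F0F782DA097:
uid:u::::1514764800::ABCDEF0123456789ABCDEF0123456789ABCDEF01::User <attesting_user@example.com>::::::::::0:
sub:r:3072:1:C9597E8F28359AE3:1514764800::::::s::::::23:
fpr:::::::::1234567890ABCDEF12345678C9597E8F28359AE3:
sub:u:3072:1:1111222233334444:1514764800::::::e::::::23:
fpr:::::::::1234567890ABCDEF123456781111222233334444:'

# Print the primary key fingerprint: the fpr record that directly follows
# the pub record. (The page's "grep fpr | cut --fields 10" pipeline prints
# every fpr record, subkeys included, so this is the stricter form.)
primary_fingerprint() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "fpr" && want { print $10; exit }
    '
}

# Print the key ids of all revoked subkeys (validity field "r"), one per line.
revoked_subkeys() {
    printf '%s\n' "$1" | awk -F: '$1 == "sub" && $2 == "r" { print $5 }'
}

# Decide what the operator must do with the attestor's copy of the key:
# "update" when any subkey has been revoked, "ok" otherwise.
attestor_action() {
    if [ -n "$(revoked_subkeys "$1")" ]; then
        echo update
    else
        echo ok
    fi
}

# Against a live key, pass the real listing instead of the sample:
#   attestor_action "$(gpg --with-colons --with-fingerprint --list-keys "${ATTESTING_USER}")"
attestor_action "$SAMPLE_LISTING"
```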
NOTES
This command is currently in alpha and might change without notice. If this command fails with API permission errors despite specifying the correct project, you might be trying to access an API with an invitation-only early access allowlist. These variants are also available:
gcloud container binauthz attestors public-keys
gcloud beta container binauthz attestors public-keys


Last updated 2025-05-07 UTC.