
From 7b1639b2194a8bfbb0daedf1cbdfc4ebef5f6b31 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Mon, 18 May 2020 08:36:17 -0300
Subject: [PATCH] Introduce -y (assume yes) argument to clevis luks bind
In order to simplify automated operations with e.g. ansible,
it would be helpful to have a way to automate the creation of
bindings with clevis.
In simple scenarios, it's possible to download the advertisement
from a tang server and pass it in the binding configuration, to
do the binding offline, in the following way:
curl -sfg http://tang.server/adv -o adv.jws
clevis luks bind -d /dev/sda2 tang '{"url":"http://tang.server", "adv":"adv.jws}'
However, for more complex scenarios using multiple servers with
the sss pin, it becomes a lot more complicated to do the same
thing and do the binding in an automated fashion. An alternative
would be to use expect (tcl), but it can also be complicated.
In this commit we introduce -y as a parameter to clevis luks bind,
meaning _assume yes_. Essentially, this would make it so that
the user would not have to manually trust tang key(s) by typing
y/yes.
Security-wise, it would be similar to downloading the advertisement
manually and passing it to tang as the "adv" configuration option,
something already supported.
We already have a -f parameter, so we picked something different,
not to change existing behavior and possibly break existing scripts.
---
 src/luks/clevis-luks-bind.1.adoc         |  7 +-
 src/luks/clevis-luks-bind.in             | 11 +++-
 src/luks/clevis-luks-regen               |  4 +-
 src/luks/tests/assume-yes-luks1          | 81 ++++++++++++++++++++++++
 src/luks/tests/assume-yes-luks2          | 81 ++++++++++++++++++++++++
 src/luks/tests/meson.build               |  2 +
 src/pins/sss/clevis-encrypt-sss.1.adoc   | 14 +++-
 src/pins/sss/clevis-encrypt-sss.c        | 30 ++++++---
 src/pins/tang/clevis-encrypt-tang        | 35 ++++++----
 src/pins/tang/clevis-encrypt-tang.1.adoc | 11 +++-
 10 files changed, 246 insertions(+), 30 deletions(-)
 create mode 100755 src/luks/tests/assume-yes-luks1
 create mode 100755 src/luks/tests/assume-yes-luks2
diff --git a/src/luks/clevis-luks-bind.1.adoc b/src/luks/clevis-luks-bind.1.adoc
64015d
index 336c0f4..438e517 100644
64015d
--- a/src/luks/clevis-luks-bind.1.adoc
64015d
+++ b/src/luks/clevis-luks-bind.1.adoc
64015d
@@ -9,7 +9,7 @@ clevis-luks-bind - Bind a LUKS device using the specified policy
64015d
 
64015d
 == SYNOPSIS
64015d
 
64015d
-*clevis luks bind* [-f] -d DEV [-s SLT] [-k KEY] PIN CFG
64015d
+*clevis luks bind* [-f] [-y] -d DEV [-s SLT] [-k KEY] PIN CFG
64015d
 
64015d
 == OVERVIEW
64015d
 
64015d
@@ -34,6 +34,11 @@ Clevis LUKS unlockers. See link:clevis-luks-unlockers.7.adoc[*clevis-luks-unlock
64015d
 * *-f* :
64015d
   Do not prompt for LUKSMeta initialization
64015d
 
64015d
+* *-y* :
64015d
+  Automatically answer yes for all questions. When using _tang_, it
64015d
+  causes the advertisement trust check to be skipped, which can be
64015d
+  useful in automated deployments
64015d
+
64015d
 * *-d* _DEV_ :
64015d
   The LUKS device on which to perform binding
64015d
 
64015d
diff --git a/src/luks/clevis-luks-bind.in b/src/luks/clevis-luks-bind.in
64015d
index 89a5e22..8b8b5ee 100755
64015d
--- a/src/luks/clevis-luks-bind.in
64015d
+++ b/src/luks/clevis-luks-bind.in
64015d
@@ -33,12 +33,14 @@ function luks2_supported() {
64015d
 function usage() {
64015d
     exec >&2
64015d
     echo
64015d
-    echo "Usage: clevis luks bind [-f] [-s SLT] [-k KEY] -d DEV PIN CFG"
64015d
+    echo "Usage: clevis luks bind [-f] [-y] [-s SLT] [-k KEY] -d DEV PIN CFG"
64015d
     echo
64015d
     echo "$SUMMARY":
64015d
     echo
64015d
     echo "  -f      Do not prompt for LUKSMeta initialization"
64015d
     echo
64015d
+    echo "  -y      Automatically answer yes for all questions"
64015d
+    echo
64015d
     echo "  -d DEV  The LUKS device on which to perform binding"
64015d
     echo
64015d
     echo "  -s SLT  The LUKS slot to use"
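Review bot: The new `-y` help line describes the option only as "Automatically answer yes for all questions", while the man page hunk in this same patch states that it also skips the tang advertisement trust check; that weakening of key verification is the consequence an operator reading `--help` most needs to see, so it belongs in the CLI text too. Suggest `echo "  -y      Automatically answer yes for all questions (skips the tang advertisement trust check)"`. The usage function continues past the end of this hunk.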
64015d
@@ -55,12 +57,15 @@ if [ $# -eq 1 ] && [ "$1" == "--summary" ]; then
64015d
 fi
64015d
 
64015d
 FRC=()
64015d
-while getopts ":hfd:s:k:" o; do
64015d
+YES=()
64015d
+while getopts ":fyd:s:k:" o; do
64015d
     case "$o" in
64015d
     f) FRC+=(-f);;
64015d
     d) DEV="$OPTARG";;
64015d
     s) SLT="$OPTARG";;
64015d
     k) KEY="$OPTARG";;
64015d
+    y) FRC+=(-f)
64015d
+       YES+=(-y);;
64015d
     *) usage;;
64015d
     esac
64015d
 done
64015d
@@ -139,7 +144,7 @@ cryptsetup luksDump "$DEV" \
64015d
 )")"
64015d
 
64015d
 # Encrypt the new key
64015d
-jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG")"
64015d
+jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG" "${YES}")"
64015d
 
64015d
 # If necessary, initialize the LUKS volume
64015d
 if [ "$luks_type" == "luks1" ] && ! luksmeta test -d "$DEV"; then
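Review bot: `"${YES}"` expands to the first element of the array, so when `-y` is not given it still passes an empty string as an extra positional argument to every pin's encrypt command. Both the tang script and the sss C code in this patch add special handling for an empty trailing argument to compensate, and any other pin that validates its argument count would presumably break. `"${YES[@]}"` expands to nothing when the array is empty and to `-y` otherwise: `jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG" "${YES[@]}")"`.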
64015d
diff --git a/src/luks/clevis-luks-regen b/src/luks/clevis-luks-regen
64015d
index 44fd673..6071d85 100755
64015d
--- a/src/luks/clevis-luks-regen
64015d
+++ b/src/luks/clevis-luks-regen
64015d
@@ -110,7 +110,7 @@ if ! new_passphrase=$(generate_key "${DEV}"); then
64015d
 fi
64015d
 
64015d
 # Reencrypt the new password.
64015d
-if ! jwe=$(clevis encrypt "${PIN}" "${CFG}" <<< "${new_passphrase}"); then
64015d
+if ! jwe="$(clevis encrypt "${PIN}" "${CFG}" <<< "${new_passphrase}")"; then
64015d
     echo "Error using pin '${PIN}' with config '${CFG}'" >&2
64015d
     exit 1
64015d
 fi
64015d
@@ -176,7 +176,7 @@ fi
64015d
 # Now make sure that we can unlock this device after the change.
64015d
 # If we can't, undo the changes.
64015d
 if ! cryptsetup open --test-passphrase --key-slot "${SLT}" "${DEV}" 2>/dev/null \
64015d
-        <<< $(clevis luks pass -d "${DEV}" -s "${SLT}" 2>/dev/null); then
64015d
+        <<< "$(clevis luks pass -d "${DEV}" -s "${SLT}" 2>/dev/null)"; then
64015d
     echo "Invalid configuration detected after rebinding. Reverting changes."
64015d
     restore_device "${DEV}" "${TMP}"
64015d
     exit 1
64015d
diff --git a/src/luks/tests/assume-yes-luks1 b/src/luks/tests/assume-yes-luks1
64015d
new file mode 100755
64015d
index 0000000..ad9dea4
64015d
--- /dev/null
64015d
+++ b/src/luks/tests/assume-yes-luks1
64015d
@@ -0,0 +1,81 @@
64015d
+#!/bin/bash -ex
64015d
+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
64015d
+#
64015d
+# Copyright (c) 2020 Red Hat, Inc.
64015d
+# Author: Sergio Correia <scorreia@redhat.com>
64015d
+#
64015d
+# This program is free software: you can redistribute it and/or modify
64015d
+# it under the terms of the GNU General Public License as published by
64015d
+# the Free Software Foundation, either version 3 of the License, or
64015d
+# (at your option) any later version.
64015d
+#
64015d
+# This program is distributed in the hope that it will be useful,
64015d
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
64015d
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
64015d
+# GNU General Public License for more details.
64015d
+#
64015d
+# You should have received a copy of the GNU General Public License
64015d
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
64015d
+
64015d
+TEST=$(basename "${0}")
64015d
+. tests-common-functions
64015d
+
64015d
+. clevis-luks-common-functions
64015d
+
64015d
+on_exit() {
64015d
+    local d
64015d
+    for d in "${TMP}" "${TMP2}"; do
64015d
+        [ ! -d "${d}" ] && continue
64015d
+        tang_stop "${d}"
64015d
+        rm -rf "${d}"
64015d
+    done
64015d
+}
64015d
+
64015d
+trap 'on_exit' EXIT
64015d
+trap 'on_exit' ERR
64015d
+
64015d
+TMP="$(mktemp -d)"
64015d
+
64015d
+port=$(get_random_port)
64015d
+tang_run "${TMP}" "${port}" &
64015d
+tang_wait_until_ready "${port}"
64015d
+
64015d
+url="http://${TANG_HOST}:${port}"
64015d
+
64015d
+cfg=$(printf '{"url":"%s"}' "$url")
64015d
+
64015d
+# LUKS1.
64015d
+DEV="${TMP}/luks1-device"
64015d
+new_device "luks1" "${DEV}"
64015d
+
64015d
+if ! clevis luks bind -y -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
64015d
+    error "${TEST}: Bind should have succeeded."
64015d
+fi
64015d
+
64015d
+if ! clevis_luks_unlock_device "${DEV}"; then
64015d
+    error "${TEST}: we were unable to unlock ${DEV}."
64015d
+fi
64015d
+
64015d
+# Let's use a second tang server to test the sss pin.
64015d
+TMP2="$(mktemp -d)"
64015d
+
64015d
+port2=$(get_random_port)
64015d
+tang_run "${TMP2}" "${port2}" &
64015d
+tang_wait_until_ready "${port2}"
64015d
+
64015d
+url2="http://${TANG_HOST}:${port2}"
64015d
+
64015d
+cfg2=$(printf '{"t":1,"pins":{"tang":[{"url":"%s"},{"url":"%s"}]}}' \
64015d
+       "${url1}" "${url2}")
64015d
+
64015d
+# LUKS1.
64015d
+new_device "luks1" "${DEV}"
64015d
+# Now let's test the sss pin with the two test tang servers we deployed.
64015d
+if ! clevis luks bind -y -d "${DEV}" sss "${cfg2}" <<< "${DEFAULT_PASS}"; then
64015d
+    error "${TEST}: Bind should have succeeded."
64015d
+fi
64015d
+
64015d
+# Unlock should still work now.
64015d
+if ! clevis_luks_unlock_device "${DEV}"; then
64015d
+    error "${TEST}: we should still be able to unlock ${DEV}"
64015d
+fi
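Review bot: `cfg2` is built from `"${url1}"`, which this file never assigns — the first server's URL is stored in `url` — so the first tang entry of the sss configuration is an empty URL unless `tests-common-functions` happens to define `url1`. Because the script runs with `-e` but not `-u`, the unset variable expands silently instead of failing. Use `"${url}" "${url2}"` in the printf call, or name the first variable `url1` where it is assigned. The same mistake is present in `src/luks/tests/assume-yes-luks2`.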
64015d
diff --git a/src/luks/tests/assume-yes-luks2 b/src/luks/tests/assume-yes-luks2
64015d
new file mode 100755
64015d
index 0000000..5c0edc3
64015d
--- /dev/null
64015d
+++ b/src/luks/tests/assume-yes-luks2
64015d
@@ -0,0 +1,81 @@
64015d
+#!/bin/bash -ex
64015d
+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
64015d
+#
64015d
+# Copyright (c) 2020 Red Hat, Inc.
64015d
+# Author: Sergio Correia <scorreia@redhat.com>
64015d
+#
64015d
+# This program is free software: you can redistribute it and/or modify
64015d
+# it under the terms of the GNU General Public License as published by
64015d
+# the Free Software Foundation, either version 3 of the License, or
64015d
+# (at your option) any later version.
64015d
+#
64015d
+# This program is distributed in the hope that it will be useful,
64015d
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
64015d
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
64015d
+# GNU General Public License for more details.
64015d
+#
64015d
+# You should have received a copy of the GNU General Public License
64015d
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
64015d
+
64015d
+TEST=$(basename "${0}")
64015d
+. tests-common-functions
64015d
+
64015d
+. clevis-luks-common-functions
64015d
+
64015d
+on_exit() {
64015d
+    local d
64015d
+    for d in "${TMP}" "${TMP2}"; do
64015d
+        [ ! -d "${d}" ] && continue
64015d
+        tang_stop "${d}"
64015d
+        rm -rf "${d}"
64015d
+    done
64015d
+}
64015d
+
64015d
+trap 'on_exit' EXIT
64015d
+trap 'on_exit' ERR
64015d
+
64015d
+TMP="$(mktemp -d)"
64015d
+
64015d
+port=$(get_random_port)
64015d
+tang_run "${TMP}" "${port}" &
64015d
+tang_wait_until_ready "${port}"
64015d
+
64015d
+url="http://${TANG_HOST}:${port}"
64015d
+
64015d
+cfg=$(printf '{"url":"%s"}' "$url")
64015d
+
64015d
+# LUKS2.
64015d
+DEV="${TMP}/luks2-device"
64015d
+new_device "luks2" "${DEV}"
64015d
+
64015d
+if ! clevis luks bind -y -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
64015d
+    error "${TEST}: Bind should have succeeded."
64015d
+fi
64015d
+
64015d
+if ! clevis_luks_unlock_device "${DEV}"; then
64015d
+    error "${TEST}: we were unable to unlock ${DEV}."
64015d
+fi
64015d
+
64015d
+# Let's use a second tang server to test the sss pin.
64015d
+TMP2="$(mktemp -d)"
64015d
+
64015d
+port2=$(get_random_port)
64015d
+tang_run "${TMP2}" "${port2}" &
64015d
+tang_wait_until_ready "${port2}"
64015d
+
64015d
+url2="http://${TANG_HOST}:${port2}"
64015d
+
64015d
+cfg2=$(printf '{"t":1,"pins":{"tang":[{"url":"%s"},{"url":"%s"}]}}' \
64015d
+       "${url1}" "${url2}")
64015d
+
64015d
+# LUKS2.
64015d
+new_device "luks2" "${DEV}"
64015d
+# Now let's test the sss pin with the two test tang servers we deployed.
64015d
+if ! clevis luks bind -y -d "${DEV}" sss "${cfg2}" <<< "${DEFAULT_PASS}"; then
64015d
+    error "${TEST}: Bind should have succeeded."
64015d
+fi
64015d
+
64015d
+# Unlock should still work now.
64015d
+if ! clevis_luks_unlock_device "${DEV}"; then
64015d
+    error "${TEST}: we should still be able to unlock ${DEV}"
64015d
+fi
64015d
diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
64015d
index dbef9bf..4795488 100644
64015d
--- a/src/luks/tests/meson.build
64015d
+++ b/src/luks/tests/meson.build
64015d
@@ -85,6 +85,7 @@ endif
64015d
 
64015d
 if has_tang
64015d
   test('unlock-tang-luks1', find_program('unlock-tang-luks1'), env: env, timeout: 90)
64015d
+  test('assume-yes-luks1', find_program('assume-yes-luks1'), env: env)
64015d
 endif
64015d
 test('pass-tang-luks1', find_program('pass-tang-luks1'), env: env)
64015d
 test('backup-restore-luks1', find_program('backup-restore-luks1'), env: env)
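Review bot: `assume-yes-luks1` is registered without a `timeout:` while the neighbouring `unlock-tang-luks1` uses `timeout: 90` and the luks2 counterpart added in this patch gets `timeout: 60`; the test starts two tang servers and performs two bind/unlock cycles, so meson's default 30 s limit may be tight on slow CI. Suggest `test('assume-yes-luks1', find_program('assume-yes-luks1'), env: env, timeout: 60)`.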
64015d
@@ -108,6 +109,7 @@ if luksmeta_data.get('OLD_CRYPTSETUP') == '0'
64015d
 
64015d
   if has_tang
64015d
     test('unlock-tang-luks2', find_program('unlock-tang-luks2'), env: env, timeout: 120)
64015d
+    test('assume-yes-luks2', find_program('assume-yes-luks2'), env: env, timeout: 60)
64015d
   endif
64015d
   test('pass-tang-luks2', find_program('pass-tang-luks2'), env: env, timeout: 60)
64015d
   test('backup-restore-luks2', find_program('backup-restore-luks2'), env:env, timeout: 90)
64015d
diff --git a/src/pins/sss/clevis-encrypt-sss.1.adoc b/src/pins/sss/clevis-encrypt-sss.1.adoc
64015d
index 7144e7e..7152144 100644
64015d
--- a/src/pins/sss/clevis-encrypt-sss.1.adoc
64015d
+++ b/src/pins/sss/clevis-encrypt-sss.1.adoc
64015d
@@ -5,11 +5,11 @@ CLEVIS-ENCRYPT-SSS(1)
64015d
 
64015d
 == NAME
64015d
 
64015d
-clevis-encrypt-sss - Encrypts using a Shamir's Secret Sharing policy 
64015d
+clevis-encrypt-sss - Encrypts using a Shamir's Secret Sharing policy
64015d
 
64015d
 == SYNOPSIS
64015d
 
64015d
-*clevis encrypt sss* CONFIG < PT > JWE
64015d
+*clevis encrypt sss* CONFIG [-y] < PT > JWE
64015d
 
64015d
 == OVERVIEW
64015d
 
64015d
@@ -52,6 +52,16 @@ The format of the *pins* property is as follows:
64015d
 When the list version of the format is used, multiple pins of that type will
64015d
 receive key fragments.
64015d
 
64015d
+== OPTIONS
64015d
+
64015d
+* *-y* :
64015d
+  Automatically answer yes for all questions. For the _tang_ pin, it will
64015d
+  skip the advertisement trust check, which can be useful in automated
64015d
+  deployments:
64015d
+
64015d
+    $ cfg='{"t":1,"pins":{"tang":[{"url":...},{"url":...}]}}'
64015d
+    $ clevis encrypt sss "$cfg" -y < PT > JWE
64015d
+
64015d
 == SEE ALSO
64015d
 
64015d
 link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
64015d
diff --git a/src/pins/sss/clevis-encrypt-sss.c b/src/pins/sss/clevis-encrypt-sss.c
64015d
index d6f2c2c..531e918 100644
64015d
--- a/src/pins/sss/clevis-encrypt-sss.c
64015d
+++ b/src/pins/sss/clevis-encrypt-sss.c
64015d
@@ -86,9 +86,9 @@ npins(json_t *pins)
64015d
 }
64015d
 
64015d
 static json_t *
64015d
-encrypt_frag(json_t *sss, const char *pin, const json_t *cfg)
64015d
+encrypt_frag(json_t *sss, const char *pin, const json_t *cfg, int assume_yes)
64015d
 {
64015d
-    char *args[] = { "clevis", "encrypt", (char *) pin, NULL, NULL };
64015d
+    char *args[] = { "clevis", "encrypt", (char *) pin, NULL, NULL, NULL };
64015d
     json_auto_t *jwe = json_string("");
64015d
     str_auto_t *str = NULL;
64015d
     uint8_t *pnt = NULL;
64015d
@@ -100,6 +100,10 @@ encrypt_frag(json_t *sss, const char *pin, const json_t *cfg)
64015d
     if (!str)
64015d
         return NULL;
64015d
 
64015d
+    if (assume_yes) {
64015d
+        args[4] = "-y";
64015d
+    }
64015d
+
64015d
     pnt = sss_point(sss, &pntl);
64015d
     if (!pnt)
64015d
         return NULL;
64015d
@@ -137,7 +141,7 @@ encrypt_frag(json_t *sss, const char *pin, const json_t *cfg)
64015d
 }
64015d
 
64015d
 static json_t *
64015d
-encrypt_frags(json_int_t t, json_t *pins)
64015d
+encrypt_frags(json_int_t t, json_t *pins, int assume_yes)
64015d
 {
64015d
     const char *pname = NULL;
64015d
     json_auto_t *sss = NULL;
64015d
@@ -172,7 +176,7 @@ encrypt_frags(json_int_t t, json_t *pins)
64015d
         json_array_foreach(pcfgs, i, pcfg) {
64015d
             json_auto_t *jwe = NULL;
64015d
 
64015d
-            jwe = encrypt_frag(sss, pname, pcfg);
64015d
+            jwe = encrypt_frag(sss, pname, pcfg, assume_yes);
64015d
             if (!jwe)
64015d
                 return NULL;
64015d
 
64015d
@@ -201,14 +205,24 @@ main(int argc, char *argv[])
64015d
     const char *iv = NULL;
64015d
     json_t *pins = NULL;
64015d
     json_int_t t = 1;
64015d
+    int assume_yes = 0;
64015d
 
64015d
     if (argc == 2 && strcmp(argv[1], "--summary") == 0) {
64015d
         fprintf(stdout, "%s\n", SUMMARY);
64015d
         return EXIT_SUCCESS;
64015d
     }
64015d
 
64015d
-    if (isatty(STDIN_FILENO) || argc != 2)
64015d
-        goto usage;
64015d
+    if (isatty(STDIN_FILENO) || argc != 2) {
64015d
+        if (argc != 3) {
64015d
+            goto usage;
64015d
+        }
64015d
+
64015d
+        if (strcmp(argv[2], "-y") == 0) {
64015d
+            assume_yes = 1;
64015d
+        } else if (strlen(argv[2]) > 0) {
64015d
+            goto usage;
64015d
+        }
64015d
+    }
64015d
 
64015d
     /* Parse configuration. */
64015d
     cfg = json_loads(argv[1], 0, NULL);
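Review bot: The rewritten guard drops the terminal check whenever a second argument is present: with `argc == 3` and `argv[2]` equal to `-y` (or empty), `isatty(STDIN_FILENO)` being true no longer reaches `goto usage`, so the program proceeds to read the plaintext from the terminal, which the original `isatty(...) || argc != 2` refused. Checking the tty first and then validating the argument count separately keeps the old behaviour while adding `-y`. The acceptance of an empty `argv[2]` exists only to tolerate the `"${YES}"` expansion in clevis-luks-bind and is worth a comment if it stays. main() starts and ends outside this hunk.
```c
    int assume_yes = 0;

    /* … unchanged: --summary handling … */

    /* Never read plaintext from a terminal, whatever the argument count. */
    if (isatty(STDIN_FILENO))
        goto usage;

    if (argc == 3) {
        if (strcmp(argv[2], "-y") == 0)
            assume_yes = 1;
        else if (strlen(argv[2]) > 0) /* empty arg tolerated for callers passing "${YES}" */
            goto usage;
    } else if (argc != 2) {
        goto usage;
    }
```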
64015d
@@ -228,7 +242,7 @@ main(int argc, char *argv[])
64015d
         return EXIT_FAILURE;
64015d
     }
64015d
 
64015d
-    sss = encrypt_frags(t, pins);
64015d
+    sss = encrypt_frags(t, pins, assume_yes);
64015d
     if (!sss)
64015d
         return EXIT_FAILURE;
64015d
 
64015d
@@ -287,7 +301,7 @@ main(int argc, char *argv[])
64015d
 
64015d
 usage:
64015d
     fprintf(stderr, "\n");
64015d
-    fprintf(stderr, "Usage: clevis encrypt sss CONFIG < PLAINTEXT > JWE\n");
64015d
+    fprintf(stderr, "Usage: clevis encrypt sss CONFIG [-y] < PLAINTEXT > JWE\n");
64015d
     fprintf(stderr, "\n");
64015d
     fprintf(stderr, "%s\n", SUMMARY);
64015d
     fprintf(stderr, "\n");
64015d
diff --git a/src/pins/tang/clevis-encrypt-tang b/src/pins/tang/clevis-encrypt-tang
64015d
index 378b25d..4a43f1f 100755
64015d
--- a/src/pins/tang/clevis-encrypt-tang
64015d
+++ b/src/pins/tang/clevis-encrypt-tang
64015d
@@ -28,10 +28,14 @@ fi
64015d
 if [ -t 0 ]; then
64015d
     exec >&2
64015d
     echo
64015d
-    echo "Usage: clevis encrypt tang CONFIG < PLAINTEXT > JWE"
64015d
+    echo "Usage: clevis encrypt tang CONFIG [-y] < PLAINTEXT > JWE"
64015d
     echo
64015d
     echo "$SUMMARY"
64015d
     echo
64015d
+    echo "  -y              Use this option for skipping the advertisement"
64015d
+    echo "                  trust check. This can be useful in automated"
64015d
+    echo "                  deployments"
64015d
+    echo
64015d
     echo "This command uses the following configuration properties:"
64015d
     echo
64015d
     echo "  url: <string>   The base URL of the Tang server (REQUIRED)"
64015d
@@ -60,6 +64,9 @@ if ! cfg="$(jose fmt -j- -Oo- <<< "$1" 2>/dev/null)"; then
64015d
     exit 1
64015d
 fi
64015d
 
64015d
+trust=
64015d
+[ -n "${2}" ] && [ "${2}" == "-y" ] && trust=yes
64015d
+
64015d
 if ! url="$(jose fmt -j- -Og url -u- <<< "$cfg")"; then
64015d
     echo "Missing the required 'url' property!" >&2
64015d
     exit 1
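Review bot: `[ -n "${2}" ] && [ "${2}" == "-y" ] && trust=yes` silently ignores any second argument that is not exactly `-y`, so a typo such as `-Y` falls back to the interactive prompt instead of an error, whereas the sss pin in this patch rejects unknown arguments. The `-n` test is redundant with the equality test; `[ "${2:-}" == "-y" ] && trust=yes` is enough, and rejecting a non-empty value other than `-y` with a usage error would keep the two front-ends consistent.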
64015d
@@ -100,18 +107,20 @@ if ! jose jws ver -i "$jws" -k- -a <<< "$ver"; then
64015d
 fi
64015d
 
64015d
 ### Check advertisement trust
64015d
-if [ -z "$thp" ]; then
64015d
-    echo "The advertisement contains the following signing keys:" >&2
64015d
-    echo >&2
64015d
-    jose jwk thp -i- <<< "$ver" >&2
64015d
-    echo >&2
64015d
-    read -r -p "Do you wish to trust these keys? [ynYN] " ans < /dev/tty
64015d
-    [[ "$ans" =~ ^[yY]$ ]] || exit 1
64015d
-
64015d
-elif [ "$thp" != "any" ] && \
64015d
-    ! jose jwk thp -i- -f "$thp" -o /dev/null <<< "$ver"; then
64015d
-    echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
64015d
-    exit 1
64015d
+if [ -z "${trust}" ]; then
64015d
+    if [ -z "$thp" ]; then
64015d
+        echo "The advertisement contains the following signing keys:" >&2
64015d
+        echo >&2
64015d
+        jose jwk thp -i- <<< "$ver" >&2
64015d
+        echo >&2
64015d
+        read -r -p "Do you wish to trust these keys? [ynYN] " ans < /dev/tty
64015d
+        [[ "$ans" =~ ^[yY]$ ]] || exit 1
64015d
+
64015d
+    elif [ "$thp" != "any" ] && \
64015d
+        ! jose jwk thp -i- -f "$thp" -o /dev/null <<< "$ver"; then
64015d
+        echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
64015d
+        exit 1
64015d
+    fi
64015d
 fi
64015d
 
64015d
 ### Perform encryption
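Review bot: Wrapping the whole trust block in `if [ -z "${trust}" ]` makes `-y` skip the `thp` branch as well, so a caller who pins a trusted thumbprint in the configuration and passes `-y` gets no verification at all — `jose jwk thp -f "$thp"` is never run and an advertisement signed by a different key is accepted. The commit message describes `-y` as replacing the manual y/yes answer, which is the `[ -z "$thp" ]` branch only; the thumbprint check is non-interactive and should stay in force. Moving the `trust` test inside the prompt branch keeps `-y` equivalent to answering yes while preserving explicit pinning.
```sh
### Check advertisement trust
if [ -z "$thp" ]; then
    # -y only replaces the interactive confirmation; an explicit thp
    # in the configuration is still verified by the elif branch below.
    if [ -z "${trust}" ]; then
        # … unchanged: print signing keys and prompt on /dev/tty …
        [[ "$ans" =~ ^[yY]$ ]] || exit 1
    fi
elif [ "$thp" != "any" ] && \
    ! jose jwk thp -i- -f "$thp" -o /dev/null <<< "$ver"; then
    echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
    exit 1
fi
```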
64015d
diff --git a/src/pins/tang/clevis-encrypt-tang.1.adoc b/src/pins/tang/clevis-encrypt-tang.1.adoc
64015d
index 276575f..c34d109 100644
64015d
--- a/src/pins/tang/clevis-encrypt-tang.1.adoc
64015d
+++ b/src/pins/tang/clevis-encrypt-tang.1.adoc
64015d
@@ -9,7 +9,7 @@ clevis-encrypt-tang - Encrypts using a Tang binding server policy
64015d
 
64015d
 == SYNOPSIS
64015d
 
64015d
-*clevis encrypt tang* CONFIG < PT > JWE
64015d
+*clevis encrypt tang* CONFIG [-y] < PT > JWE
64015d
 
64015d
 == OVERVIEW
64015d
 
64015d
@@ -76,6 +76,15 @@ This command uses the following configuration properties:
64015d
 * *adv* (object) :
64015d
   A trusted advertisement (raw JSON)
64015d
 
64015d
+== OPTIONS
64015d
+
64015d
+* *-y* :
64015d
+  Automatically answer yes for all questions. Use this option for skipping
64015d
+  the advertisement trust check. This can be useful in automated deployments:
64015d
+
64015d
+    $ clevis encrypt tang '{"url":...}' -y < PT > JWE
64015d
+
64015d
+
64015d
 == SEE ALSO
64015d
 
64015d
 link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]
64015d
-- 
2.18.4