Blame SOURCES/0009-Introduce-y-assume-yes-argument-to-clevis-luks-bind.patch

95204d
From 7b1639b2194a8bfbb0daedf1cbdfc4ebef5f6b31 Mon Sep 17 00:00:00 2001
95204d
From: Sergio Correia <scorreia@redhat.com>
95204d
Date: Mon, 18 May 2020 08:36:17 -0300
95204d
Subject: [PATCH] Introduce -y (assume yes) argument to clevis luks bind
95204d
95204d
In order to simplify automated operations with e.g. ansible,
95204d
it would be helpful to have a way to automate the creation of
95204d
bindings with clevis.
95204d
95204d
In simple scenarios, it's possible to download the advertisement
95204d
from a tang server and pass it in the binding configuration, to
95204d
do the binding offline, in the following way:
95204d
95204d
curl -sfg http://tang.server/adv -o adv.jws
95204d
95204d
clevis luks bind -d /dev/sda2 tang '{"url":"http://tang.server", "adv":"adv.jws}'
95204d
95204d
However, for more complex scenarios using multiple servers with
95204d
the sss pin, it becomes a lot more complicated to do the same
95204d
thing and do the binding in an automated fashion. An alternative
95204d
would be to use expect (tcl), but it can also be complicated.
95204d
95204d
In this commit we introduce -y as a parameter to clevis luks bind,
95204d
meanining _assume yes_. Essentially, this would make it so that
95204d
the user would not have to manually trust tang key(s) by typing
95204d
y/yes.
95204d
95204d
Security-wise, it would be similar to downloading the advertisement
95204d
manually and passing it to tang as the "adv" configuration option,
95204d
something already supported.
95204d
95204d
We already have a -f parameter, so we picked something different,
95204d
not to change existing behavior and possibly break existing scripts.
95204d
---
95204d
 src/luks/clevis-luks-bind.1.adoc         |  7 +-
95204d
 src/luks/clevis-luks-bind.in             | 11 +++-
95204d
 src/luks/clevis-luks-regen               |  4 +-
95204d
 src/luks/tests/assume-yes-luks1          | 81 ++++++++++++++++++++++++
95204d
 src/luks/tests/assume-yes-luks2          | 81 ++++++++++++++++++++++++
95204d
 src/luks/tests/meson.build               |  2 +
95204d
 src/pins/sss/clevis-encrypt-sss.1.adoc   | 14 +++-
95204d
 src/pins/sss/clevis-encrypt-sss.c        | 30 ++++++---
95204d
 src/pins/tang/clevis-encrypt-tang        | 35 ++++++----
95204d
 src/pins/tang/clevis-encrypt-tang.1.adoc | 11 +++-
95204d
 10 files changed, 246 insertions(+), 30 deletions(-)
95204d
 create mode 100755 src/luks/tests/assume-yes-luks1
95204d
 create mode 100755 src/luks/tests/assume-yes-luks2
95204d
95204d
diff --git a/src/luks/clevis-luks-bind.1.adoc b/src/luks/clevis-luks-bind.1.adoc
95204d
index 336c0f4..438e517 100644
95204d
--- a/src/luks/clevis-luks-bind.1.adoc
95204d
+++ b/src/luks/clevis-luks-bind.1.adoc
95204d
@@ -9,7 +9,7 @@ clevis-luks-bind - Bind a LUKS device using the specified policy
95204d
 
95204d
 == SYNOPSIS
95204d
 
95204d
-*clevis luks bind* [-f] -d DEV [-s SLT] [-k KEY] PIN CFG
95204d
+*clevis luks bind* [-f] [-y] -d DEV [-s SLT] [-k KEY] PIN CFG
95204d
 
95204d
 == OVERVIEW
95204d
 
95204d
@@ -34,6 +34,11 @@ Clevis LUKS unlockers. See link:clevis-luks-unlockers.7.adoc[*clevis-luks-unlock
95204d
 * *-f* :
95204d
   Do not prompt for LUKSMeta initialization
95204d
 
95204d
+* *-y* :
95204d
+  Automatically answer yes for all questions. When using _tang_, it
95204d
+  causes the advertisement trust check to be skipped, which can be
95204d
+  useful in automated deployments
95204d
+
95204d
 * *-d* _DEV_ :
95204d
   The LUKS device on which to perform binding
95204d
 
95204d
diff --git a/src/luks/clevis-luks-bind.in b/src/luks/clevis-luks-bind.in
95204d
index 89a5e22..8b8b5ee 100755
95204d
--- a/src/luks/clevis-luks-bind.in
95204d
+++ b/src/luks/clevis-luks-bind.in
95204d
@@ -33,12 +33,14 @@ function luks2_supported() {
95204d
 function usage() {
95204d
     exec >&2
95204d
     echo
95204d
-    echo "Usage: clevis luks bind [-f] [-s SLT] [-k KEY] -d DEV PIN CFG"
95204d
+    echo "Usage: clevis luks bind [-f] [-y] [-s SLT] [-k KEY] -d DEV PIN CFG"
95204d
     echo
95204d
     echo "$SUMMARY":
95204d
     echo
95204d
     echo "  -f      Do not prompt for LUKSMeta initialization"
95204d
     echo
95204d
+    echo "  -y      Automatically answer yes for all questions"
95204d
+    echo
95204d
     echo "  -d DEV  The LUKS device on which to perform binding"
95204d
     echo
95204d
     echo "  -s SLT  The LUKS slot to use"
95204d
@@ -55,12 +57,15 @@ if [ $# -eq 1 ] && [ "$1" == "--summary" ]; then
95204d
 fi
95204d
 
95204d
 FRC=()
95204d
-while getopts ":hfd:s:k:" o; do
95204d
+YES=()
95204d
+while getopts ":fyd:s:k:" o; do
95204d
     case "$o" in
95204d
     f) FRC+=(-f);;
95204d
     d) DEV="$OPTARG";;
95204d
     s) SLT="$OPTARG";;
95204d
     k) KEY="$OPTARG";;
95204d
+    y) FRC+=(-f)
95204d
+       YES+=(-y);;
95204d
     *) usage;;
95204d
     esac
95204d
 done
95204d
@@ -139,7 +144,7 @@ cryptsetup luksDump "$DEV" \
95204d
 )")"
95204d
 
95204d
 # Encrypt the new key
95204d
-jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG")"
95204d
+jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG" "${YES}")"
95204d
 
95204d
 # If necessary, initialize the LUKS volume
95204d
 if [ "$luks_type" == "luks1" ] && ! luksmeta test -d "$DEV"; then
95204d
diff --git a/src/luks/clevis-luks-regen b/src/luks/clevis-luks-regen
95204d
index 44fd673..6071d85 100755
95204d
--- a/src/luks/clevis-luks-regen
95204d
+++ b/src/luks/clevis-luks-regen
95204d
@@ -110,7 +110,7 @@ if ! new_passphrase=$(generate_key "${DEV}"); then
95204d
 fi
95204d
 
95204d
 # Reencrypt the new password.
95204d
-if ! jwe=$(clevis encrypt "${PIN}" "${CFG}" <<< "${new_passphrase}"); then
95204d
+if ! jwe="$(clevis encrypt "${PIN}" "${CFG}" <<< "${new_passphrase}")"; then
95204d
     echo "Error using pin '${PIN}' with config '${CFG}'" >&2
95204d
     exit 1
95204d
 fi
95204d
@@ -176,7 +176,7 @@ fi
95204d
 # Now make sure that we can unlock this device after the change.
95204d
 # If we can't, undo the changes.
95204d
 if ! cryptsetup open --test-passphrase --key-slot "${SLT}" "${DEV}" 2>/dev/null \
95204d
-        <<< $(clevis luks pass -d "${DEV}" -s "${SLT}" 2>/dev/null); then
95204d
+        <<< "$(clevis luks pass -d "${DEV}" -s "${SLT}" 2>/dev/null)"; then
95204d
     echo "Invalid configuration detected after rebinding. Reverting changes."
95204d
     restore_device "${DEV}" "${TMP}"
95204d
     exit 1
95204d
diff --git a/src/luks/tests/assume-yes-luks1 b/src/luks/tests/assume-yes-luks1
95204d
new file mode 100755
95204d
index 0000000..ad9dea4
95204d
--- /dev/null
95204d
+++ b/src/luks/tests/assume-yes-luks1
95204d
@@ -0,0 +1,81 @@
95204d
+#!/bin/bash -ex
95204d
+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
95204d
+#
95204d
+# Copyright (c) 2020 Red Hat, Inc.
95204d
+# Author: Sergio Correia <scorreia@redhat.com>
95204d
+#
95204d
+# This program is free software: you can redistribute it and/or modify
95204d
+# it under the terms of the GNU General Public License as published by
95204d
+# the Free Software Foundation, either version 3 of the License, or
95204d
+# (at your option) any later version.
95204d
+#
95204d
+# This program is distributed in the hope that it will be useful,
95204d
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
95204d
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
95204d
+# GNU General Public License for more details.
95204d
+#
95204d
+# You should have received a copy of the GNU General Public License
95204d
+# along with this program.  If not, see <http: www.gnu.org="" licenses=""/>.
95204d
+
95204d
+TEST=$(basename "${0}")
95204d
+. tests-common-functions
95204d
+
95204d
+. clevis-luks-common-functions
95204d
+
95204d
+on_exit() {
95204d
+    local d
95204d
+    for d in "${TMP}" "${TMP2}"; do
95204d
+        [ ! -d "${d}" ] && continue
95204d
+        tang_stop "${d}"
95204d
+        rm -rf "${d}"
95204d
+    done
95204d
+}
95204d
+
95204d
+trap 'on_exit' EXIT
95204d
+trap 'on_exit' ERR
95204d
+
95204d
+TMP="$(mktemp -d)"
95204d
+
95204d
+port=$(get_random_port)
95204d
+tang_run "${TMP}" "${port}" &
95204d
+tang_wait_until_ready "${port}"
95204d
+
95204d
+url="http://${TANG_HOST}:${port}"
95204d
+
95204d
+cfg=$(printf '{"url":"%s"}' "$url")
95204d
+
95204d
+# LUKS1.
95204d
+DEV="${TMP}/luks1-device"
95204d
+new_device "luks1" "${DEV}"
95204d
+
95204d
+if ! clevis luks bind -y -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
95204d
+    error "${TEST}: Bind should have succeeded."
95204d
+fi
95204d
+
95204d
+if ! clevis_luks_unlock_device "${DEV}"; then
95204d
+    error "${TEST}: we were unable to unlock ${DEV}."
95204d
+fi
95204d
+
95204d
+# Let's use a second tang server to test the sss pin.
95204d
+TMP2="$(mktemp -d)"
95204d
+
95204d
+port2=$(get_random_port)
95204d
+tang_run "${TMP2}" "${port2}" &
95204d
+tang_wait_until_ready "${port2}"
95204d
+
95204d
+url2="http://${TANG_HOST}:${port2}"
95204d
+
95204d
+cfg2=$(printf '{"t":1,"pins":{"tang":[{"url":"%s"},{"url":"%s"}]}}' \
95204d
+       "${url1}" "${url2}")
95204d
+
95204d
+# LUKS1.
95204d
+new_device "luks1" "${DEV}"
95204d
+# Now let's test the sss pin with the two test tang servers we deployed.
95204d
+if ! clevis luks bind -y -d "${DEV}" sss "${cfg2}" <<< "${DEFAULT_PASS}"; then
95204d
+    error "${TEST}: Bind should have succeeded."
95204d
+fi
95204d
+
95204d
+# Unlock should still work now.
95204d
+if ! clevis_luks_unlock_device "${DEV}"; then
95204d
+    error "${TEST}: we should still be able to unlock ${DEV}"
95204d
+fi
95204d
diff --git a/src/luks/tests/assume-yes-luks2 b/src/luks/tests/assume-yes-luks2
95204d
new file mode 100755
95204d
index 0000000..5c0edc3
95204d
--- /dev/null
95204d
+++ b/src/luks/tests/assume-yes-luks2
95204d
@@ -0,0 +1,81 @@
95204d
+#!/bin/bash -ex
95204d
+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
95204d
+#
95204d
+# Copyright (c) 2020 Red Hat, Inc.
95204d
+# Author: Sergio Correia <scorreia@redhat.com>
95204d
+#
95204d
+# This program is free software: you can redistribute it and/or modify
95204d
+# it under the terms of the GNU General Public License as published by
95204d
+# the Free Software Foundation, either version 3 of the License, or
95204d
+# (at your option) any later version.
95204d
+#
95204d
+# This program is distributed in the hope that it will be useful,
95204d
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
95204d
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
95204d
+# GNU General Public License for more details.
95204d
+#
95204d
+# You should have received a copy of the GNU General Public License
95204d
+# along with this program.  If not, see <http: www.gnu.org="" licenses=""/>.
95204d
+
95204d
+TEST=$(basename "${0}")
95204d
+. tests-common-functions
95204d
+
95204d
+. clevis-luks-common-functions
95204d
+
95204d
+on_exit() {
95204d
+    local d
95204d
+    for d in "${TMP}" "${TMP2}"; do
95204d
+        [ ! -d "${d}" ] && continue
95204d
+        tang_stop "${d}"
95204d
+        rm -rf "${d}"
95204d
+    done
95204d
+}
95204d
+
95204d
+trap 'on_exit' EXIT
95204d
+trap 'on_exit' ERR
95204d
+
95204d
+TMP="$(mktemp -d)"
95204d
+
95204d
+port=$(get_random_port)
95204d
+tang_run "${TMP}" "${port}" &
95204d
+tang_wait_until_ready "${port}"
95204d
+
95204d
+url="http://${TANG_HOST}:${port}"
95204d
+
95204d
+cfg=$(printf '{"url":"%s"}' "$url")
95204d
+
95204d
+# LUKS2.
95204d
+DEV="${TMP}/luks2-device"
95204d
+new_device "luks2" "${DEV}"
95204d
+
95204d
+if ! clevis luks bind -y -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
95204d
+    error "${TEST}: Bind should have succeeded."
95204d
+fi
95204d
+
95204d
+if ! clevis_luks_unlock_device "${DEV}"; then
95204d
+    error "${TEST}: we were unable to unlock ${DEV}."
95204d
+fi
95204d
+
95204d
+# Let's use a second tang server to test the sss pin.
95204d
+TMP2="$(mktemp -d)"
95204d
+
95204d
+port2=$(get_random_port)
95204d
+tang_run "${TMP2}" "${port2}" &
95204d
+tang_wait_until_ready "${port2}"
95204d
+
95204d
+url2="http://${TANG_HOST}:${port2}"
95204d
+
95204d
+cfg2=$(printf '{"t":1,"pins":{"tang":[{"url":"%s"},{"url":"%s"}]}}' \
95204d
+       "${url1}" "${url2}")
95204d
+
95204d
+# LUKS2.
95204d
+new_device "luks2" "${DEV}"
95204d
+# Now let's test the sss pin with the two test tang servers we deployed.
95204d
+if ! clevis luks bind -y -d "${DEV}" sss "${cfg2}" <<< "${DEFAULT_PASS}"; then
95204d
+    error "${TEST}: Bind should have succeeded."
95204d
+fi
95204d
+
95204d
+# Unlock should still work now.
95204d
+if ! clevis_luks_unlock_device "${DEV}"; then
95204d
+    error "${TEST}: we should still be able to unlock ${DEV}"
95204d
+fi
95204d
diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
95204d
index dbef9bf..4795488 100644
95204d
--- a/src/luks/tests/meson.build
95204d
+++ b/src/luks/tests/meson.build
95204d
@@ -85,6 +85,7 @@ endif
95204d
 
95204d
 if has_tang
95204d
   test('unlock-tang-luks1', find_program('unlock-tang-luks1'), env: env, timeout: 90)
95204d
+  test('assume-yes-luks1', find_program('assume-yes-luks1'), env: env)
95204d
 endif
95204d
 test('pass-tang-luks1', find_program('pass-tang-luks1'), env: env)
95204d
 test('backup-restore-luks1', find_program('backup-restore-luks1'), env: env)
95204d
@@ -108,6 +109,7 @@ if luksmeta_data.get('OLD_CRYPTSETUP') == '0'
95204d
 
95204d
   if has_tang
95204d
     test('unlock-tang-luks2', find_program('unlock-tang-luks2'), env: env, timeout: 120)
95204d
+    test('assume-yes-luks2', find_program('assume-yes-luks2'), env: env, timeout: 60)
95204d
   endif
95204d
   test('pass-tang-luks2', find_program('pass-tang-luks2'), env: env, timeout: 60)
95204d
   test('backup-restore-luks2', find_program('backup-restore-luks2'), env:env, timeout: 90)
95204d
diff --git a/src/pins/sss/clevis-encrypt-sss.1.adoc b/src/pins/sss/clevis-encrypt-sss.1.adoc
95204d
index 7144e7e..7152144 100644
95204d
--- a/src/pins/sss/clevis-encrypt-sss.1.adoc
95204d
+++ b/src/pins/sss/clevis-encrypt-sss.1.adoc
95204d
@@ -5,11 +5,11 @@ CLEVIS-ENCRYPT-SSS(1)
95204d
 
95204d
 == NAME
95204d
 
95204d
-clevis-encrypt-sss - Encrypts using a Shamir's Secret Sharing policy 
95204d
+clevis-encrypt-sss - Encrypts using a Shamir's Secret Sharing policy
95204d
 
95204d
 == SYNOPSIS
95204d
 
95204d
-*clevis encrypt sss* CONFIG < PT > JWE
95204d
+*clevis encrypt sss* CONFIG [-y] < PT > JWE
95204d
 
95204d
 == OVERVIEW
95204d
 
95204d
@@ -52,6 +52,16 @@ The format of the *pins* property is as follows:
95204d
 When the list version of the format is used, multiple pins of that type will
95204d
 receive key fragments.
95204d
 
95204d
+== OPTIONS
95204d
+
95204d
+* *-y* :
95204d
+  Automatically answer yes for all questions. For the _tang_ pin, it will
95204d
+  skip the advertisement trust check, which can be useful in automated
95204d
+  deployments:
95204d
+
95204d
+    $ cfg='{"t":1,"pins":{"tang":[{"url":...},{"url":...}]}}'
95204d
+    $ clevis encrypt sss "$cfg" -y < PT > JWE
95204d
+
95204d
 == SEE ALSO
95204d
 
95204d
 link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
95204d
diff --git a/src/pins/sss/clevis-encrypt-sss.c b/src/pins/sss/clevis-encrypt-sss.c
95204d
index d6f2c2c..531e918 100644
95204d
--- a/src/pins/sss/clevis-encrypt-sss.c
95204d
+++ b/src/pins/sss/clevis-encrypt-sss.c
95204d
@@ -86,9 +86,9 @@ npins(json_t *pins)
95204d
 }
95204d
 
95204d
 static json_t *
95204d
-encrypt_frag(json_t *sss, const char *pin, const json_t *cfg)
95204d
+encrypt_frag(json_t *sss, const char *pin, const json_t *cfg, int assume_yes)
95204d
 {
95204d
-    char *args[] = { "clevis", "encrypt", (char *) pin, NULL, NULL };
95204d
+    char *args[] = { "clevis", "encrypt", (char *) pin, NULL, NULL, NULL };
95204d
     json_auto_t *jwe = json_string("");
95204d
     str_auto_t *str = NULL;
95204d
     uint8_t *pnt = NULL;
95204d
@@ -100,6 +100,10 @@ encrypt_frag(json_t *sss, const char *pin, const json_t *cfg)
95204d
     if (!str)
95204d
         return NULL;
95204d
 
95204d
+    if (assume_yes) {
95204d
+        args[4] = "-y";
95204d
+    }
95204d
+
95204d
     pnt = sss_point(sss, &pntl);
95204d
     if (!pnt)
95204d
         return NULL;
95204d
@@ -137,7 +141,7 @@ encrypt_frag(json_t *sss, const char *pin, const json_t *cfg)
95204d
 }
95204d
 
95204d
 static json_t *
95204d
-encrypt_frags(json_int_t t, json_t *pins)
95204d
+encrypt_frags(json_int_t t, json_t *pins, int assume_yes)
95204d
 {
95204d
     const char *pname = NULL;
95204d
     json_auto_t *sss = NULL;
95204d
@@ -172,7 +176,7 @@ encrypt_frags(json_int_t t, json_t *pins)
95204d
         json_array_foreach(pcfgs, i, pcfg) {
95204d
             json_auto_t *jwe = NULL;
95204d
 
95204d
-            jwe = encrypt_frag(sss, pname, pcfg);
95204d
+            jwe = encrypt_frag(sss, pname, pcfg, assume_yes);
95204d
             if (!jwe)
95204d
                 return NULL;
95204d
 
95204d
@@ -201,14 +205,24 @@ main(int argc, char *argv[])
95204d
     const char *iv = NULL;
95204d
     json_t *pins = NULL;
95204d
     json_int_t t = 1;
95204d
+    int assume_yes = 0;
95204d
 
95204d
     if (argc == 2 && strcmp(argv[1], "--summary") == 0) {
95204d
         fprintf(stdout, "%s\n", SUMMARY);
95204d
         return EXIT_SUCCESS;
95204d
     }
95204d
 
95204d
-    if (isatty(STDIN_FILENO) || argc != 2)
95204d
-        goto usage;
95204d
+    if (isatty(STDIN_FILENO) || argc != 2) {
95204d
+        if (argc != 3) {
95204d
+            goto usage;
95204d
+        }
95204d
+
95204d
+        if (strcmp(argv[2], "-y") == 0) {
95204d
+            assume_yes = 1;
95204d
+        } else if (strlen(argv[2]) > 0) {
95204d
+            goto usage;
95204d
+        }
95204d
+    }
95204d
 
95204d
     /* Parse configuration. */
95204d
     cfg = json_loads(argv[1], 0, NULL);
95204d
@@ -228,7 +242,7 @@ main(int argc, char *argv[])
95204d
         return EXIT_FAILURE;
95204d
     }
95204d
 
95204d
-    sss = encrypt_frags(t, pins);
95204d
+    sss = encrypt_frags(t, pins, assume_yes);
95204d
     if (!sss)
95204d
         return EXIT_FAILURE;
95204d
 
95204d
@@ -287,7 +301,7 @@ main(int argc, char *argv[])
95204d
 
95204d
 usage:
95204d
     fprintf(stderr, "\n");
95204d
-    fprintf(stderr, "Usage: clevis encrypt sss CONFIG < PLAINTEXT > JWE\n");
95204d
+    fprintf(stderr, "Usage: clevis encrypt sss CONFIG [-y] < PLAINTEXT > JWE\n");
95204d
     fprintf(stderr, "\n");
95204d
     fprintf(stderr, "%s\n", SUMMARY);
95204d
     fprintf(stderr, "\n");
95204d
diff --git a/src/pins/tang/clevis-encrypt-tang b/src/pins/tang/clevis-encrypt-tang
95204d
index 378b25d..4a43f1f 100755
95204d
--- a/src/pins/tang/clevis-encrypt-tang
95204d
+++ b/src/pins/tang/clevis-encrypt-tang
95204d
@@ -28,10 +28,14 @@ fi
95204d
 if [ -t 0 ]; then
95204d
     exec >&2
95204d
     echo
95204d
-    echo "Usage: clevis encrypt tang CONFIG < PLAINTEXT > JWE"
95204d
+    echo "Usage: clevis encrypt tang CONFIG [-y] < PLAINTEXT > JWE"
95204d
     echo
95204d
     echo "$SUMMARY"
95204d
     echo
95204d
+    echo "  -y              Use this option for skipping the advertisement"
95204d
+    echo "                  trust check. This can be useful in automated"
95204d
+    echo "                  deployments"
95204d
+    echo
95204d
     echo "This command uses the following configuration properties:"
95204d
     echo
95204d
     echo "  url: <string>   The base URL of the Tang server (REQUIRED)"
95204d
@@ -60,6 +64,9 @@ if ! cfg="$(jose fmt -j- -Oo- <<< "$1" 2>/dev/null)"; then
95204d
     exit 1
95204d
 fi
95204d
 
95204d
+trust=
95204d
+[ -n "${2}" ] && [ "${2}" == "-y" ] && trust=yes
95204d
+
95204d
 if ! url="$(jose fmt -j- -Og url -u- <<< "$cfg")"; then
95204d
     echo "Missing the required 'url' property!" >&2
95204d
     exit 1
95204d
@@ -100,18 +107,20 @@ if ! jose jws ver -i "$jws" -k- -a <<< "$ver"; then
95204d
 fi
95204d
 
95204d
 ### Check advertisement trust
95204d
-if [ -z "$thp" ]; then
95204d
-    echo "The advertisement contains the following signing keys:" >&2
95204d
-    echo >&2
95204d
-    jose jwk thp -i- <<< "$ver" >&2
95204d
-    echo >&2
95204d
-    read -r -p "Do you wish to trust these keys? [ynYN] " ans < /dev/tty
95204d
-    [[ "$ans" =~ ^[yY]$ ]] || exit 1
95204d
-
95204d
-elif [ "$thp" != "any" ] && \
95204d
-    ! jose jwk thp -i- -f "$thp" -o /dev/null <<< "$ver"; then
95204d
-    echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
95204d
-    exit 1
95204d
+if [ -z "${trust}" ]; then
95204d
+    if [ -z "$thp" ]; then
95204d
+        echo "The advertisement contains the following signing keys:" >&2
95204d
+        echo >&2
95204d
+        jose jwk thp -i- <<< "$ver" >&2
95204d
+        echo >&2
95204d
+        read -r -p "Do you wish to trust these keys? [ynYN] " ans < /dev/tty
95204d
+        [[ "$ans" =~ ^[yY]$ ]] || exit 1
95204d
+
95204d
+    elif [ "$thp" != "any" ] && \
95204d
+        ! jose jwk thp -i- -f "$thp" -o /dev/null <<< "$ver"; then
95204d
+        echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
95204d
+        exit 1
95204d
+    fi
95204d
 fi
95204d
 
95204d
 ### Perform encryption
95204d
diff --git a/src/pins/tang/clevis-encrypt-tang.1.adoc b/src/pins/tang/clevis-encrypt-tang.1.adoc
95204d
index 276575f..c34d109 100644
95204d
--- a/src/pins/tang/clevis-encrypt-tang.1.adoc
95204d
+++ b/src/pins/tang/clevis-encrypt-tang.1.adoc
95204d
@@ -9,7 +9,7 @@ clevis-encrypt-tang - Encrypts using a Tang binding server policy
95204d
 
95204d
 == SYNOPSIS
95204d
 
95204d
-*clevis encrypt tang* CONFIG < PT > JWE
95204d
+*clevis encrypt tang* CONFIG [-y] < PT > JWE
95204d
 
95204d
 == OVERVIEW
95204d
 
95204d
@@ -76,6 +76,15 @@ This command uses the following configuration properties:
95204d
 * *adv* (object) :
95204d
   A trusted advertisement (raw JSON)
95204d
 
95204d
+== OPTIONS
95204d
+
95204d
+* *-y* :
95204d
+  Automatically answer yes for all questions. Use this option for skipping
95204d
+  the advertisement trust check. This can be useful in automated deployments:
95204d
+
95204d
+    $ clevis encrypt tang '{"url":...}' -y < PT > JWE
95204d
+
95204d
+
95204d
 == SEE ALSO
95204d
 
95204d
 link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]
95204d
-- 
95204d
2.18.4
95204d