This repository was archived by the owner on Oct 9, 2025. It is now read-only.

give the CLI a way to verify CVM pubkey #3

@amiller

When sending encrypted secrets to the application, right now the CLI just fetches the public key from the tproxy.

async function getPubkeyFromCvm(

This opens up a "Rogue Certificate" man-in-the-middle attack where a CA (or the owner of the tproxy domain) issues a malicious certificate. This could be used to steal the encrypted secrets. Basically the problem is introducing a reliance on the TLS PKI system in a core component that didn't need it.

One way to fix this is by passing the encryption key itself as a parameter or env var for the CLI.

Another way is to get a reference value for the "public key fingerprint" of the tproxy TLS certificate. The CLI could then extract the public key from the certificate and check it against the fingerprint. For python like this CLI it could be patched just by using some custom https session into axios.post.
https://stackoverflow.com/questions/16903528/how-to-get-response-ssl-certificate-from-requests-in-python/52072170#52072170

I think the best place to get the reference values will ultimately be the on-chain KMS but less clear of a next step (include a light client in this cli too?)
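
One way to implement the fingerprint check described in the issue, as an added example (not code from this repository). The function names, the host `tproxy.example` and the base64 SHA-256 pin format are assumptions, the reference fingerprint is assumed to reach the CLI out of band, and the certificate objects in `demo()` are constructed from locally generated keys.

```javascript
const crypto = require('crypto');
const https = require('https');
const tls = require('tls');

// SHA-256 over the DER public key, base64-encoded (assumed pin format).
function pubkeyFingerprint(pubkeyDer) {
  return crypto.createHash('sha256').update(pubkeyDer).digest('base64');
}

// True only when the presented key hashes to the reference fingerprint.
function matchesPin(pubkeyDer, expectedPin) {
  const got = Buffer.from(pubkeyFingerprint(pubkeyDer), 'base64');
  return got.equals(Buffer.from(String(expectedPin), 'base64'));
}

// Builds a checkServerIdentity callback: undefined accepts, an Error aborts.
function pinnedIdentityCheck(expectedPin) {
  return (host, cert) => {
    const err = tls.checkServerIdentity(host, cert); // keep the hostname check
    if (err) return err;
    if (!cert.pubkey || !matchesPin(cert.pubkey, expectedPin)) {
      return new Error(`public key for ${host} does not match the pinned fingerprint`);
    }
    return undefined;
  };
}

// Agent for the CLI's request: axios.post(url, body, { httpsAgent: pinnedAgent(pin) })
function pinnedAgent(expectedPin) {
  return new https.Agent({ checkServerIdentity: pinnedIdentityCheck(expectedPin) });
}

// Constructed demo: both certificates name the right host, only one has the pinned key.
function demo() {
  const genuine = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const rogue = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const der = (k) => k.publicKey.export({ type: 'spki', format: 'der' });
  const certFor = (k) => ({
    subject: { CN: 'tproxy.example' },
    subjectaltname: 'DNS:tproxy.example',
    pubkey: der(k), // same field Node passes to checkServerIdentity
  });
  const check = pinnedIdentityCheck(pubkeyFingerprint(der(genuine)));
  return {
    genuine: check('tproxy.example', certFor(genuine)),
    rogue: check('tproxy.example', certFor(rogue)),
  };
}
```

The pin check runs in addition to normal chain validation, so a certificate that chains to a trusted CA but carries a different key is still rejected.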
