From 06ba32ea47f1eff2e19f048f0e66acf005dca0f3 Mon Sep 17 00:00:00 2001
From: Riyaz Faizullabhoy
Date: Wed, 9 Mar 2016 11:29:29 -0800
Subject: [PATCH] Message canonical key ids on error

Signed-off-by: Riyaz Faizullabhoy
---
 tuf/tuf.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/tuf/tuf.go b/tuf/tuf.go
index 0a1912a5f5..abd6aa858b 100644
--- a/tuf/tuf.go
+++ b/tuf/tuf.go
@@ -575,8 +575,9 @@ func (tr Repo) TargetDelegations(role, path string) []*data.Role {
 // exist or if there are no signing keys.
 func (tr *Repo) VerifyCanSign(roleName string) error {
 var (
- role data.BaseRole
- err error
+ role data.BaseRole
+ err error
+ canonicalKeyIDs []string
 )
 // we only need the BaseRole part of a delegation because we're just
 // checking KeyIDs
@@ -597,6 +598,7 @@ func (tr *Repo) VerifyCanSign(roleName string) error {
 check := []string{keyID}
 if canonicalID, err := utils.CanonicalKeyID(k); err == nil {
 check = append(check, canonicalID)
+ canonicalKeyIDs = append(canonicalKeyIDs, canonicalID)
 }
 for _, id := range check {
 p, _, err := tr.cryptoService.GetPrivateKey(id)
@@ -605,7 +607,7 @@ func (tr *Repo) VerifyCanSign(roleName string) error {
 }
 }
 }
- return signed.ErrNoKeys{KeyIDs: role.ListKeyIDs()}
+ return signed.ErrNoKeys{KeyIDs: canonicalKeyIDs}
 }

 // used for walking the targets/delegations tree, potentially modifying the underlying SignedTargets for the repo
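Review bot: In the second hunk a key ID is recorded for the error only when `utils.CanonicalKeyID(k)` succeeds, so any role key whose canonical ID cannot be computed disappears from the `signed.ErrNoKeys` returned in the last hunk, and the list can end up empty where `role.ListKeyIDs()` previously named every key. Because this error is what tells an operator which signing key is missing, I would fall back to the role's own ID on that path: `} else { canonicalKeyIDs = append(canonicalKeyIDs, keyID) }`. The loop header and the lookup of `k` lie outside the hunk, so this assumes `keyID` is the role key ID being iterated. A short comment on the new declaration, e.g. `// key IDs as looked up in the key store; reported when none can sign`, would also make the intent of the changed return clear.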