From 9c0db05e6ac15447c72d253ccef3b77f244c93d9 Mon Sep 17 00:00:00 2001
From: David Lawrence
Date: Sun, 21 Jun 2015 13:06:03 -0700
Subject: [PATCH] updating gotuf for the VerifyRoot function
---
 Godeps/Godeps.json | 2 +-
 .../endophage/gotuf/signed/verify.go | 41 +++++++++++++++++++
 2 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
index a0b32fcfd4..c3cbac6c30 100644
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@@ -47,7 +47,7 @@
 },
 {
 "ImportPath": "github.com/endophage/gotuf",
- "Rev": "36214c0646639c7f94b3151df15dc417a67a9406"
+ "Rev": "f45743d59471461fa065fd5f0c67dcc893524b9d"
 },
 {
 "ImportPath": "github.com/go-sql-driver/mysql",
diff --git a/Godeps/_workspace/src/github.com/endophage/gotuf/signed/verify.go b/Godeps/_workspace/src/github.com/endophage/gotuf/signed/verify.go
index 374f0c3365..bdc3bb89d5 100644
--- a/Godeps/_workspace/src/github.com/endophage/gotuf/signed/verify.go
+++ b/Godeps/_workspace/src/github.com/endophage/gotuf/signed/verify.go
@@ -28,11 +28,52 @@ type signedMeta struct {
 Version int `json:"version"`
 }
+// VerifyRoot checks if a given root file is valid against a known set of keys.
+func VerifyRoot(s *data.Signed, minVersion int, keys map[string]*data.PublicKey, threshold int) ([]*data.PublicKey, error) {
+ if len(s.Signatures) == 0 {
+ return nil, ErrNoSignatures
+ }
+
+ var decoded map[string]interface{}
+ if err := json.Unmarshal(s.Signed, &decoded); err != nil {
+ return nil, err
+ }
+ msg, err := cjson.Marshal(decoded)
+ if err != nil {
+ return nil, err
+ }
+
+ valid := make(map[string]struct{})
+ for _, sig := range s.Signatures {
+ // make method lookup consistent with case uniformity.
+ method := strings.ToLower(sig.Method)
+ verifier, ok := Verifiers[method]
+ if !ok {
+ logrus.Debugf("continuing b/c signing method is not supported: %s\n", sig.Method)
+ continue
+ }
+
+ if err := verifier.Verify(keys[sig.KeyID], sig.Signature, msg); err != nil {
+ logrus.Debugf("continuing b/c signature was invalid\n")
+ continue
+ }
+ valid[sig.KeyID] = struct{}{}
+
+ }
+ if len(valid) < threshold {
+ return nil, ErrRoleThreshold
+ }
+ return nil, verifyMeta(s, "root", minVersion)
+}
+
 func Verify(s *data.Signed, role string, minVersion int, db *keys.KeyDB) error {
 if err := VerifySignatures(s, role, db); err != nil {
 return err
 }
+ return verifyMeta(s, role, minVersion)
+}
+func verifyMeta(s *data.Signed, role string, minVersion int) error {
 sm := &signedMeta{}
 if err := json.Unmarshal(s.Signed, sm); err != nil {
 return err
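Review bot: In VerifyRoot the key lookup `keys[sig.KeyID]` is never checked, so a signature naming a key ID that is not in the trusted set hands a nil `*data.PublicKey` to `verifier.Verify`; whether that returns an error or panics depends on each verifier implementation, which is not visible here, and a root file should not be able to drive that path. Look the key up first and skip unknown IDs, e.g. `key, ok := keys[sig.KeyID]` / `if !ok { logrus.Debugf("continuing b/c key ID is not trusted: %s\n", sig.KeyID); continue }` / `if err := verifier.Verify(key, sig.Signature, msg); err != nil {`. The `len(valid) < threshold` check accepts a root with zero valid signatures whenever a caller passes `threshold <= 0`, so it is worth rejecting non-positive thresholds up front rather than relying on callers. The `[]*data.PublicKey` result is always `nil` on both return paths, so either the verified keys should be collected and returned or the result dropped from the signature, and the doc comment should say which. verifyMeta's body continues outside this hunk, so whether it also checks the `_type` of the signed content cannot be confirmed from here.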