Merge pull request #617 from docker/no-keys-canonical-id

Message canonical key ids on error
David Lawrence 2016-03-14 15:18:46 -07:00
commit cd0b43a6b8
1 changed files with 5 additions and 3 deletions


@ -575,8 +575,9 @@ func (tr Repo) TargetDelegations(role, path string) []*data.Role {
// exist or if there are no signing keys.
func (tr *Repo) VerifyCanSign(roleName string) error {
var (
role data.BaseRole
err error
role data.BaseRole
err error
canonicalKeyIDs []string
)
// we only need the BaseRole part of a delegation because we're just
// checking KeyIDs
@ -597,6 +598,7 @@ func (tr *Repo) VerifyCanSign(roleName string) error {
check := []string{keyID}
if canonicalID, err := utils.CanonicalKeyID(k); err == nil {
check = append(check, canonicalID)
canonicalKeyIDs = append(canonicalKeyIDs, canonicalID)
}
for _, id := range check {
p, _, err := tr.cryptoService.GetPrivateKey(id)
@ -605,7 +607,7 @@ func (tr *Repo) VerifyCanSign(roleName string) error {
}
}
}
return signed.ErrNoKeys{KeyIDs: role.ListKeyIDs()}
return signed.ErrNoKeys{KeyIDs: canonicalKeyIDs}
}
// used for walking the targets/delegations tree, potentially modifying the underlying SignedTargets for the repo
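Review bot: In the second hunk of VerifyCanSign, a key reaches `canonicalKeyIDs` only when `utils.CanonicalKeyID(k)` returns no error, so any key whose canonical ID cannot be computed is silently left out of the `signed.ErrNoKeys` returned in the last hunk. If that happens for every key, the error carries an empty list, where `role.ListKeyIDs()` previously always named the role's keys, and the operator no longer learns which signing key is missing. I would fall back to the role key ID on failure, `} else { canonicalKeyIDs = append(canonicalKeyIDs, keyID) }`, so every key that was checked is reported. The loop header that binds `keyID` and `k` lies between the hunks and is not visible here, so this assumes each key is visited exactly once. A test with a key for which `CanonicalKeyID` fails would pin the behaviour.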