Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
Currently commands that do not require online access will error if
this option is passed. Do not error anymore, just ignore.
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
This runs through the basic notary init/add/publish/etc. workflow,
and some basic key workflows.
Note that this does work with the Yubikey, in that created keys while
testing do not require touch.
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
Add build tags and a check in Makefile to be sure you do not import
pkcs11 lib somewhere where it should not be. This will ensure docker
import and integration will continue to work.
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Jessica Frazelle <acidburn@docker.com> (github: endophage)
PR #242 has started requiring a passphrase for the imported key, and
recomputes the key ID, making the command-line argument redundant. So,
remove it from the command line and from the KeyStoreManager API.
Also updates the comment for KeyStoreManager.ImportRootKey, and changes
(notary key import-root) to refuse unexpected arguments instead of
silently ignoring them.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
-c was recently taken over by --configFile; using it for
--change-passphrase as well results in
panic: shorthand redefinition
So, move --change-passphrase to -p.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
over the root keys directory from non-root keys directory from keystoremanager
to keystore, since we're eliminating keystoremanager.
Maintain the two separate directories, though, because one can't tell whether
there is an old-style separate-directories structure, or if someone has a GUN
that starts with tuf_keys.
Signed-off-by: Ying Li <ying.li@docker.com>
Test for if client cert is passed without a client key and vice versa.
Fail in ConfigureClientTLS if only one of client cert/key is passed.
Lint fixes.
Signed-off-by: Ying Li <ying.li@docker.com>
if the signer is in trouble, but do not fail the health check, since
the server can operate for a while without the signer (the server will
have degraded performance, but is not down)
Signed-off-by: Ying Li <ying.li@docker.com>
(it just retries to connect, and the RPC call would just block until it does), so change up
how this works by timing out the health check.
Signed-off-by: Ying Li <ying.li@docker.com>
The default server URL can now be set using the `NOTARY_SERVER_URL`
environment variable. Specifying the `--server` parameter still
override this value.
Signed-off-by: Christophe Labouisse <christophe@labouisse.org>
Verify was making call to the server but didn't have a way to
override the default value.
Signed-off-by: Christophe Labouisse <christophe@labouisse.org>
- Export symlinks by encoding them in the zip file.
- Detect symlinks in a zip file on import and create them on the local
filesystem.
- Add test coverage.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Use the github.com/docker/distribution/context package to get a logger
that adds a unique ID and useful information about each HTTP request.
Use this logger in HTTP handlers instead of using logrus or the log
package directly.
Remove [Notary Server] and [Notary Signer] prefixes from log messages.
The distribution/context package was already vendored, so there are no
Godeps changes necessary.
Sample output:
notaryserver_1 | time="2015-07-31T23:02:01Z" level=debug msg="retrieving timestamp key for docker.com/docker"
notarysigner_1 | time="2015-07-31T23:02:01Z" level=debug msg="generated ECDSA key with keyID: ea89e7dc49a13feab1e5ed349760b148c3c6ebd86968b2bc6cb0d003a8b79f78"
notarysigner_1 | time="2015-07-31T23:02:01Z" level=debug msg="generated new ecdsa key for role: and keyID: ea89e7dc49a13feab1e5ed349760b148c3c6ebd86968b2bc6cb0d003a8b79f78"
notarysigner_1 | time="2015-07-31T23:02:01Z" level=info msg="CreateKey: Created KeyID ea89e7dc49a13feab1e5ed349760b148c3c6ebd86968b2bc6cb0d003a8b79f78"
notaryserver_1 | time="2015-07-31T23:02:01Z" level=debug msg="Creating new timestamp key for docker.com/docker. With algo: ecdsa"
notaryserver_1 | time="2015-07-31T23:02:01Z" level=debug msg="Inserting timestamp key for docker.com/docker"
notaryserver_1 | time="2015-07-31T23:02:01Z" level=debug msg="200 GET timestamp key" docker.com/docker=gun http.request.host="192.168.99.100:4443" http.request.id=a720da02-4312-48ae-b122-6d4bce9d3b20 http.request.method=GET http.request.remoteaddr="192.168.99.1:58178" http.request.uri="/v2/docker.com/docker/_trust/tuf/timestamp.key" http.request.useragent="Go 1.1 package http"
notaryserver_1 | time="2015-07-31T23:02:01Z" level=info msg="response completed" http.request.host="192.168.99.100:4443" http.request.id=a720da02-4312-48ae-b122-6d4bce9d3b20 http.request.method=GET http.request.remoteaddr="192.168.99.1:58178" http.request.uri="/v2/docker.com/docker/_trust/tuf/timestamp.key" http.request.useragent="Go 1.1 package http" http.response.duration=29.703624ms http.response.status=200 http.response.written=181
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
The key database is not generally used but only used by the signing service.
Move the implementation to the signer package to be imported by the signer.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
This makes the full subcommand names smoother; for example "notary key
generate" instead of "notary keys generate".
Add a "notary key list" subcommand to list keys, so "notary key"
lists the possible subcommands, instead of needing to use "notary key
-h".
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This adds four commands:
- notary keys export: export all keys, or keys for a particular GUN
(with -g)
- notary keys export-root: export root key by ID
- notary keys import: import a zip file of keys
- notary keys import-root: import a single root key
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Ying Li
David Lawrence
Jessica Frazelle
Diogo Monica
Diogo Mónica
Miloslav Trmač
David Lawrence
Ying Li
Ryan Cox
cyli
moxiegirl
Christophe Labouisse
Joe Beda
Derek McGowan
Nathan McCauley
Aaron Lehmann