docker/docs - docs - Gitea: Git with a cup of tea

Commit Graph

Author	SHA1	Message	Date
Ying Li	a924ca172f	When initializing a repo, create local keys before getting remote keys. Signed-off-by: Ying Li <ying.li@docker.com>	2015-12-10 10:16:39 -08:00
Ying Li	d0e789740a	Simplify the logic to determine whether to publish the root Signed-off-by: Ying Li <ying.li@docker.com>	2015-12-10 10:16:39 -08:00
Ying Li	642cf7f353	Slight refactor of NotaryRepository.Initialize Signed-off-by: Ying Li <ying.li@docker.com>	2015-12-10 10:16:39 -08:00
Ying Li	39d79d9844	NotaryRepository.Publish supports server managing snapshot keys. When publishing, do not sign and send the snapshot metadata if the client does not have the snapshot key. If the server sends back an error, then it also does not have a snapshot key and the client should propogate the no signing key error. Signed-off-by: Ying Li <ying.li@docker.com>	2015-12-10 10:16:39 -08:00
Ying Li	4b46a34524	NotaryRepository.Intialize supports server managing snapshot keys. If configured to have the server manage the snapshot key, the snapshot key is not generated and there will be no snapshot metadata. Signed-off-by: Ying Li <ying.li@docker.com>	2015-12-10 10:16:39 -08:00
David Lawrence	26d30953c8	Merge pull request #312 from mtrmac/cert-expiration Cert expiration	2015-12-10 08:40:24 -08:00
Miloslav Trmač	bd6d937f43	Fix computation of certificate expiration Instead of 3650 days, actually use 10 years (i.e. take into account leap days). Signed-off-by: Miloslav Trmač <mitr@redhat.com>	2015-12-09 20:02:10 +01:00
Miloslav Trmač	3c6335c572	Explicitly supply validity times to certificate generation Add explicit startTime and endTime parameters to cryptoservice.GenerateCertificate and trustmanager.NewCertificate. trustmanager.NewCertificate as a low-level data manipulation function should not be hard-coding policy (10-year expiration); that policy belongs to its callers, or one more level higher to callers of cryptoservice.GenerateCertificate. These places hard-coding policy now also have an explict comment to that effect. In addition to conceptual cleanliness, this will allow writing tests of certificate expiry by generating appropriate expired or nearly-expired certificates. Tests which don't care about the policy much will continue to use the just added cryptoservice.GenerateTestingCertificate. Signed-off-by: Miloslav Trmač <mitr@redhat.com>	2015-12-09 20:02:10 +01:00
Miloslav Trmač	e19e7fc44d	Remove misleading passphrase-related error handling in NotaryRepository.Initialize: 1. It is on a path where those errors can never happen 2. The specific error handling would silently ignore the error, which can’t be right anyway. Signed-off-by: Miloslav Trmač <mitr@redhat.com>	2015-12-09 19:58:02 +01:00
Ying Li	9ef782184c	Minor refactor of NotaryRepository constructor to use more shared code. Signed-off-by: Ying Li <ying.li@docker.com>	2015-12-07 17:19:28 -08:00
Ying Li	dbcb56b3bf	Renamed keystoremanager to certs, and KeyStoreManager to Manager. Since it no longer depends upon KeyStore, nor does it manipulate keys in any way. Signed-off-by: Ying Li <ying.li@docker.com>	2015-11-23 17:19:26 -05:00
Ying Li	8432f9db07	Fixes client to report problems contacting the remote server. Currently, when listing, publishing, or getting a particular target, if the remote server errors, the client attempts to load it from a local cache. However, if there is no local cache, it just returns Metadata Not Found for listing and getting. Have it report the remote the original remote error instead of Metadata Not Found locally. Signed-off-by: Ying Li <ying.li@docker.com>	2015-11-13 05:26:00 -08:00
David Lawrence	519a2ccbe8	removing all errors that aren't in use, fixing one place in memorystore that was using a different errorcode to all other stores, pushing errors into appropriate packages Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-11-12 01:08:49 -08:00
Diogo Monica	68992ddaf5	Resolving rebase conflicts Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Diogo Monica <diogo@docker.com> (github: endophage)	2015-11-12 01:07:09 -08:00
David Lawrence	07f0065152	ask for pin when signing Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-11-12 01:06:38 -08:00
Jessica Frazelle	4648666b7c	add pkcs11 build tags Signed-off-by: Jessica Frazelle <acidburn@docker.com> Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Jessica Frazelle <acidburn@docker.com> (github: endophage)	2015-11-12 01:06:26 -08:00
Diogo Monica	21138e6bad	Working version of Notary and Yubikey Signed-off-by: Diogo Monica <diogo@docker.com> Remove symlinks from notary-client repo creation Signed-off-by: Ying Li <ying.li@docker.com> Signed-off-by: Diogo Monica <diogo@docker.com> WIP Signed-off-by: Diogo Monica <diogo@docker.com> working yubikey integration Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage) Fixing small colon bug Signed-off-by: Diogo Monica <diogo@docker.com> Added things. Ship it. Signed-off-by: Diogo Monica <diogo@docker.com> Bringing ecdsahwcryptosigner to 2015 Signed-off-by: Diogo Monica <diogo@docker.com> Working version of notary and yubikey Signed-off-by: Diogo Monica <diogo@docker.com>	2015-11-12 01:06:09 -08:00
David Lawrence	9428beea50	expose cryptoservice in NotarySigner Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-10-30 11:08:35 -07:00
Ying Li	91d54899d7	Add a GetPrivateKey method to cryptoservice so that we can future-proof cryptoservice having multiple keystores Signed-off-by: Ying Li <ying.li@docker.com>	2015-10-29 16:34:40 -07:00
Ying Li	7dc0dbec84	Remove the cryptoservice argument to sign Signed-off-by: Ying Li <ying.li@docker.com>	2015-10-29 16:34:21 -07:00
Ying Li	a3e9558b03	1. Add docstring as to why we are trying a key ID with a GUN and one without - thanks @diogo! 2. Call NotaryRepository.cryptoService.GetKey rather than NotaryRepository.KeyStoreManager.KeyStore.GetKey Signed-off-by: Ying Li <ying.li@docker.com>	2015-10-29 16:13:23 -07:00
Ying Li	b9a4175ea9	Update the client NotaryRepository to initialize with a root key ID Signed-off-by: Ying Li <ying.li@docker.com>	2015-10-29 15:11:15 -07:00
David Lawrence	ca7988d642	fixing lint + vet things Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-10-28 16:20:08 -07:00
David Lawrence	f73560d839	creating concrete types for the various key ciphers Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-10-28 16:02:55 -07:00
David Lawrence	daa36b43b7	Merge pull request #242 from docker/unify-root-nonroot-keystore Unify root nonroot keystore	2015-10-28 13:14:19 -07:00
David Lawrence	2833a88292	adding gotuf to notary Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-10-27 16:36:06 -07:00
Ying Li	566bd3ce67	Combine the nonRootKeyStore with the rootKeyStore, and move the abstracting over the root keys directory from non-root keys directory from keystoremanager to keystore, since we're eliminating keystoremanager. Maintain the two separate directories, though, because one can't tell whether there is an old-style separate-directories structure, or if someone has a GUN that starts with tuf_keys. Signed-off-by: Ying Li <ying.li@docker.com>	2015-10-27 12:33:46 -07:00
Ying Li	402c704798	Remove symlinks from notary-client repo creation Signed-off-by: Ying Li <ying.li@docker.com>	2015-10-21 14:21:10 -07:00
David Lawrence	8a996f417a	updating godeps and notary for some syntax changes in gotuf brought on by golint Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-10-20 23:56:35 -07:00
David Lawrence	e587b0427a	test for key rotation Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-10-09 22:53:57 -07:00
David Lawrence	98cde51f18	working basic key rotation for targets and snapshot key. Command is 'notary key rotate [GUN]' Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-10-09 20:35:06 -07:00
David Lawrence	ac54370fb0	cleanup after discussing with Diogo Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-10-09 19:40:36 -07:00
David Lawrence	009400650e	minor tweaks to key rotation Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-10-09 19:24:08 -07:00
David Lawrence	959d0267ac	command skeletons in place, changelist actions implemented Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-10-09 19:24:08 -07:00
Ryan Cox	7bee606f43	Add support for 'notary status' command to show details about unpublished changes Signed-off-by: Ryan Cox <ryan.a.cox@gmail.com>	2015-10-08 22:07:36 -07:00
Diogo Mónica	33b77ea733	Merge pull request #175 from endophage/get_remote_err check error in initializing remote store	2015-08-10 10:30:08 -07:00
David Lawrence	0ece438313	server side validation during updates Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-08-05 14:00:07 -07:00
David Lawrence	3794dbf28e	check error in initializing remote store Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-31 16:20:17 -07:00
David Lawrence	529230369a	tests for changelist client helpers Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-28 11:29:46 -07:00
David Lawrence	0f322c69a2	fixing remove Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-28 10:21:14 -07:00
David Lawrence	503a1b8a6e	change error log to debug Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-23 14:24:46 -07:00
David Lawrence	6fd60f88d1	add ErrExpired to notary client to translate from gotuf ErrExpired Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-22 18:54:00 -07:00
Diogo Mónica	21a9b99e94	Merge pull request #114 from docker/invalid_password_err better error handling for invalid password	2015-07-22 15:09:53 -07:00
David Lawrence	1fc3257f6e	updating gotuf dep with some better http error handling. Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-22 13:19:52 -07:00
David Lawrence	cfe8255187	better error handling for invalid password Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-22 11:37:54 -07:00
David Lawrence	8b2888d122	latest vendored gotuf Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-21 13:57:21 -07:00
David Lawrence	b44e835275	update default expiry times to those agreed on Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-20 14:59:19 -07:00
Nathan McCauley	ff2e583439	Merge pull request #101 from dmcgowan/passphrase-util Move passphrase logic to its own package	2015-07-20 13:15:20 -07:00
Derek McGowan	c35c1ea254	Move passphrase logic to its own package The logic to retrieve passphrase is generic and may be used by directly by clients. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)	2015-07-20 13:02:05 -07:00
Diogo Mónica	a5df3c00cc	Merge pull request #89 from docker/general_cleanup WIP general cleanup	2015-07-20 12:45:03 -07:00
David Lawrence	7c05c0e334	breaking out role initialization to shorten NotaryRepository.Initialize a bit Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-20 11:47:30 -07:00
David Lawrence	20b60d9cc2	cleaning up cache vs filestore Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-20 11:47:30 -07:00
Nathan McCauley	0642da80f1	review feedback Signed-off-by: Nathan McCauley <nathan.mccauley@docker.com>	2015-07-20 11:00:24 -07:00
Nathan McCauley	f239757dfd	keystore aliasing, take 2 Signed-off-by: Nathan McCauley <nathan.mccauley@docker.com>	2015-07-20 10:58:20 -07:00
Nathan McCauley	23b7e8c6af	Update keyfilestore to use passwordRetriever Signed-off-by: Nathan McCauley <nathan.mccauley@docker.com>	2015-07-20 10:58:16 -07:00
David Lawrence	c9732dd9cb	stop targets dir being created, we don't use it Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-18 22:46:04 -07:00
David Lawrence	54d40f2ae3	updating error messages Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-18 22:25:19 -07:00
David Lawrence	5015b1f47d	fixing timestamps, clearing changelists, and the Adding target byte log Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-18 17:55:13 -07:00
David Lawrence	d453c6548d	client side of multi TUF file atomic update Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-17 17:48:06 -07:00
Aaron Lehmann	36a8f77129	Rename certificate stores to trustedCertificateStore and trustedCAStore Add convenience methods to KeyStoreManager to add certs to both cert stores. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>	2015-07-15 18:10:53 -07:00
Aaron Lehmann	e5a42d4df9	Add ExportKeysByGUN function It exports the keys for a particular GUN to a zip, encrypted with a specified passphrase. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>	2015-07-15 17:14:57 -07:00
Aaron Lehmann	a16581ecc7	Move CryptoService and UnlockedCryptoService into a cryptoservice package Move GenRootKey and GetRootCryptoService to KeyStoreManager, now that they don't depend on client-specific types. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>	2015-07-14 18:39:38 -07:00
Aaron Lehmann	6068f30145	Move caStore and certificateStore into KeyStoreManager Refactor validateRoot into KeyStoreManager. It now takes the DNS name as a parameter. When KeyStoreManager is used with a NotaryRepository, the DNS name should be the GUN of the repository. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>	2015-07-14 18:39:38 -07:00
Aaron Lehmann	d5c7c40955	Introduce a KeyStoreManager to abstract management of root and non-root key storage This structure encapsulates what used to be "rootKeyStore" and "privKeyStore". These are being moved out of NotaryRepository, so that operations like listing keys, importing keys, and exporting keys aren't tied to a NotaryRepository structure. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>	2015-07-14 18:39:38 -07:00
Diogo Monica	ead0224526	Removing commented out code Signed-off-by: Diogo Monica <diogo@docker.com>	2015-07-13 20:32:51 -07:00
Aaron Lehmann	e4704f9729	Update notary for removal of signed.Signer We now deal with CryptoServices directly instead of passing around Signers. UnlockedSigner becomes UnlockedCryptoService because it no longer contains a Signer. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>	2015-07-13 15:18:02 -07:00
Diogo Monica	a139807d89	Fixing lint Signed-off-by: Diogo Monica <diogo@docker.com>	2015-07-13 14:01:26 -07:00
Diogo Monica	765a2cf661	Refactor crypto service Signed-off-by: Diogo Monica <diogo@docker.com>	2015-07-13 13:53:47 -07:00
Diogo Monica	ba94fdd19d	Signature/key types are now used correcty and are represented by constants. Signed-off-by: Diogo Monica <diogo@docker.com>	2015-07-12 22:21:29 -07:00
Diogo Monica	085c613527	Refactored fingerprint cert and added better debugging Signed-off-by: Diogo Monica <diogo@docker.com>	2015-07-12 22:21:29 -07:00
Diogo Monica	39482c2397	Working ECDSA implementation Signed-off-by: Diogo Monica <diogo@docker.com>	2015-07-12 22:21:29 -07:00
Diogo Monica	43d0ec8a75	Initial ECDSA trustmanager methods Signed-off-by: Diogo Monica <diogo@docker.com> Splitting CryptoService into ECDSA and RSA cryptoservices Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> Working ECDSA support Signed-off-by: Diogo Monica <diogo@docker.com>	2015-07-12 22:21:29 -07:00
Derek McGowan	f292b562e2	Use logrus instead of fmt.Println Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)	2015-07-10 17:10:23 -07:00
Aaron Lehmann	f8e087a17a	Unify CryptoService and RootCryptoService Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>	2015-07-10 15:10:44 -07:00
David Lawrence	d1b09962f1	using roundtripper in notary client Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-10 10:02:38 -07:00
Diogo Monica	06a28c89ee	Added root key creation if non-existing to notary Signed-off-by: Diogo Monica <diogo@docker.com>	2015-07-09 18:56:06 -07:00
Diogo Monica	682e7ea00b	Fixing lint Signed-off-by: Diogo Monica <diogo@docker.com>	2015-07-09 17:58:55 -07:00
Aaron Lehmann	082d4f3c7c	Change NotaryRepository to honor the baseURL passed in Remove "transport", because it's not used. In the actual notary client, pass in a hard-coded URL for now (same one previously hardcoded in getRemoteStore). In tests, create a trivial HTTP server using net/http/httptest, which returns a timestamp.key file. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> Signed-off-by: Diogo Monica <diogo@docker.com>	2015-07-09 17:58:33 -07:00
Diogo Monica	8c6de46aca	Added list keys that ignores symlinks	2015-07-09 17:58:10 -07:00
David Lawrence	53ad4a7539	fixing publish Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-09 17:58:10 -07:00
Diogo Monica	4635bed2db	Major refactor of keys Signed-off-by: Diogo Monica <diogo@docker.com>	2015-07-09 17:58:10 -07:00
David Lawrence	73ca456297	annotating Publish and making it accept a password retriever function Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-09 17:58:09 -07:00
David Lawrence	6bff14a679	refactoring NotaryClient out Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-09 17:58:09 -07:00
David Lawrence	ebbb30b56c	hold unlocked signer on repository Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-09 17:58:09 -07:00
David Lawrence	c3e49afe1a	passing cert to initialize Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-09 17:58:09 -07:00
David Lawrence	6982d2f1ae	put rootSigner on repository Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-09 17:58:09 -07:00
David Lawrence	c9ab3394de	further publish updates, it pushes now, but doesn't sign roots correctly Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-09 17:58:09 -07:00
Diogo Monica	f9f11e5781	Starting the key refactor; rename UnlockedRootKey Signed-off-by: Diogo Monica <diogo@docker.com>	2015-07-09 17:58:09 -07:00
Diogo Monica	2f986f1a1b	WIP	2015-07-09 17:58:09 -07:00
Aaron Lehmann	8b1e9e0faf	Fix uninitialized privKeyStore member in NotaryRepository Store a pointer to trustmanager.KeyFileStore in CryptoService, RootCryptoService, NotaryClient, and NotaryRepository, instead of copying the KeyFileStore structure. Populate this pointer when creating a NotaryRepository. Previously, it was left uninitialized.	2015-07-09 17:58:09 -07:00
David Lawrence	12b4b3d80d	working on publish with changelist Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-09 17:58:09 -07:00
David Lawrence	1d163650a3	changelist implementation Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage) Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-09 17:58:09 -07:00
David Lawrence	9d5e988586	working refactor Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-09 17:58:08 -07:00
David Lawrence	21d45a0f8d	IDs for root are now correct Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-09 17:58:08 -07:00
David Lawrence	be6e22c355	fixes for list/lookup Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-07-09 17:58:08 -07:00
Diogo Monica	3891f724bb	Changed root directory	2015-07-09 17:58:08 -07:00
Diogo Monica	e66dc12eca	More refactor	2015-07-09 17:58:08 -07:00
Diogo Monica	93f7d9911f	Implementing ListTargets	2015-07-09 17:58:08 -07:00
Diogo Monica	30c0856266	Remove config from libnotary	2015-07-09 17:58:08 -07:00
Diogo Monica	1346296869	Initial libnotary refactor Signed-off-by: Diogo Monica <diogo@docker.com> Ported more functionality to libnotary	2015-07-09 17:57:48 -07:00

1 2 3 4

200 Commits