- can never set an invalid repo, so we can remove the failed builder state
- once a builder is "finished", it's swapped out with one that has no state and cannot be modified
- add builder tests for the negative path cases where builder should error
- fix bug with GenerateSnapshot where we didn't check for a targets to be loaded when generating for the first time
This also adds some negative path tests (cases in which the builder errors due to invalid input or things not being loaded)

Signed-off-by: Ying Li <ying.li@docker.com>

cached version numbers to check downloaded version numbers of cached data
validates against the old builder.
This also removes the `GetRepo` function of the builder and adds some data
accessors instead that are necessary to do a consistent download and check
versions, that way the downloader doesn't need to fish around in the repo
itself for data in order to figure out what to download.

Signed-off-by: Ying Li <ying.li@docker.com>

This means that the server cannot accept any roots not signed by an
x509 key whose GUN doesn't match the GUN being updated.

Signed-off-by: Ying Li <ying.li@docker.com>

Delete the remaining TUF client download tests because they are already covered by
the client update tests.

Signed-off-by: Ying Li <ying.li@docker.com>

Also add a few tuf/client/client_test tests back that check for download failure
if the local timestamp or snapshot is missing in the local TUF repo.

Signed-off-by: Ying Li <ying.li@docker.com>

already have an ErrMismatchedChecksum in tuf/data/errors.
Also, have the CheckHashes function take a role name so that the
ErrMismatchedChecksum error can include the role name.

Signed-off-by: Ying Li <ying.li@docker.com>

signed.VerifySignatures. So remove signed.VerifyRoot and just use signed.VerifySignatures
instead. Also, to fix some tests, add an additional check for version when validating
metadata since versions can't be negative.

Signed-off-by: Ying Li <ying.li@docker.com>

NotaryRepository can now list root certificates, and
generate new versions (as changelists to be applied
on Publish).
This is a pretty mechanical encapsulation of the
root certificate rotation support in Repo.AddBaseKeys
and Repo.RemoveBaseKeys. The only slightly interesting
part is ListRootCert, which requires on-line access
to ensure fresh data, and depends on CertStore doing
some verification for us.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

Tell signed.Sign how many signatures are necessary to sign a role, and
have it fail if it cannot create that many.
For most uses this does not make much of a difference because the
threshold tends to be 1 and signed.Sign was already failing if no key
could be found or if no signature could be created; only >1-threshold
roles now (correctly) fail in additional situations. But the knowledge
of a role’s threshold will be useful in a future commit.
Always use ErrInsufficientSignatures for this failure, whether this is
when loading the keys or actually using them (also fixing
ErrInsufficentSignature documentation to refer to signing and not
verification). ErrNoKeys is no longer returned by signed.Sign.
So, adjust the “snapshot key is not available” logic in
NotaryRepository.Publish accordingly, which also makes it more precise
(actually triggering only when no snapshot key is available).
Now that a role's threshold is enforced when signing, update
TestValidateRootInvalidTimestampThreshold to create the second key
necessary to correctly sign the timestamp role.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

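The threshold-aware signing behaviour described in the commit message above, as an added example that is not Notary's code or part of the commit. The names `signRole`, `newKey` and `errInsufficientSignatures`, the use of Ed25519, and the sample payload are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// errInsufficientSignatures is a hypothetical stand-in for the error the
// commit message names; it is not Notary's type.
var errInsufficientSignatures = errors.New("insufficient signatures")

// signRole signs payload with every usable private key and fails unless at
// least minSignatures signatures were produced. A nil key models a role key
// whose private half is not available to this signer.
func signRole(payload []byte, keys []ed25519.PrivateKey, minSignatures int) ([][]byte, error) {
	if minSignatures < 1 {
		return nil, errors.New("threshold must be at least 1")
	}
	var sigs [][]byte
	for _, k := range keys {
		if len(k) != ed25519.PrivateKeySize {
			continue // key unavailable or malformed: skip it, do not count it
		}
		sigs = append(sigs, ed25519.Sign(k, payload))
	}
	if len(sigs) < minSignatures {
		return nil, fmt.Errorf("%w: have %d, need %d", errInsufficientSignatures, len(sigs), minSignatures)
	}
	return sigs, nil
}

// newKey derives a key from a constructed, fixed seed byte (sample data only).
func newKey(seed byte) ed25519.PrivateKey {
	s := make([]byte, ed25519.SeedSize)
	s[0] = seed
	return ed25519.NewKeyFromSeed(s)
}

func main() {
	payload := []byte(`{"_type":"Timestamp","version":1}`) // constructed sample
	keys := []ed25519.PrivateKey{newKey(1), nil}           // second key unavailable
	// Threshold 1 with one available key succeeds, as it did before.
	_, err := signRole(payload, keys, 1)
	fmt.Println("threshold 1:", err)
	// Threshold 2 with one available key fails at signing time instead of
	// emitting metadata that cannot meet the role's threshold.
	_, err = signRole(payload, keys, 2)
	fmt.Println("threshold 2:", err)
}
```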
ignores buildtags, for instance, and somehow didn't pick up some code in
the signer.
This calls golint on every go file in the repo and also fixes some linting
issues, which involves renaming two yubikey functions to avoid stuttering.

Signed-off-by: Ying Li <ying.li@docker.com>