
Update push to sign with the daemon's key when no manifest is given

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Derek McGowan 10 tahun lalu
8ceb9d20d6
4 mengubah file dengan 32 tambahan dan 9 penghapusan
  1. 6 6
      daemon/daemon.go
  2. 21 1
      graph/push.go
  3. 4 1
      graph/tags.go
  4. 1 1
      graph/tags_unit_test.go

+ 6 - 6
daemon/daemon.go

@@ -895,8 +895,13 @@ func NewDaemonFromDirectory(config *Config, eng *engine.Engine) (*Daemon, error)
 		return nil, err
 	}
 
+	trustKey, err := api.LoadOrCreateTrustKey(config.TrustKeyPath)
+	if err != nil {
+		return nil, err
+	}
+
 	log.Debugf("Creating repository list")
-	repositories, err := graph.NewTagStore(path.Join(config.Root, "repositories-"+driver.String()), g)
+	repositories, err := graph.NewTagStore(path.Join(config.Root, "repositories-"+driver.String()), g, trustKey)
 	if err != nil {
 		return nil, fmt.Errorf("Couldn't create Tag store: %s", err)
 	}
@@ -961,11 +966,6 @@ func NewDaemonFromDirectory(config *Config, eng *engine.Engine) (*Daemon, error)
 		return nil, err
 	}
 
-	trustKey, err := api.LoadOrCreateTrustKey(config.TrustKeyPath)
-	if err != nil {
-		return nil, err
-	}
-
 	daemon := &Daemon{
 		ID:             trustKey.PublicKey().KeyID(),
 		repository:     daemonRepo,

+ 21 - 1
graph/push.go

@@ -16,6 +16,7 @@ import (
 	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/registry"
 	"github.com/docker/docker/utils"
+	"github.com/docker/libtrust"
 )
 
 // Retrieve the all the images to be uploaded in the correct order
@@ -308,7 +309,26 @@ func (s *TagStore) CmdPush(job *engine.Job) engine.Status {
 		}
 
 		if len(manifestBytes) == 0 {
-			// TODO Create manifest and sign
+			mBytes, err := s.newManifest(repoInfo.LocalName, repoInfo.RemoteName, tag)
+			if err != nil {
+				return job.Error(err)
+			}
+			js, err := libtrust.NewJSONSignature(mBytes)
+			if err != nil {
+				return job.Error(err)
+			}
+
+			if err = js.Sign(s.trustKey); err != nil {
+				return job.Error(err)
+			}
+
+			signedBody, err := js.PrettySignature("signatures")
+			if err != nil {
+				return job.Error(err)
+			}
+			log.Infof("Signed manifest using daemon's key: %s", s.trustKey.KeyID())
+
+			manifestBytes = string(signedBody)
 		}
 
 		manifest, verified, err := s.verifyManifest(job.Eng, []byte(manifestBytes))
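Review bot: The new signing branch dereferences `s.trustKey` without checking it, and `NewTagStore` accepts a nil key (the unit test in this same commit passes `nil`); both `js.Sign(s.trustKey)` and the `s.trustKey.KeyID()` call in the log line would panic on a nil interface rather than return a job error. A guard at the top of the branch, `if s.trustKey == nil { return job.Errorf("no trust key available to sign generated manifest") }`, turns that into a reportable failure. It would also help to note in a comment that this path produces a manifest signed by the daemon's own key, which is what `verifyManifest` on the next line then checks, so a reader sees the verified flag is expected to reflect the daemon key rather than a user-supplied one. CmdPush starts and ends outside this hunk.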

+ 4 - 1
graph/tags.go

@@ -15,6 +15,7 @@ import (
 	"github.com/docker/docker/pkg/parsers"
 	"github.com/docker/docker/registry"
 	"github.com/docker/docker/utils"
+	"github.com/docker/libtrust"
 )
 
 const DEFAULTTAG = "latest"
@@ -27,6 +28,7 @@ type TagStore struct {
 	path         string
 	graph        *Graph
 	Repositories map[string]Repository
+	trustKey     libtrust.PrivateKey
 	sync.Mutex
 	// FIXME: move push/pull-related fields
 	// to a helper type
@@ -54,7 +56,7 @@ func (r Repository) Contains(u Repository) bool {
 	return true
 }
 
-func NewTagStore(path string, graph *Graph) (*TagStore, error) {
+func NewTagStore(path string, graph *Graph, key libtrust.PrivateKey) (*TagStore, error) {
 	abspath, err := filepath.Abs(path)
 	if err != nil {
 		return nil, err
@@ -63,6 +65,7 @@ func NewTagStore(path string, graph *Graph) (*TagStore, error) {
 	store := &TagStore{
 		path:         abspath,
 		graph:        graph,
+		trustKey:     key,
 		Repositories: make(map[string]Repository),
 		pullingPool:  make(map[string]chan struct{}),
 		pushingPool:  make(map[string]chan struct{}),
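Review bot: `NewTagStore` gains an exported signature change with no doc comment, and nothing states whether `key` may be nil, while the updated unit test passes nil and the push path signs with it. A comment on the constructor would pin that contract: `// NewTagStore creates a TagStore rooted at path. key is the daemon's private key used to sign manifests generated during push; callers must supply a non-nil key before pushing.` The `trustKey` field in the struct hunk deserves a one-line note as well, e.g. `// trustKey signs manifests generated on push when the client supplies none.` The body of NewTagStore continues outside this hunk.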

+ 1 - 1
graph/tags_unit_test.go

@@ -57,7 +57,7 @@ func mkTestTagStore(root string, t *testing.T) *TagStore {
 	if err != nil {
 		t.Fatal(err)
 	}
-	store, err := NewTagStore(path.Join(root, "tags"), graph)
+	store, err := NewTagStore(path.Join(root, "tags"), graph, nil)
 	if err != nil {
 		t.Fatal(err)
 	}