From 8ceb9d20d66097b90ca3a529da258669ef6b8412 Mon Sep 17 00:00:00 2001
From: Derek McGowan
Date: Wed, 7 Jan 2015 14:59:12 -0800
Subject: [PATCH] Update push to sign with the daemon's key when no manifest is given

Signed-off-by: Derek McGowan (github: dmcgowan)
---
 daemon/daemon.go | 12 ++++++------
 graph/push.go | 22 +++++++++++++++++++++-
 graph/tags.go | 5 ++++-
 graph/tags_unit_test.go | 2 +-
 4 files changed, 32 insertions(+), 9 deletions(-)

diff --git a/daemon/daemon.go b/daemon/daemon.go
index 9f5df4c3c5..8a5db74a33 100644
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@@ -895,8 +895,13 @@ func NewDaemonFromDirectory(config *Config, eng *engine.Engine) (*Daemon, error)
 		return nil, err
 	}
 
+	trustKey, err := api.LoadOrCreateTrustKey(config.TrustKeyPath)
+	if err != nil {
+		return nil, err
+	}
+
 	log.Debugf("Creating repository list")
-	repositories, err := graph.NewTagStore(path.Join(config.Root, "repositories-"+driver.String()), g)
+	repositories, err := graph.NewTagStore(path.Join(config.Root, "repositories-"+driver.String()), g, trustKey)
 	if err != nil {
 		return nil, fmt.Errorf("Couldn't create Tag store: %s", err)
 	}
@@ -961,11 +966,6 @@ func NewDaemonFromDirectory(config *Config, eng *engine.Engine) (*Daemon, error)
 		return nil, err
 	}
 
-	trustKey, err := api.LoadOrCreateTrustKey(config.TrustKeyPath)
-	if err != nil {
-		return nil, err
-	}
-
 	daemon := &Daemon{
 		ID: trustKey.PublicKey().KeyID(),
 		repository: daemonRepo,
diff --git a/graph/push.go b/graph/push.go
index 8d51e28798..4d6b1e0838 100644
--- a/graph/push.go
+++ b/graph/push.go
@@ -16,6 +16,7 @@ import (
 	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/registry"
 	"github.com/docker/docker/utils"
+	"github.com/docker/libtrust"
 )
 
 // Retrieve the all the images to be uploaded in the correct order
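Review bot: The error from api.LoadOrCreateTrustKey in the @@ -895 hunk of daemon/daemon.go is returned bare, while the NewTagStore failure a few lines below is wrapped with context; the key path comes from configuration, so a bare error gives the operator no hint which file could not be read or created, unless that helper already embeds the path in its message. Consider `return nil, fmt.Errorf("Couldn't load or create trust key at %s: %s", config.TrustKeyPath, err)` (fmt is already used in this hunk). Moving the key load ahead of the tag store is otherwise sound, since the key is now needed by both the store and the later Daemon literal. NewDaemonFromDirectory starts before and continues after the hunk.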
@@ -308,7 +309,26 @@ func (s *TagStore) CmdPush(job *engine.Job) engine.Status {
 	}
 
 	if len(manifestBytes) == 0 {
-		// TODO Create manifest and sign
+		mBytes, err := s.newManifest(repoInfo.LocalName, repoInfo.RemoteName, tag)
+		if err != nil {
+			return job.Error(err)
+		}
+		js, err := libtrust.NewJSONSignature(mBytes)
+		if err != nil {
+			return job.Error(err)
+		}
+
+		if err = js.Sign(s.trustKey); err != nil {
+			return job.Error(err)
+		}
+
+		signedBody, err := js.PrettySignature("signatures")
+		if err != nil {
+			return job.Error(err)
+		}
+		log.Infof("Signed manifest using daemon's key: %s", s.trustKey.KeyID())
+
+		manifestBytes = string(signedBody)
 	}
 
 	manifest, verified, err := s.verifyManifest(job.Eng, []byte(manifestBytes))
diff --git a/graph/tags.go b/graph/tags.go
index 998b447e6c..6bdb296cd1 100644
--- a/graph/tags.go
+++ b/graph/tags.go
@@ -15,6 +15,7 @@ import (
 	"github.com/docker/docker/pkg/parsers"
 	"github.com/docker/docker/registry"
 	"github.com/docker/docker/utils"
+	"github.com/docker/libtrust"
 )
 
 const DEFAULTTAG = "latest"
@@ -27,6 +28,7 @@ type TagStore struct {
 	path string
 	graph *Graph
 	Repositories map[string]Repository
+	trustKey libtrust.PrivateKey
 	sync.Mutex
 	// FIXME: move push/pull-related fields
 	// to a helper type
@@ -54,7 +56,7 @@ func (r Repository) Contains(u Repository) bool {
 	return true
 }
 
-func NewTagStore(path string, graph *Graph) (*TagStore, error) {
+func NewTagStore(path string, graph *Graph, key libtrust.PrivateKey) (*TagStore, error) {
 	abspath, err := filepath.Abs(path)
 	if err != nil {
 		return nil, err
@@ -63,6 +65,7 @@ func NewTagStore(path string, graph *Graph) (*TagStore, error) {
 	store := &TagStore{
 		path: abspath,
 		graph: graph,
+		trustKey: key,
 		Repositories: make(map[string]Repository),
 		pullingPool: make(map[string]chan struct{}),
 		pushingPool: make(map[string]chan struct{}),
diff --git a/graph/tags_unit_test.go b/graph/tags_unit_test.go
index 45dad62951..58ad8ed878 100644
--- a/graph/tags_unit_test.go
+++ b/graph/tags_unit_test.go
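Review bot: js.Sign(s.trustKey) in the CmdPush hunk of graph/push.go is reached without checking that the store actually holds a key, and NewTagStore stores whatever it is given — the updated tags_unit_test.go passes nil — so a push with no client-supplied manifest on such a store hands a nil PrivateKey straight to libtrust, where a panic or an opaque error is likelier than a useful message, and s.trustKey.KeyID() on the log line would also dereference it. Guard before building the signature: `if s.trustKey == nil { return job.Errorf("no trust key configured, cannot sign manifest for %s", repoInfo.LocalName) }`. The Infof line that records the signing key's ID is worth keeping as-is: it logs only the public key identifier and gives operators an audit trail of manifests signed by the daemon rather than supplied by the client. A minor point of style is the round trip `manifestBytes = string(signedBody)` followed immediately by `[]byte(manifestBytes)` on the next line, which copies twice for nothing. CmdPush starts and ends outside this hunk.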
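Review bot: The new trustKey field (the @@ -27 hunk of graph/tags.go) and the key parameter of NewTagStore (the @@ -54 and @@ -63 hunks) are undocumented, and the constructor accepts nil without comment, so a reader cannot tell from tags.go whether a nil key is a supported configuration or a latent failure in push. Add a doc comment above NewTagStore such as `// NewTagStore opens the tag store rooted at path. key is the daemon's libtrust private key, used by CmdPush to sign manifests generated when the client supplies none; CmdPush signs with it unconditionally, so only tests that never push should pass nil.` and a field comment `// trustKey signs daemon-generated manifests on push; see CmdPush.` Whether the constructor should reject nil outright depends on how the test fixture is used, which is not visible here.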
@@ -57,7 +57,7 @@ func mkTestTagStore(root string, t *testing.T) *TagStore {
 	if err != nil {
 		t.Fatal(err)
 	}
-	store, err := NewTagStore(path.Join(root, "tags"), graph)
+	store, err := NewTagStore(path.Join(root, "tags"), graph, nil)
 	if err != nil {
 		t.Fatal(err)
 	}