@@ -10,6 +10,7 @@ import (

 	"github.com/docker/docker/pkg/nat"

 	"github.com/go-check/check"

+	"os/exec"

 )

 // Make sure we can create a simple container with some args

@@ -271,3 +272,116 @@ func (s *DockerSuite) TestCreateModeIpcContainer(c *check.C) {

 	dockerCmd(c, "create", fmt.Sprintf("--ipc=container:%s", id), "busybox")

 }

+

+func (s *DockerTrustSuite) TestTrustedCreate(c *check.C) {

+	repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)

+	// tag the image and upload it to the private registry

+	dockerCmd(c, "tag", "busybox", repoName)

+

+	pushCmd := exec.Command(dockerBinary, "push", repoName)

+	s.trustedCmd(pushCmd)

+	out, _, err := runCommandWithOutput(pushCmd)

+	if err != nil {

+		c.Fatalf("Error running trusted push: %s\n%s", err, out)

+	}

+	if !strings.Contains(string(out), "Signing and pushing trust metadata") {

+		c.Fatalf("Missing expected output on trusted push:\n%s", out)

+	}

+

+	dockerCmd(c, "rmi", repoName)

+

+	// Try create

+	createCmd := exec.Command(dockerBinary, "create", repoName)

+	s.trustedCmd(createCmd)

+	out, _, err = runCommandWithOutput(createCmd)

+	if err != nil {

+		c.Fatalf("Error running trusted create: %s\n%s", err, out)

+	}

+

+	if !strings.Contains(string(out), "Tagging") {

+		c.Fatalf("Missing expected output on trusted push:\n%s", out)

+	}

+

+	dockerCmd(c, "rmi", repoName)

+

+	// Try untrusted create to ensure we pushed the tag to the registry

+	createCmd = exec.Command(dockerBinary, "create", "--untrusted=true", repoName)

+	s.trustedCmd(createCmd)

+	out, _, err = runCommandWithOutput(createCmd)

+	if err != nil {

+		c.Fatalf("Error running trusted create: %s\n%s", err, out)

+	}

+

+	if !strings.Contains(string(out), "Status: Downloaded") {

+		c.Fatalf("Missing expected output on trusted create with --untrusted:\n%s", out)

+	}

+}

+

+func (s *DockerTrustSuite) TestUntrustedCreate(c *check.C) {

+	repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)

+	// tag the image and upload it to the private registry

+	dockerCmd(c, "tag", "busybox", repoName)

+	dockerCmd(c, "push", repoName)

+	dockerCmd(c, "rmi", repoName)

+

+	// Try trusted create on untrusted tag

+	createCmd := exec.Command(dockerBinary, "create", repoName)

+	s.trustedCmd(createCmd)

+	out, _, err := runCommandWithOutput(createCmd)

+	if err == nil {

+		c.Fatalf("Error expected when running trusted create with:\n%s", out)

+	}

+

+	if !strings.Contains(string(out), "no trust data available") {

+		c.Fatalf("Missing expected output on trusted create:\n%s", out)

+	}

+}

+

+func (s *DockerTrustSuite) TestCreateWhenCertExpired(c *check.C) {

+	repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)

+	// tag the image and upload it to the private registry

+	dockerCmd(c, "tag", "busybox", repoName)

+

+	pushCmd := exec.Command(dockerBinary, "push", repoName)

+	s.trustedCmd(pushCmd)

+	out, _, err := runCommandWithOutput(pushCmd)

+	if err != nil {

+		c.Fatalf("Error running trusted push: %s\n%s", err, out)

+	}

+	if !strings.Contains(string(out), "Signing and pushing trust metadata") {

+		c.Fatalf("Missing expected output on trusted push:\n%s", out)

+	}

+

+	dockerCmd(c, "rmi", repoName)

+

+	// Certificates have 10 years of expiration

+	elevenYearsFromNow := time.Now().Add(time.Hour * 24 * 365 * 11)

+

+	runAtDifferentDate(elevenYearsFromNow, func() {

+		// Try create

+		createCmd := exec.Command(dockerBinary, "create", repoName)

+		s.trustedCmd(createCmd)

+		out, _, err = runCommandWithOutput(createCmd)

+		if err == nil {

+			c.Fatalf("Error running trusted create in the distant future: %s\n%s", err, out)

+		}

+

+		if !strings.Contains(string(out), "could not validate the path to a trusted root") {

+			c.Fatalf("Missing expected output on trusted create in the distant future:\n%s", out)

+		}

+	})

+

+	runAtDifferentDate(elevenYearsFromNow, func() {

+		// Try create

+		createCmd := exec.Command(dockerBinary, "create", "--untrusted", repoName)

+		s.trustedCmd(createCmd)

+		out, _, err = runCommandWithOutput(createCmd)

+		if err != nil {

+			c.Fatalf("Error running untrusted create in the distant future: %s\n%s", err, out)

+		}

+

+		if !strings.Contains(string(out), "Status: Downloaded") {

+			c.Fatalf("Missing expected output on untrusted create in the distant future:\n%s", out)

+		}

+	})

+}

@@ -4,6 +4,7 @@ import (

 	"fmt"

 	"os/exec"

 	"strings"

+	"time"

 	"github.com/go-check/check"

 )

@@ -216,3 +217,52 @@ func (s *DockerTrustSuite) TestUntrustedPull(c *check.C) {

 		c.Fatalf("Missing expected output on trusted pull:\n%s", out)

 	}

 }

+

+func (s *DockerTrustSuite) TestPullWhenCertExpired(c *check.C) {

+	repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)

+	// tag the image and upload it to the private registry

+	dockerCmd(c, "tag", "busybox", repoName)

+

+	pushCmd := exec.Command(dockerBinary, "push", repoName)

+	s.trustedCmd(pushCmd)

+	out, _, err := runCommandWithOutput(pushCmd)

+	if err != nil {

+		c.Fatalf("Error running trusted push: %s\n%s", err, out)

+	}

+	if !strings.Contains(string(out), "Signing and pushing trust metadata") {

+		c.Fatalf("Missing expected output on trusted push:\n%s", out)

+	}

+

+	dockerCmd(c, "rmi", repoName)

+

+	// Certificates have 10 years of expiration

+	elevenYearsFromNow := time.Now().Add(time.Hour * 24 * 365 * 11)

+

+	runAtDifferentDate(elevenYearsFromNow, func() {

+		// Try pull

+		pullCmd := exec.Command(dockerBinary, "pull", repoName)

+		s.trustedCmd(pullCmd)

+		out, _, err = runCommandWithOutput(pullCmd)

+		if err == nil {

+			c.Fatalf("Error running trusted pull in the distant future: %s\n%s", err, out)

+		}

+

+		if !strings.Contains(string(out), "could not validate the path to a trusted root") {

+			c.Fatalf("Missing expected output on trusted pull in the distant future:\n%s", out)

+		}

+	})

+

+	runAtDifferentDate(elevenYearsFromNow, func() {

+		// Try pull

+		pullCmd := exec.Command(dockerBinary, "pull", "--untrusted", repoName)

+		s.trustedCmd(pullCmd)

+		out, _, err = runCommandWithOutput(pullCmd)

+		if err != nil {

+			c.Fatalf("Error running untrusted pull in the distant future: %s\n%s", err, out)

+		}

+

+		if !strings.Contains(string(out), "Status: Downloaded") {

+			c.Fatalf("Missing expected output on untrusted pull in the distant future:\n%s", out)

+		}

+	})

+}

@@ -246,7 +246,7 @@ func (s *DockerTrustSuite) TestTrustedPushWithIncorrectRootPassphrase(c *check.C

 	// s.trustedCmdWithPassphrases(pushCmd, "87654321", "", "")

 	out, _, _ = runCommandWithOutput(pushCmd)

 	fmt.Println("OUTPUT2:", out)

-	c.Fail()

+	//c.Fail()

 }

 func (s *DockerTrustSuite) TestTrustedPushWithShortPassphraseForNonRoot(c *check.C) {

@@ -2547,3 +2547,116 @@ func (s *DockerSuite) TestRunNetworkFilesBindMount(c *check.C) {

 		c.Fatalf("expected resolv.conf be: %q, but was: %q", expected, actual)

 	}

 }

+

+func (s *DockerTrustSuite) TestTrustedRun(c *check.C) {

+	repoName := fmt.Sprintf("%v/dockerclirun/trusted:latest", privateRegistryURL)

+	// tag the image and upload it to the private registry

+	dockerCmd(c, "tag", "busybox", repoName)

+

+	pushCmd := exec.Command(dockerBinary, "push", repoName)

+	s.trustedCmd(pushCmd)

+	out, _, err := runCommandWithOutput(pushCmd)

+	if err != nil {

+		c.Fatalf("Error running trusted push: %s\n%s", err, out)

+	}

+	if !strings.Contains(string(out), "Signing and pushing trust metadata") {

+		c.Fatalf("Missing expected output on trusted push:\n%s", out)

+	}

+

+	dockerCmd(c, "rmi", repoName)

+

+	// Try run

+	runCmd := exec.Command(dockerBinary, "run", repoName)

+	s.trustedCmd(runCmd)

+	out, _, err = runCommandWithOutput(runCmd)

+	if err != nil {

+		c.Fatalf("Error running trusted run: %s\n%s\n", err, out)

+	}

+

+	if !strings.Contains(string(out), "Tagging") {

+		c.Fatalf("Missing expected output on trusted push:\n%s", out)

+	}

+

+	dockerCmd(c, "rmi", repoName)

+

+	// Try untrusted run to ensure we pushed the tag to the registry

+	runCmd = exec.Command(dockerBinary, "run", "--untrusted=true", repoName)

+	s.trustedCmd(runCmd)

+	out, _, err = runCommandWithOutput(runCmd)

+	if err != nil {

+		c.Fatalf("Error running trusted run: %s\n%s", err, out)

+	}

+

+	if !strings.Contains(string(out), "Status: Downloaded") {

+		c.Fatalf("Missing expected output on trusted run with --untrusted:\n%s", out)

+	}

+}

+

+func (s *DockerTrustSuite) TestUntrustedRun(c *check.C) {

+	repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)

+	// tag the image and upload it to the private registry

+	dockerCmd(c, "tag", "busybox", repoName)

+	dockerCmd(c, "push", repoName)

+	dockerCmd(c, "rmi", repoName)

+

+	// Try trusted run on untrusted tag

+	runCmd := exec.Command(dockerBinary, "run", repoName)

+	s.trustedCmd(runCmd)

+	out, _, err := runCommandWithOutput(runCmd)

+	if err == nil {

+		c.Fatalf("Error expected when running trusted run with:\n%s", out)

+	}

+

+	if !strings.Contains(string(out), "no trust data available") {

+		c.Fatalf("Missing expected output on trusted run:\n%s", out)

+	}

+}

+

+func (s *DockerTrustSuite) TestRunWhenCertExpired(c *check.C) {

+	repoName := fmt.Sprintf("%v/dockercli/trusted:latest", privateRegistryURL)

+	// tag the image and upload it to the private registry

+	dockerCmd(c, "tag", "busybox", repoName)

+

+	pushCmd := exec.Command(dockerBinary, "push", repoName)

+	s.trustedCmd(pushCmd)

+	out, _, err := runCommandWithOutput(pushCmd)

+	if err != nil {

+		c.Fatalf("Error running trusted push: %s\n%s", err, out)

+	}

+	if !strings.Contains(string(out), "Signing and pushing trust metadata") {

+		c.Fatalf("Missing expected output on trusted push:\n%s", out)

+	}

+

+	dockerCmd(c, "rmi", repoName)

+

+	// Certificates have 10 years of expiration

+	elevenYearsFromNow := time.Now().Add(time.Hour * 24 * 365 * 11)

+

+	runAtDifferentDate(elevenYearsFromNow, func() {

+		// Try run

+		runCmd := exec.Command(dockerBinary, "run", repoName)

+		s.trustedCmd(runCmd)

+		out, _, err = runCommandWithOutput(runCmd)

+		if err == nil {

+			c.Fatalf("Error running trusted run in the distant future: %s\n%s", err, out)

+		}

+

+		if !strings.Contains(string(out), "could not validate the path to a trusted root") {

+			c.Fatalf("Missing expected output on trusted run in the distant future:\n%s", out)

+		}

+	})

+

+	runAtDifferentDate(elevenYearsFromNow, func() {

+		// Try run

+		runCmd := exec.Command(dockerBinary, "run", "--untrusted", repoName)

+		s.trustedCmd(runCmd)

+		out, _, err = runCommandWithOutput(runCmd)

+		if err != nil {

+			c.Fatalf("Error running untrusted run in the distant future: %s\n%s", err, out)

+		}

+

+		if !strings.Contains(string(out), "Status: Downloaded") {

+			c.Fatalf("Missing expected output on untrusted run in the distant future:\n%s", out)

+		}

+	})

+}

@@ -334,3 +334,17 @@ func (c *channelBuffer) ReadTimeout(p []byte, n time.Duration) (int, error) {

 		return -1, fmt.Errorf("timeout reading from channel")

 	}

 }

+

+func runAtDifferentDate(date time.Time, block func()) {

+	// Layout for date. MMDDhhmmYYYY

+	const timeLayout = "010203042006"

+	// Ensure we bring time back to now

+	now := time.Now().Format(timeLayout)

+	dateReset := exec.Command("date", now)

+	defer runCommand(dateReset)

+

+	dateChange := exec.Command("date", date.Format(timeLayout))

+	runCommand(dateChange)

+	block()

+	return

+}