@@ -168,7 +168,7 @@ RUN set -x \

 	&& rm -rf "$GOPATH"

 # Install notary server

-ENV NOTARY_VERSION docker-v1.10-2

+ENV NOTARY_VERSION docker-v1.10-3

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \

@@ -284,13 +284,15 @@ func notaryError(repoName string, err error) error {

 	case signed.ErrInvalidKeyType:

 		return fmt.Errorf("Warning: potential malicious behavior - trust data mismatch for remote repository %s: %v", repoName, err)

 	case signed.ErrNoKeys:

-		return fmt.Errorf("Error: could not find signing keys for remote repository %s: %v", repoName, err)

+		return fmt.Errorf("Error: could not find signing keys for remote repository %s, or could not decrypt signing key: %v", repoName, err)

 	case signed.ErrLowVersion:

 		return fmt.Errorf("Warning: potential malicious behavior - trust data version is lower than expected for remote repository %s: %v", repoName, err)

-	case signed.ErrInsufficientSignatures:

+	case signed.ErrRoleThreshold:

 		return fmt.Errorf("Warning: potential malicious behavior - trust data has insufficient signatures for remote repository %s: %v", repoName, err)

 	case client.ErrRepositoryNotExist:

-		return fmt.Errorf("Error: remote trust data repository not initialized for %s: %v", repoName, err)

+		return fmt.Errorf("Error: remote trust data does not exist for %s: %v", repoName, err)

+	case signed.ErrInsufficientSignatures:

+		return fmt.Errorf("Error: could not produce valid signature for %s.  If Yubikey was used, was touch input provided?: %v", repoName, err)

 	}

 	return err

@@ -50,7 +50,7 @@ clone git github.com/docker/distribution cb08de17d74bef86ce6c5abe8b240e282f5750b

 clone git github.com/vbatts/tar-split v0.9.11

 # get desired notary commit, might also need to be updated in Dockerfile

-clone git github.com/docker/notary docker-v1.10-2

+clone git github.com/docker/notary docker-v1.10-3

 clone git google.golang.org/grpc 174192fc93efcb188fc8f46ca447f0da606b6885 https://github.com/grpc/grpc-go.git

 clone git github.com/miekg/pkcs11 80f102b5cac759de406949c47f0928b99bd64cdf

@@ -312,7 +312,7 @@ func (s *DockerTrustSuite) TestUntrustedCreate(c *check.C) {

 	s.trustedCmd(createCmd)

 	out, _, err := runCommandWithOutput(createCmd)

 	c.Assert(err, check.Not(check.IsNil))

-	c.Assert(string(out), checker.Contains, "does not have trust data for", check.Commentf("Missing expected output on trusted create:\n%s", out))

+	c.Assert(string(out), checker.Contains, "trust data unavailable.  Has a notary repository been initialized?", check.Commentf("Missing expected output on trusted create:\n%s", out))

 }

@@ -402,7 +402,7 @@ func (s *DockerTrustSuite) TestTrustedCreateFromBadTrustServer(c *check.C) {

 	s.trustedCmd(createCmd)

 	out, _, err = runCommandWithOutput(createCmd)

 	c.Assert(err, check.Not(check.IsNil))

-	c.Assert(string(out), checker.Contains, "failed to validate data with current trusted certificates", check.Commentf("Missing expected output on trusted push:\n%s", out))

+	c.Assert(string(out), checker.Contains, "valid signatures did not meet threshold", check.Commentf("Missing expected output on trusted push:\n%s", out))

 }

@@ -59,7 +59,7 @@ func (s *DockerTrustSuite) TestUntrustedPull(c *check.C) {

 	out, _, err := runCommandWithOutput(pullCmd)

 	c.Assert(err, check.NotNil, check.Commentf(out))

-	c.Assert(string(out), checker.Contains, "Error: remote trust data repository not initialized", check.Commentf(out))

+	c.Assert(string(out), checker.Contains, "Error: remote trust data does not exist", check.Commentf(out))

 }

 func (s *DockerTrustSuite) TestPullWhenCertExpired(c *check.C) {

@@ -141,7 +141,7 @@ func (s *DockerTrustSuite) TestTrustedPullFromBadTrustServer(c *check.C) {

 	out, _, err = runCommandWithOutput(pullCmd)

 	c.Assert(err, check.NotNil, check.Commentf(out))

-	c.Assert(string(out), checker.Contains, "failed to validate data with current trusted certificates", check.Commentf(out))

+	c.Assert(string(out), checker.Contains, "valid signatures did not meet threshold", check.Commentf(out))

 }

 func (s *DockerTrustSuite) TestTrustedPullWithExpiredSnapshot(c *check.C) {

@@ -3303,7 +3303,7 @@ func (s *DockerTrustSuite) TestTrustedRunFromBadTrustServer(c *check.C) {

 		c.Fatalf("Expected to fail on this run due to different remote data: %s\n%s", err, out)

 	}

-	if !strings.Contains(string(out), "failed to validate data with current trusted certificates") {

+	if !strings.Contains(string(out), "valid signatures did not meet threshold") {

 		c.Fatalf("Missing expected output on trusted push:\n%s", out)

 	}

 }

@@ -19,7 +19,6 @@ Then please do not report your issue here - you should instead report it to [htt

 Then please do not open an issue here yet - you should first try one of the following support forums:

  - irc: #docker-trust on freenode

- - mailing-list: <trust@dockerproject.org> or https://groups.google.com/a/dockerproject.org/forum/#!forum/trust

 ## Reporting an issue properly

deleted file mode 100644

@@ -1,23 +0,0 @@

-FROM golang:1.5.1

-

-RUN apt-get update && apt-get install -y \

-    libltdl-dev \

-    --no-install-recommends \

-    && rm -rf /var/lib/apt/lists/*

-

-EXPOSE 4443

-

-ENV NOTARYPKG github.com/docker/notary

-ENV GOPATH /go/src/${NOTARYPKG}/Godeps/_workspace:$GOPATH

-

-COPY . /go/src/github.com/docker/notary

-

-WORKDIR /go/src/${NOTARYPKG}

-

-RUN go install \

-    -tags pkcs11 \

-    -ldflags "-w -X ${NOTARYPKG}/version.GitCommit=`git rev-parse --short HEAD` -X ${NOTARYPKG}/version.NotaryVersion=`cat NOTARY_VERSION`" \

-    ${NOTARYPKG}/cmd/notary-server

-

-ENTRYPOINT [ "notary-server" ]

-CMD [ "-config=fixtures/server-config-local.json" ]

deleted file mode 100644

@@ -1,41 +0,0 @@

-FROM dockersecurity/golang-softhsm2

-MAINTAINER Diogo Monica "diogo@docker.com"

-

-# CHANGE-ME: Default values for SoftHSM2 PIN and SOPIN, used to initialize the first token

-ENV NOTARY_SIGNER_PIN="1234"

-ENV SOPIN="1234"

-ENV LIBDIR="/usr/local/lib/softhsm/"

-ENV NOTARY_SIGNER_DEFAULT_ALIAS="timestamp_1"

-ENV NOTARY_SIGNER_TIMESTAMP_1="testpassword"

-

-# Install openSC and dependencies

-RUN apt-get update && apt-get install -y \

-    libltdl-dev \

-    libpcsclite-dev \

-    opensc \

-    usbutils \

-    --no-install-recommends \

-    && rm -rf /var/lib/apt/lists/*

-

-# Initialize the SoftHSM2 token on slod 0, using PIN and SOPIN varaibles

-RUN softhsm2-util --init-token --slot 0 --label "test_token" --pin $NOTARY_SIGNER_PIN --so-pin $SOPIN

-

-ENV NOTARYPKG github.com/docker/notary

-ENV GOPATH /go/src/${NOTARYPKG}/Godeps/_workspace:$GOPATH

-

-EXPOSE 4444

-

-# Copy the local repo to the expected go path

-COPY . /go/src/github.com/docker/notary

-

-WORKDIR /go/src/${NOTARYPKG}

-

-# Install notary-signer

-RUN go install \

-    -tags pkcs11 \

-    -ldflags "-w -X ${NOTARYPKG}/version.GitCommit=`git rev-parse --short HEAD` -X ${NOTARYPKG}/version.NotaryVersion=`cat NOTARY_VERSION`" \

-    ${NOTARYPKG}/cmd/notary-signer

-

-

-ENTRYPOINT [ "notary-signer" ]

-CMD [ "-config=fixtures/signer-config-local.json" ]

@@ -16,6 +16,7 @@

 			"dmcgowan",

 			"endophage",

 			"nathanmccauley",

+			"riyazdf",

 		]

 [people]

@@ -50,3 +51,8 @@

 	Name = "Nathan McCauley"

 	Email = "nathan.mccauley@docker.com"

 	GitHub = "nathanmccauley"

+

+	[people.riyazdf]

+	Name = "Riyaz Faizullabhoy"

+	Email = "riyaz@docker.com"

+	GitHub = "riyazdf"

@@ -92,14 +92,21 @@ build: go_version

 	@echo "+ $@"

 	@go build -tags "${NOTARY_BUILDTAGS}" -v ${GO_LDFLAGS} ./...

+# When running `go test ./...`, it runs all the suites in parallel, which causes

+# problems when running with a yubikey

 test: TESTOPTS =

 test: go_version

+	@echo Note: when testing with a yubikey plugged in, make sure to include 'TESTOPTS="-p 1"'

 	@echo "+ $@ $(TESTOPTS)"

+	@echo

 	go test -tags "${NOTARY_BUILDTAGS}" $(TESTOPTS) ./...

+test-full: TESTOPTS =

 test-full: vet lint

+	@echo Note: when testing with a yubikey plugged in, make sure to include 'TESTOPTS="-p 1"'

 	@echo "+ $@"

-	go test -tags "${NOTARY_BUILDTAGS}" -v ./...

+	@echo

+	go test -tags "${NOTARY_BUILDTAGS}" $(TESTOPTS) -v ./...

 protos:

 	@protoc --go_out=plugins=grpc:. proto/*.proto

@@ -118,14 +125,18 @@ gen-cover: go_version

 	@mkdir -p "$(COVERDIR)"

 	$(foreach PKG,$(PKGS),$(call gocover,$(PKG)))

+# Generates the cover binaries and runs them all in serial, so this can be used

+# run all tests with a yubikey without any problems

 cover: GO_EXC := go

        OPTS = -tags "${NOTARY_BUILDTAGS}" -coverpkg "$(shell ./coverpkg.sh $(1) $(NOTARY_PKG))"

 cover: gen-cover covmerge

 	@go tool cover -html="$(COVERPROFILE)"

-# Codecov knows how to merge multiple coverage files

+# Generates the cover binaries and runs them all in serial, so this can be used

+# run all tests with a yubikey without any problems

 ci: OPTS = -tags "${NOTARY_BUILDTAGS}" -race -coverpkg "$(shell ./coverpkg.sh $(1) $(NOTARY_PKG))"

     GO_EXC := godep go

+# Codecov knows how to merge multiple coverage files, so covmerge is not needed

 ci: gen-cover

 covmerge:

@@ -151,10 +162,10 @@ notary-dockerfile:

 	@docker build --rm --force-rm -t notary .

 server-dockerfile:

-	@docker build --rm --force-rm -f Dockerfile.server -t notary-server .

+	@docker build --rm --force-rm -f server.Dockerfile -t notary-server .

 signer-dockerfile:

-	@docker build --rm --force-rm -f Dockerfile.signer -t notary-signer .

+	@docker build --rm --force-rm -f signer.Dockerfile -t notary-signer .

 docker-images: notary-dockerfile server-dockerfile signer-dockerfile

@@ -419,7 +419,7 @@ func (r *NotaryRepository) RemoveTarget(targetName string, roles ...string) erro

 // subtree and also the "targets/x" subtree, as we will defer parsing it until

 // we explicitly reach it in our iteration of the provided list of roles.

 func (r *NotaryRepository) ListTargets(roles ...string) ([]*TargetWithRole, error) {

-	_, err := r.Update()

+	_, err := r.Update(false)

 	if err != nil {

 		return nil, err

 	}

@@ -479,7 +479,7 @@ func (r *NotaryRepository) listSubtree(targets map[string]*TargetWithRole, role

 // will be returned

 // See the IMPORTANT section on ListTargets above. Those roles also apply here.

 func (r *NotaryRepository) GetTargetByName(name string, roles ...string) (*TargetWithRole, error) {

-	c, err := r.Update()

+	c, err := r.Update(false)

 	if err != nil {

 		return nil, err

 	}

@@ -514,7 +514,7 @@ func (r *NotaryRepository) GetChangelist() (changelist.Changelist, error) {

 func (r *NotaryRepository) Publish() error {

 	var initialPublish bool

 	// update first before publishing

-	_, err := r.Update()

+	_, err := r.Update(true)

 	if err != nil {

 		// If the remote is not aware of the repo, then this is being published

 		// for the first time.  Try to load from disk instead for publishing.

@@ -555,13 +555,21 @@ func (r *NotaryRepository) Publish() error {

 	// we send anything to remote

 	updatedFiles := make(map[string][]byte)

-	// check if our root file is nearing expiry. Resign if it is.

-	if nearExpiry(r.tufRepo.Root) || r.tufRepo.Root.Dirty || initialPublish {

+	// check if our root file is nearing expiry or dirty. Resign if it is.  If

+	// root is not dirty but we are publishing for the first time, then just

+	// publish the existing root we have.

+	if nearExpiry(r.tufRepo.Root) || r.tufRepo.Root.Dirty {

 		rootJSON, err := serializeCanonicalRole(r.tufRepo, data.CanonicalRootRole)

 		if err != nil {

 			return err

 		}

 		updatedFiles[data.CanonicalRootRole] = rootJSON

+	} else if initialPublish {

+		rootJSON, err := r.tufRepo.Root.MarshalJSON()

+		if err != nil {

+			return err

+		}

+		updatedFiles[data.CanonicalRootRole] = rootJSON

 	}

 	// iterate through all the targets files - if they are dirty, sign and update

@@ -714,75 +722,94 @@ func (r *NotaryRepository) saveMetadata(ignoreSnapshot bool) error {

 	return r.fileStore.SetMeta(data.CanonicalSnapshotRole, snapshotJSON)

 }

+// returns a properly constructed ErrRepositoryNotExist error based on this

+// repo's information

+func (r *NotaryRepository) errRepositoryNotExist() error {

+	host := r.baseURL

+	parsed, err := url.Parse(r.baseURL)

+	if err == nil {

+		host = parsed.Host // try to exclude the scheme and any paths

+	}

+	return ErrRepositoryNotExist{remote: host, gun: r.gun}

+}

+

 // Update bootstraps a trust anchor (root.json) before updating all the

 // metadata from the repo.

-func (r *NotaryRepository) Update() (*tufclient.Client, error) {

-	c, err := r.bootstrapClient()

+func (r *NotaryRepository) Update(forWrite bool) (*tufclient.Client, error) {

+	c, err := r.bootstrapClient(forWrite)

 	if err != nil {

 		if _, ok := err.(store.ErrMetaNotFound); ok {

-			host := r.baseURL

-			parsed, err := url.Parse(r.baseURL)

-			if err == nil {

-				host = parsed.Host // try to exclude the scheme and any paths

-			}

-			return nil, ErrRepositoryNotExist{remote: host, gun: r.gun}

+			return nil, r.errRepositoryNotExist()

 		}

 		return nil, err

 	}

 	err = c.Update()

 	if err != nil {

+		if notFound, ok := err.(store.ErrMetaNotFound); ok && notFound.Resource == data.CanonicalRootRole {

+			return nil, r.errRepositoryNotExist()

+		}

 		return nil, err

 	}

 	return c, nil

 }

-func (r *NotaryRepository) bootstrapClient() (*tufclient.Client, error) {

-	var rootJSON []byte

-	remote, err := getRemoteStore(r.baseURL, r.gun, r.roundTrip)

-	if err == nil {

-		// if remote store successfully set up, try and get root from remote

-		rootJSON, err = remote.GetMeta("root", maxSize)

+// bootstrapClient attempts to bootstrap a root.json to be used as the trust

+// anchor for a repository. The checkInitialized argument indicates whether

+// we should always attempt to contact the server to determine if the repository

+// is initialized or not. If set to true, we will always attempt to download

+// and return an error if the remote repository errors.

+func (r *NotaryRepository) bootstrapClient(checkInitialized bool) (*tufclient.Client, error) {

+	var (

+		rootJSON   []byte

+		err        error

+		signedRoot *data.SignedRoot

+	)

+	// try to read root from cache first. We will trust this root

+	// until we detect a problem during update which will cause

+	// us to download a new root and perform a rotation.

+	rootJSON, cachedRootErr := r.fileStore.GetMeta("root", maxSize)

+

+	if cachedRootErr == nil {

+		signedRoot, cachedRootErr = r.validateRoot(rootJSON)

 	}

-	// if remote store couldn't be setup, or we failed to get a root from it

-	// load the root from cache (offline operation)

-	if err != nil {

-		if err, ok := err.(store.ErrMetaNotFound); ok {

-			// if the error was MetaNotFound then we successfully contacted

-			// the store and it doesn't know about the repo.

-			return nil, err

-		}

-		result, cacheErr := r.fileStore.GetMeta("root", maxSize)

-		if cacheErr != nil {

-			// if cache didn't return a root, we cannot proceed - just return

-			// the original error.

+	remote, remoteErr := getRemoteStore(r.baseURL, r.gun, r.roundTrip)

+	if remoteErr != nil {

+		logrus.Error(remoteErr)

+	} else if cachedRootErr != nil || checkInitialized {

+		// remoteErr was nil and we had a cachedRootErr (or are specifically

+		// checking for initialization of the repo).

+

+		// if remote store successfully set up, try and get root from remote

+		tmpJSON, err := remote.GetMeta("root", maxSize)

+		if err != nil {

+			// we didn't have a root in cache and were unable to load one from

+			// the server. Nothing we can do but error.

 			return nil, err

 		}

-		rootJSON = result

-		logrus.Debugf(

-			"Using local cache instead of remote due to failure: %s", err.Error())

-	}

-	// can't just unmarshal into SignedRoot because validate root

-	// needs the root.Signed field to still be []byte for signature

-	// validation

-	root := &data.Signed{}

-	err = json.Unmarshal(rootJSON, root)

-	if err != nil {

-		return nil, err

-	}

+		if cachedRootErr != nil {

+			// we always want to use the downloaded root if there was a cache

+			// error.

+			signedRoot, err = r.validateRoot(tmpJSON)

+			if err != nil {

+				return nil, err

+			}

-	err = r.CertManager.ValidateRoot(root, r.gun)

-	if err != nil {

-		return nil, err

+			err = r.fileStore.SetMeta("root", tmpJSON)

+			if err != nil {

+				// if we can't write cache we should still continue, just log error

+				logrus.Errorf("could not save root to cache: %s", err.Error())

+			}

+		}

 	}

 	kdb := keys.NewDB()

 	r.tufRepo = tuf.NewRepo(kdb, r.CryptoService)

-	signedRoot, err := data.RootFromSigned(root)

-	if err != nil {

-		return nil, err

+	if signedRoot == nil {

+		return nil, ErrRepoNotInitialized{}

 	}

+

 	err = r.tufRepo.SetRoot(signedRoot)

 	if err != nil {

 		return nil, err

@@ -796,6 +823,28 @@ func (r *NotaryRepository) bootstrapClient() (*tufclient.Client, error) {

 	), nil

 }

+// validateRoot MUST only be used during bootstrapping. It will only validate

+// signatures of the root based on known keys, not expiry or other metadata.

+// This is so that an out of date root can be loaded to be used in a rotation

+// should the TUF update process detect a problem.

+func (r *NotaryRepository) validateRoot(rootJSON []byte) (*data.SignedRoot, error) {

+	// can't just unmarshal into SignedRoot because validate root

+	// needs the root.Signed field to still be []byte for signature

+	// validation

+	root := &data.Signed{}

+	err := json.Unmarshal(rootJSON, root)

+	if err != nil {

+		return nil, err

+	}

+

+	err = r.CertManager.ValidateRoot(root, r.gun)

+	if err != nil {

+		return nil, err

+	}

+

+	return data.RootFromSigned(root)

+}

+

 // RotateKey removes all existing keys associated with the role, and either

 // creates and adds one new key or delegates managing the key to the server.

 // These changes are staged in a changelist until publish is called.

@@ -17,7 +17,7 @@ import (

 // Use this to initialize remote HTTPStores from the config settings

 func getRemoteStore(baseURL, gun string, rt http.RoundTripper) (store.RemoteStore, error) {

-	return store.NewHTTPStore(

+	s, err := store.NewHTTPStore(

 		baseURL+"/v2/"+gun+"/_trust/tuf/",

 		"",

 		"json",

@@ -25,6 +25,10 @@ func getRemoteStore(baseURL, gun string, rt http.RoundTripper) (store.RemoteStor

 		"key",

 		rt,

 	)

+	if err != nil {

+		return store.OfflineStore{}, err

+	}

+	return s, err

 }

 func applyChangelist(repo *tuf.Repo, cl changelist.Changelist) error {

@@ -26,7 +26,7 @@ func NewNotaryRepository(baseDir, gun, baseURL string, rt http.RoundTripper,

 	keyStores := []trustmanager.KeyStore{fileKeyStore}

 	yubiKeyStore, _ := yubikey.NewYubiKeyStore(fileKeyStore, retriever)

 	if yubiKeyStore != nil {

-		keyStores = append(keyStores, yubiKeyStore)

+		keyStores = []trustmanager.KeyStore{yubiKeyStore, fileKeyStore}

 	}

 	return repositoryFromKeystores(baseDir, gun, baseURL, rt, keyStores)

@@ -73,9 +73,9 @@ func (cs *CryptoService) Create(role, algorithm string) (data.PublicKey, error)

 }

-// GetPrivateKey returns a private key by ID. It tries to get the key first

-// without a GUN (in which case it's a root key).  If that fails, try to get

-// the key with the GUN (non-root key).

+// GetPrivateKey returns a private key and role if present by ID.

+// It tries to get the key first without a GUN (in which case it's a root key).

+// If that fails, try to get the key with the GUN (non-root key).

 // If that fails, then we don't have the key.

 func (cs *CryptoService) GetPrivateKey(keyID string) (k data.PrivateKey, role string, err error) {

 	keyPaths := []string{keyID, filepath.Join(cs.gun, keyID)}

@@ -1,6 +1,6 @@

 notaryserver:

   build: .

-  dockerfile: Dockerfile.server

+  dockerfile: server.Dockerfile

   links:

    - notarymysql

    - notarysigner

@@ -15,7 +15,7 @@ notarysigner:

    - /dev/bus/usb/003/010:/dev/bus/usb/002/010

    - /var/run/pcscd/pcscd.comm:/var/run/pcscd/pcscd.comm

   build: .

-  dockerfile: Dockerfile.signer

+  dockerfile: signer.Dockerfile

   links:

    - notarymysql

   command: -config=fixtures/signer-config.json

new file mode 100644

@@ -0,0 +1,23 @@

+FROM golang:1.5.1

+

+RUN apt-get update && apt-get install -y \

+    libltdl-dev \

+    --no-install-recommends \

+    && rm -rf /var/lib/apt/lists/*

+

+EXPOSE 4443

+

+ENV NOTARYPKG github.com/docker/notary

+ENV GOPATH /go/src/${NOTARYPKG}/Godeps/_workspace:$GOPATH

+

+COPY . /go/src/github.com/docker/notary

+

+WORKDIR /go/src/${NOTARYPKG}

+

+RUN go install \

+    -tags pkcs11 \

+    -ldflags "-w -X ${NOTARYPKG}/version.GitCommit=`git rev-parse --short HEAD` -X ${NOTARYPKG}/version.NotaryVersion=`cat NOTARY_VERSION`" \

+    ${NOTARYPKG}/cmd/notary-server

+

+ENTRYPOINT [ "notary-server" ]

+CMD [ "-config=fixtures/server-config-local.json" ]

new file mode 100644

@@ -0,0 +1,41 @@

+FROM dockersecurity/golang-softhsm2

+MAINTAINER Diogo Monica "diogo@docker.com"

+

+# CHANGE-ME: Default values for SoftHSM2 PIN and SOPIN, used to initialize the first token

+ENV NOTARY_SIGNER_PIN="1234"

+ENV SOPIN="1234"

+ENV LIBDIR="/usr/local/lib/softhsm/"

+ENV NOTARY_SIGNER_DEFAULT_ALIAS="timestamp_1"

+ENV NOTARY_SIGNER_TIMESTAMP_1="testpassword"

+

+# Install openSC and dependencies

+RUN apt-get update && apt-get install -y \

+    libltdl-dev \

+    libpcsclite-dev \

+    opensc \

+    usbutils \

+    --no-install-recommends \

+    && rm -rf /var/lib/apt/lists/*

+

+# Initialize the SoftHSM2 token on slod 0, using PIN and SOPIN varaibles

+RUN softhsm2-util --init-token --slot 0 --label "test_token" --pin $NOTARY_SIGNER_PIN --so-pin $SOPIN

+

+ENV NOTARYPKG github.com/docker/notary

+ENV GOPATH /go/src/${NOTARYPKG}/Godeps/_workspace:$GOPATH

+

+EXPOSE 4444

+

+# Copy the local repo to the expected go path

+COPY . /go/src/github.com/docker/notary

+

+WORKDIR /go/src/${NOTARYPKG}

+

+# Install notary-signer

+RUN go install \

+    -tags pkcs11 \

+    -ldflags "-w -X ${NOTARYPKG}/version.GitCommit=`git rev-parse --short HEAD` -X ${NOTARYPKG}/version.NotaryVersion=`cat NOTARY_VERSION`" \

+    ${NOTARYPKG}/cmd/notary-signer

+

+

+ENTRYPOINT [ "notary-signer" ]

+CMD [ "-config=fixtures/signer-config-local.json" ]

@@ -129,6 +129,7 @@ func (c Client) checkRoot() error {

 // downloadRoot is responsible for downloading the root.json

 func (c *Client) downloadRoot() error {

+	logrus.Debug("Downloading Root...")

 	role := data.CanonicalRootRole

 	size := maxSize

 	var expectedSha256 []byte

@@ -240,7 +241,7 @@ func (c Client) verifyRoot(role string, s *data.Signed, minVersion int) error {

 // Timestamps are special in that we ALWAYS attempt to download and only

 // use cache if the download fails (and the cache is still valid).

 func (c *Client) downloadTimestamp() error {

-	logrus.Debug("downloadTimestamp")

+	logrus.Debug("Downloading Timestamp...")

 	role := data.CanonicalTimestampRole

 	// We may not have a cached timestamp if this is the first time

@@ -299,7 +300,7 @@ func (c *Client) downloadTimestamp() error {

 // downloadSnapshot is responsible for downloading the snapshot.json

 func (c *Client) downloadSnapshot() error {

-	logrus.Debug("downloadSnapshot")

+	logrus.Debug("Downloading Snapshot...")

 	role := data.CanonicalSnapshotRole

 	if c.local.Timestamp == nil {

 		return ErrMissingMeta{role: "snapshot"}

@@ -372,6 +373,7 @@ func (c *Client) downloadSnapshot() error {

 // It uses a pre-order tree traversal as it's necessary to download parents first

 // to obtain the keys to validate children.

 func (c *Client) downloadTargets(role string) error {

+	logrus.Debug("Downloading Targets...")

 	stack := utils.NewStack()

 	stack.Push(role)

 	for !stack.Empty() {

@@ -43,10 +43,11 @@ func NewRoot(keys map[string]PublicKey, roles map[string]*RootRole, consistent b

 // ToSigned partially serializes a SignedRoot for further signing

 func (r SignedRoot) ToSigned() (*Signed, error) {

-	s, err := json.MarshalCanonical(r.Signed)

+	s, err := defaultSerializer.MarshalCanonical(r.Signed)

 	if err != nil {

 		return nil, err

 	}

+	// cast into a json.RawMessage

 	signed := json.RawMessage{}

 	err = signed.UnmarshalJSON(s)

 	if err != nil {

@@ -60,6 +61,15 @@ func (r SignedRoot) ToSigned() (*Signed, error) {

 	}, nil

 }

+// MarshalJSON returns the serialized form of SignedRoot as bytes

+func (r SignedRoot) MarshalJSON() ([]byte, error) {

+	signed, err := r.ToSigned()

+	if err != nil {

+		return nil, err

+	}

+	return defaultSerializer.Marshal(signed)

+}

+

 // RootFromSigned fully unpacks a Signed object into a SignedRoot

 func RootFromSigned(s *Signed) (*SignedRoot, error) {

 	r := Root{}

new file mode 100644

@@ -0,0 +1,36 @@

+package data

+

+import "github.com/jfrazelle/go/canonical/json"

+

+// Serializer is an interface that can marshal and unmarshal TUF data.  This

+// is expected to be a canonical JSON marshaller

+type serializer interface {

+	MarshalCanonical(from interface{}) ([]byte, error)

+	Marshal(from interface{}) ([]byte, error)

+	Unmarshal(from []byte, to interface{}) error

+}

+

+// CanonicalJSON marshals to and from canonical JSON

+type canonicalJSON struct{}

+

+// MarshalCanonical returns the canonical JSON form of a thing

+func (c canonicalJSON) MarshalCanonical(from interface{}) ([]byte, error) {

+	return json.MarshalCanonical(from)

+}

+

+// Marshal returns the regular non-canonical JSON form of a thing

+func (c canonicalJSON) Marshal(from interface{}) ([]byte, error) {

+	return json.Marshal(from)

+}

+

+// Unmarshal unmarshals some JSON bytes

+func (c canonicalJSON) Unmarshal(from []byte, to interface{}) error {

+	return json.Unmarshal(from, to)

+}

+

+// defaultSerializer is a canonical JSON serializer

+var defaultSerializer serializer = canonicalJSON{}

+

+func setDefaultSerializer(s serializer) {

+	defaultSerializer = s

+}

@@ -95,7 +95,7 @@ func (e *Ed25519) GetKey(keyID string) data.PublicKey {

 	return data.PublicKeyFromPrivate(e.keys[keyID].privKey)

 }

-// GetPrivateKey returns a single private key based on the ID

+// GetPrivateKey returns a single private key and role if present, based on the ID

 func (e *Ed25519) GetPrivateKey(keyID string) (data.PrivateKey, string, error) {

 	if k, ok := e.keys[keyID]; ok {

 		return k.privKey, k.role, nil

@@ -118,12 +118,12 @@ func tryUnmarshalError(resp *http.Response, defaultError error) error {

 	return err

 }

-func translateStatusToError(resp *http.Response) error {

+func translateStatusToError(resp *http.Response, resource string) error {

 	switch resp.StatusCode {

 	case http.StatusOK:

 		return nil

 	case http.StatusNotFound:

-		return ErrMetaNotFound{}

+		return ErrMetaNotFound{Resource: resource}

 	case http.StatusBadRequest:

 		return tryUnmarshalError(resp, ErrInvalidOperation{})

 	default:

@@ -148,7 +148,7 @@ func (s HTTPStore) GetMeta(name string, size int64) ([]byte, error) {

 		return nil, err

 	}

 	defer resp.Body.Close()

-	if err := translateStatusToError(resp); err != nil {

+	if err := translateStatusToError(resp, name); err != nil {

 		logrus.Debugf("received HTTP status %d when requesting %s.", resp.StatusCode, name)

 		return nil, err

 	}

@@ -179,7 +179,7 @@ func (s HTTPStore) SetMeta(name string, blob []byte) error {

 		return err

 	}

 	defer resp.Body.Close()

-	return translateStatusToError(resp)

+	return translateStatusToError(resp, "POST "+name)

 }

 // NewMultiPartMetaRequest builds a request with the provided metadata updates

@@ -223,7 +223,8 @@ func (s HTTPStore) SetMultiMeta(metas map[string][]byte) error {

 		return err

 	}

 	defer resp.Body.Close()

-	return translateStatusToError(resp)

+	// if this 404's something is pretty wrong

+	return translateStatusToError(resp, "POST metadata endpoint")

 }

 func (s HTTPStore) buildMetaURL(name string) (*url.URL, error) {

@@ -271,7 +272,7 @@ func (s HTTPStore) GetTarget(path string) (io.ReadCloser, error) {

 		return nil, err

 	}

 	defer resp.Body.Close()

-	if err := translateStatusToError(resp); err != nil {

+	if err := translateStatusToError(resp, path); err != nil {

 		return nil, err

 	}

 	return resp.Body, nil

@@ -292,7 +293,7 @@ func (s HTTPStore) GetKey(role string) ([]byte, error) {

 		return nil, err

 	}

 	defer resp.Body.Close()

-	if err := translateStatusToError(resp); err != nil {

+	if err := translateStatusToError(resp, role+" key"); err != nil {

 		return nil, err

 	}

 	body, err := ioutil.ReadAll(resp.Body)

new file mode 100644

@@ -0,0 +1,43 @@

+package store

+

+import (

+	"io"

+)

+

+// ErrOffline is used to indicate we are operating offline

+type ErrOffline struct{}

+

+func (e ErrOffline) Error() string {

+	return "client is offline"

+}

+

+var err = ErrOffline{}

+

+// OfflineStore is to be used as a placeholder for a nil store. It simply

+// return ErrOffline for every operation

+type OfflineStore struct{}

+

+// GetMeta return ErrOffline

+func (es OfflineStore) GetMeta(name string, size int64) ([]byte, error) {

+	return nil, err

+}

+

+// SetMeta return ErrOffline

+func (es OfflineStore) SetMeta(name string, blob []byte) error {

+	return err

+}

+

+// SetMultiMeta return ErrOffline

+func (es OfflineStore) SetMultiMeta(map[string][]byte) error {

+	return err

+}

+

+// GetKey return ErrOffline

+func (es OfflineStore) GetKey(role string) ([]byte, error) {

+	return nil, err

+}

+

+// GetTarget return ErrOffline

+func (es OfflineStore) GetTarget(path string) (io.ReadCloser, error) {

+	return nil, err

+}