@@ -186,7 +186,7 @@ RUN set -x \

 	&& rm -rf "$GOPATH"

 # Install notary and notary-server

-ENV NOTARY_VERSION docker-v1.11-3

+ENV NOTARY_VERSION v0.3.0-RC1

 RUN set -x \

 	&& export GO15VENDOREXPERIMENT=1 \

 	&& export GOPATH="$(mktemp -d)" \

@@ -117,7 +117,7 @@ RUN set -x \

 	&& rm -rf "$GOPATH"

 # Install notary and notary-server

-ENV NOTARY_VERSION docker-v1.11-3

+ENV NOTARY_VERSION v0.3.0-RC1

 RUN set -x \

 	&& export GO15VENDOREXPERIMENT=1 \

 	&& export GOPATH="$(mktemp -d)" \

@@ -128,7 +128,7 @@ RUN set -x \

 	&& rm -rf "$GOPATH"

 # Install notary and notary-server

-ENV NOTARY_VERSION docker-v1.11-3

+ENV NOTARY_VERSION v0.3.0-RC1

 RUN set -x \

 	&& export GO15VENDOREXPERIMENT=1 \

 	&& export GOPATH="$(mktemp -d)" \

@@ -141,7 +141,7 @@ RUN set -x \

 	&& rm -rf "$GOPATH"

 # Install notary and notary-server

-ENV NOTARY_VERSION docker-v1.11-3

+ENV NOTARY_VERSION v0.3.0-RC1

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \

@@ -130,7 +130,7 @@ RUN set -x \

 	&& rm -rf "$GOPATH"

 # Install notary and notary-server

-ENV NOTARY_VERSION docker-v1.11-3

+ENV NOTARY_VERSION v0.3.0-RC1

 RUN set -x \

 	&& export GO15VENDOREXPERIMENT=1 \

 	&& export GOPATH="$(mktemp -d)" \

@@ -53,7 +53,7 @@ clone git github.com/docker/distribution 9ec0d742d69f77caa4dd5f49ceb70c3067d39f3

 clone git github.com/vbatts/tar-split v0.9.11

 # get desired notary commit, might also need to be updated in Dockerfile

-clone git github.com/docker/notary docker-v1.11-3

+clone git github.com/docker/notary v0.3.0-RC1

 clone git google.golang.org/grpc a22b6611561e9f0a3e0919690dd2caf48f14c517 https://github.com/grpc/grpc-go.git

 clone git github.com/miekg/pkcs11 df8ae6ca730422dba20c768ff38ef7d79077a59f

@@ -1,15 +1,35 @@

-FROM golang:1.6.0

+FROM golang:1.6.1

 RUN apt-get update && apt-get install -y \

+	curl \

+	clang \

 	libltdl-dev \

 	libsqlite3-dev \

+	patch \

+	tar \

+	xz-utils \

 	--no-install-recommends \

 	&& rm -rf /var/lib/apt/lists/*

-RUN go get golang.org/x/tools/cmd/vet \

-	&& go get golang.org/x/tools/cmd/cover \

-	&& go get github.com/tools/godep

+RUN go get golang.org/x/tools/cmd/cover

-COPY . /go/src/github.com/docker/notary

+# Configure the container for OSX cross compilation

+ENV OSX_SDK MacOSX10.11.sdk

+ENV OSX_CROSS_COMMIT 8aa9b71a394905e6c5f4b59e2b97b87a004658a4

+RUN set -x \

+	&& export OSXCROSS_PATH="/osxcross" \

+	&& git clone https://github.com/tpoechtrager/osxcross.git $OSXCROSS_PATH \

+	&& ( cd $OSXCROSS_PATH && git checkout -q $OSX_CROSS_COMMIT) \

+	&& curl -sSL https://s3.dockerproject.org/darwin/v2/${OSX_SDK}.tar.xz -o "${OSXCROSS_PATH}/tarballs/${OSX_SDK}.tar.xz" \

+	&& UNATTENDED=yes OSX_VERSION_MIN=10.6 ${OSXCROSS_PATH}/build.sh > /dev/null

+ENV PATH /osxcross/target/bin:$PATH

-WORKDIR /go/src/github.com/docker/notary

+ENV NOTARYDIR /go/src/github.com/docker/notary

+

+COPY . ${NOTARYDIR}

+

+ENV GOPATH ${NOTARYDIR}/Godeps/_workspace:$GOPATH

+

+WORKDIR ${NOTARYDIR}

+

+# Note this cannot use alpine because of the MacOSX Cross SDK: the cctools there uses sys/cdefs.h and that cannot be used in alpine: http://wiki.musl-libc.org/wiki/FAQ#Q:_I.27m_trying_to_compile_something_against_musl_and_I_get_error_messages_about_sys.2Fcdefs.h

@@ -13,14 +13,18 @@ endif

 CTIMEVAR=-X $(NOTARY_PKG)/version.GitCommit=$(GITCOMMIT) -X $(NOTARY_PKG)/version.NotaryVersion=$(NOTARY_VERSION)

 GO_LDFLAGS=-ldflags "-w $(CTIMEVAR)"

 GO_LDFLAGS_STATIC=-ldflags "-w $(CTIMEVAR) -extldflags -static"

-GOOSES = darwin freebsd linux

-GOARCHS = amd64

+GOOSES = darwin linux

 NOTARY_BUILDTAGS ?= pkcs11

-GO_EXC = go

 NOTARYDIR := /go/src/github.com/docker/notary

+GO_VERSION := $(shell go version | grep "1\.[6-9]\(\.[0-9]+\)*")

+# check to make sure we have the right version

+ifeq ($(strip $(GO_VERSION)),)

+$(error Bad Go version - please install Go >= 1.6)

+endif

+

 # check to be sure pkcs11 lib is always imported with a build tag

-GO_LIST_PKCS11 := $(shell go list -e -f '{{join .Deps "\n"}}' ./... | grep -v /vendor/ | xargs go list -e -f '{{if not .Standard}}{{.ImportPath}}{{end}}' | grep -q pkcs11)

+GO_LIST_PKCS11 := $(shell go list -tags "${NOTARY_BUILDTAGS}" -e -f '{{join .Deps "\n"}}' ./... | grep -v /vendor/ | xargs go list -e -f '{{if not .Standard}}{{.ImportPath}}{{end}}' | grep -q pkcs11)

 ifeq ($(GO_LIST_PKCS11),)

 $(info pkcs11 import was not found anywhere without a build tag, yay)

 else

@@ -34,7 +38,7 @@ _space := $(empty) $(empty)

 COVERDIR=.cover

 COVERPROFILE?=$(COVERDIR)/cover.out

 COVERMODE=count

-PKGS ?= $(shell go list ./... | grep -v /vendor/ | tr '\n' ' ')

+PKGS ?= $(shell go list -tags "${NOTARY_BUILDTAGS}" ./... | grep -v /vendor/ | tr '\n' ' ')

 GO_VERSION = $(shell go version | awk '{print $$3}')

@@ -53,15 +57,15 @@ version/version.go:

 ${PREFIX}/bin/notary-server: NOTARY_VERSION $(shell find . -type f -name '*.go')

 	@echo "+ $@"

-	@godep go build -tags ${NOTARY_BUILDTAGS} -o $@ ${GO_LDFLAGS} ./cmd/notary-server

+	@go build -tags ${NOTARY_BUILDTAGS} -o $@ ${GO_LDFLAGS} ./cmd/notary-server

 ${PREFIX}/bin/notary: NOTARY_VERSION $(shell find . -type f -name '*.go')

 	@echo "+ $@"

-	@godep go build -tags ${NOTARY_BUILDTAGS} -o $@ ${GO_LDFLAGS} ./cmd/notary

+	@go build -tags ${NOTARY_BUILDTAGS} -o $@ ${GO_LDFLAGS} ./cmd/notary

 ${PREFIX}/bin/notary-signer: NOTARY_VERSION $(shell find . -type f -name '*.go')

 	@echo "+ $@"

-	@godep go build -tags ${NOTARY_BUILDTAGS} -o $@ ${GO_LDFLAGS} ./cmd/notary-signer

+	@go build -tags ${NOTARY_BUILDTAGS} -o $@ ${GO_LDFLAGS} ./cmd/notary-signer

 ifeq ($(shell uname -s),Darwin)

 ${PREFIX}/bin/static/notary-server:

@@ -72,11 +76,11 @@ ${PREFIX}/bin/static/notary-signer:

 else

 ${PREFIX}/bin/static/notary-server: NOTARY_VERSION $(shell find . -type f -name '*.go')

 	@echo "+ $@"

-	@godep go build -tags ${NOTARY_BUILDTAGS} -o $@ ${GO_LDFLAGS_STATIC} ./cmd/notary-server

+	@go build -tags ${NOTARY_BUILDTAGS} -o $@ ${GO_LDFLAGS_STATIC} ./cmd/notary-server

 ${PREFIX}/bin/static/notary-signer: NOTARY_VERSION $(shell find . -type f -name '*.go')

 	@echo "+ $@"

-	@godep go build -tags ${NOTARY_BUILDTAGS} -o $@ ${GO_LDFLAGS_STATIC} ./cmd/notary-signer

+	@go build -tags ${NOTARY_BUILDTAGS} -o $@ ${GO_LDFLAGS_STATIC} ./cmd/notary-signer

 endif

 vet:

@@ -94,7 +98,7 @@ fmt:

 lint:

 	@echo "+ $@"

-	@test -z "$$(golint ./... | grep -v .pb. | grep -v vendor/ | tee /dev/stderr)"

+	@test -z "$(shell find . -type f -name "*.go" -not -path "./vendor/*" -not -name "*.pb.*" -exec golint {} \; | tee /dev/stderr)"

 # Requires that the following:

 # go get -u github.com/client9/misspell/cmd/misspell

@@ -126,6 +130,9 @@ test-full: vet lint

 	@echo

 	go test -tags "${NOTARY_BUILDTAGS}" $(TESTOPTS) -v $(PKGS)

+integration:

+	buildscripts/integrationtest.sh development.yml

+

 protos:

 	@protoc --go_out=plugins=grpc:. proto/*.proto

@@ -136,7 +143,7 @@ protos:

 # be run first

 define gocover

-$(GO_EXC) test $(OPTS) $(TESTOPTS) -covermode="$(COVERMODE)" -coverprofile="$(COVERDIR)/$(subst /,-,$(1)).$(subst $(_space),.,$(NOTARY_BUILDTAGS)).coverage.txt" "$(1)" || exit 1;

+go test $(OPTS) $(TESTOPTS) -covermode="$(COVERMODE)" -coverprofile="$(COVERDIR)/$(subst /,-,$(1)).$(subst $(_space),.,$(NOTARY_BUILDTAGS)).coverage.txt" "$(1)" || exit 1;

 endef

 gen-cover:

@@ -146,15 +153,13 @@ gen-cover:

 # Generates the cover binaries and runs them all in serial, so this can be used

 # run all tests with a yubikey without any problems

-cover: GO_EXC := go

-       OPTS = -tags "${NOTARY_BUILDTAGS}" -coverpkg "$(shell ./coverpkg.sh $(1) $(NOTARY_PKG))"

+cover: OPTS = -tags "${NOTARY_BUILDTAGS}" -coverpkg "$(shell ./coverpkg.sh $(1) $(NOTARY_PKG))"

 cover: gen-cover covmerge

 	@go tool cover -html="$(COVERPROFILE)"

 # Generates the cover binaries and runs them all in serial, so this can be used

 # run all tests with a yubikey without any problems

 ci: OPTS = -tags "${NOTARY_BUILDTAGS}" -race -coverpkg "$(shell ./coverpkg.sh $(1) $(NOTARY_PKG))"

-    GO_EXC := godep go

 # Codecov knows how to merge multiple coverage files, so covmerge is not needed

 ci: gen-cover

@@ -168,21 +173,15 @@ covmerge:

 clean-protos:

 	@rm proto/*.pb.go

+client: ${PREFIX}/bin/notary

+	@echo "+ $@"

+

 binaries: ${PREFIX}/bin/notary-server ${PREFIX}/bin/notary ${PREFIX}/bin/notary-signer

 	@echo "+ $@"

 static: ${PREFIX}/bin/static/notary-server ${PREFIX}/bin/static/notary-signer

 	@echo "+ $@"

-define template

-mkdir -p ${PREFIX}/cross/$(1)/$(2);

-GOOS=$(1) GOARCH=$(2) CGO_ENABLED=0 go build -o ${PREFIX}/cross/$(1)/$(2)/notary -a -tags "static_build netgo" -installsuffix netgo ${GO_LDFLAGS_STATIC} ./cmd/notary;

-endef

-

-cross:

-	$(foreach GOARCH,$(GOARCHS),$(foreach GOOS,$(GOOSES),$(call template,$(GOOS),$(GOARCH))))

-

-

 notary-dockerfile:

 	@docker build --rm --force-rm -t notary .

@@ -197,6 +196,10 @@ docker-images: notary-dockerfile server-dockerfile signer-dockerfile

 shell: notary-dockerfile

 	docker run --rm -it -v $(CURDIR)/cross:$(NOTARYDIR)/cross -v $(CURDIR)/bin:$(NOTARYDIR)/bin notary bash

+cross: notary-dockerfile

+	@rm -rf $(CURDIR)/cross

+	docker run --rm -v $(CURDIR)/cross:$(NOTARYDIR)/cross -e NOTARY_BUILDTAGS=$(NOTARY_BUILDTAGS) notary buildscripts/cross.sh $(GOOSES)

+

 clean:

 	@echo "+ $@"

@@ -1,8 +1,9 @@

-# Notary 

+# Notary

 [![Circle CI](https://circleci.com/gh/docker/notary/tree/master.svg?style=shield)](https://circleci.com/gh/docker/notary/tree/master) [![CodeCov](https://codecov.io/github/docker/notary/coverage.svg?branch=master)](https://codecov.io/github/docker/notary)

 The Notary project comprises a [server](cmd/notary-server) and a [client](cmd/notary) for running and interacting

-with trusted collections.

+with trusted collections.  Please see the [service architecture](docs/service_architecture.md) documentation

+for more information.

 Notary aims to make the internet more secure by making it easy for people to

@@ -21,7 +22,7 @@ received content.

 ## Goals

-Notary is based on [The Update Framework](http://theupdateframework.com/), a secure general design for the problem of software distribution and updates. By using TUF, notary achieves a number of key advantages:

+Notary is based on [The Update Framework](https://www.theupdateframework.com/), a secure general design for the problem of software distribution and updates. By using TUF, notary achieves a number of key advantages:

 * **Survivable Key Compromise**: Content publishers must manage keys in order to sign their content. Signing keys may be compromised or lost so systems must be designed in order to be flexible and recoverable in the case of key compromise. TUF's notion of key roles is utilized to separate responsibilities across a hierarchy of keys such that loss of any particular key (except the root role) by itself is not fatal to the security of the system.

 * **Freshness Guarantees**: Replay attacks are a common problem in designing secure systems, where previously valid payloads are replayed to trick another system. The same problem exists in the software update systems, where old signed can be presented as the most recent. notary makes use of timestamping on publishing so that consumers can know that they are receiving the most up to date content. This is particularly important when dealing with software update where old vulnerable versions could be used to attack users.

@@ -30,165 +31,60 @@ Notary is based on [The Update Framework](http://theupdateframework.com/), a sec

 * **Use of Existing Distribution**: Notary's trust guarantees are not tied at all to particular distribution channels from which content is delivered. Therefore, trust can be added to any existing content delivery mechanism.

 * **Untrusted Mirrors and Transport**: All of the notary metadata can be mirrored and distributed via arbitrary channels.

-# Notary CLI

+## Security

-Notary is a tool for publishing and managing trusted collections of content. Publishers can digitally sign collections and consumers can verify integrity and origin of content. This ability is built on a straightforward key management and signing interface to create signed collections and configure trusted publishers.

+Please see our [service architecture docs](docs/service_architecture.md#threat-model) for more information about our threat model, which details the varying survivability and severities for key compromise as well as mitigations.

-## Using Notary

-Lets try using notary.

+Our last security audit was on July 31, 2015 by NCC ([results](docs/resources/ncc_docker_notary_audit_2015_07_31.pdf)).

-Prerequisites:

-

-- Requirements from the [Compiling Notary Server](#compiling-notary-server) section (such as go 1.5.1)

-- [docker and docker-compose](http://docs.docker.com/compose/install/)

-- [Notary server configuration](#configuring-notary-server)

-

-As setup, let's build notary and then start up a local notary-server (don't forget to add `127.0.0.1 notary-server` to your `/etc/hosts`, or if using docker-machine, add `$(docker-machine ip) notary-server`).

-

-```sh

-make binaries

-docker-compose build

-docker-compose up -d

-```

-

-Note: In order to have notary use the local notary server and development root CA we can load the local development configuration by appending `-c cmd/notary/config.json` to every command. If you would rather not have to use `-c` on every command, copy `cmd/notary/config.json and cmd/notary/root-ca.crt` to `~/.notary`.

-

-

-First, let's initiate a notary collection called `example.com/scripts`

+Any security vulnerabilities can be reported to security@docker.com.

-```sh

-notary init example.com/scripts

-```

+# Getting started with the Notary CLI

-Now, look at the keys you created as a result of initialization

-```sh

-notary key list

-```

+Please get the Notary Client CLI binary from [the official releases page](https://github.com/docker/notary/releases) or you can [build one yourself](#building-notary).

+The version of Notary server and signer should be greater than or equal to Notary CLI's version to ensure feature compatibility (ex: CLI version 0.2, server/signer version >= 0.2), and all official releases are associated with GitHub tags.

-Cool, now add a local file `install.sh` and call it `v1`

-```sh

-notary add example.com/scripts v1 install.sh

-```

+To use the Notary CLI with Docker hub images, please have a look at our

+[getting started docs](docs/getting_started.md).

-Wouldn't it be nice if others could know that you've signed this content? Use `publish` to publish your collection to your default notary-server

-```sh

-notary publish example.com/scripts

-```

+For more advanced usage, please see the

+[advanced usage docs](docs/advanced_usage.md).

-Now, others can pull your trusted collection

-```sh

-notary list example.com/scripts

-```

+To use the CLI against a local Notary server rather than against Docker Hub:

-More importantly, they can verify the content of your script by using `notary verify`:

-```sh

-curl example.com/install.sh | notary verify example.com/scripts v1 | sh

-```

+1. Please ensure that you have [docker and docker-compose](http://docs.docker.com/compose/install/) installed.

+1. `git clone https://github.com/docker/notary.git` and from the cloned repository path,

+    start up a local Notary server and signer and copy the config file and testing certs to your

+    local notary config directory:

-# Notary Server

+    ```sh

+    $ docker-compose build

+    $ docker-compose up -d

+    $ mkdir -p ~/.notary && cp cmd/notary/config.json cmd/notary/root-ca.crt ~/.notary

+    ```

-Notary Server manages TUF data over an HTTP API compatible with the

-[notary client](cmd/notary).

+1. Add `127.0.0.1 notary-server` to your `/etc/hosts`, or if using docker-machine,

+    add `$(docker-machine ip) notary-server`).

-It may be configured to use either JWT or HTTP Basic Auth for authentication.

-Currently it only supports MySQL for storage of the TUF data, we intend to

-expand this to other storage options.

+You can run through the examples in the

+[getting started docs](docs/getting_started.md) and

+[advanced usage docs](docs/advanced_usage.md), but

+without the `-s` (server URL) argument to the `notary` command since the server

+URL is specified already in the configuration, file you copied.

-## Setup for Development

+You can also leave off the `-d ~/.docker/trust` argument if you do not care

+to use `notary` with Docker images.

-The notary repository comes with Dockerfiles and a docker-compose file

-to facilitate development. Simply run the following commands to start

-a notary server with a temporary MySQL database in containers:

-```

-$ docker-compose build

-$ docker-compose up

-```

-

-If you are on Mac OSX with boot2docker or kitematic, you'll need to

-update your hosts file such that the name `notary` is associated with

-the IP address of your VM (for boot2docker, this can be determined

-by running `boot2docker ip`, with kitematic, `echo $DOCKER_HOST` should

-show the IP of the VM). If you are using the default Linux setup,

-you need to add `127.0.0.1 notary` to your hosts file.

-

-## Successfully connecting over TLS

-

-By default notary-server runs with TLS with certificates signed by a local

-CA. In order to be able to successfully connect to it using

-either `curl` or `openssl`, you will have to use the root CA file in `fixtures/root-ca.crt`.

-

-OpenSSL example:

-

-`openssl s_client -connect notary-server:4443 -CAfile fixtures/root-ca.crt`

-

-## Compiling Notary Server

+## Building Notary

 Prerequisites:

-- Go = 1.5.1

+- Go >= 1.6.1

 - [godep](https://github.com/tools/godep) installed

 - libtool development headers installed

+    - Ubuntu: `apt-get install libtool-dev`

+    - CentOS/RedHat: `yum install libtool-ltdl-devel`

+    - Mac OS ([Homebrew](http://brew.sh/)): `brew install libtool`

-Install dependencies by running `godep restore`.

-

-From the root of this git repository, run `make binaries`. This will

-compile the `notary`, `notary-server`, and `notary-signer` applications and

-place them in a `bin` directory at the root of the git repository (the `bin`

-directory is ignored by the .gitignore file).

-

-`notary-signer` depends upon `pkcs11`, which requires that libtool headers be installed (`libtool-dev` on Ubuntu, `libtool-ltdl-devel` on CentOS/RedHat). If you are using Mac OS, you can `brew install libtool`, and run `make binaries` with the following environment variables (assuming a standard installation of Homebrew):

-

-```sh

-export CPATH=/usr/local/include:${CPATH}

-export LIBRARY_PATH=/usr/local/lib:${LIBRARY_PATH}

-```

-

-## Running Notary Server

-

-The `notary-server` application has the following usage:

-

-```

-$ bin/notary-server --help

-usage: bin/notary-serve

-  -config="": Path to configuration file

-  -debug=false: Enable the debugging server on localhost:8080

-```

-

-## Configuring Notary Server

-

-The configuration file must be a json file with the following format:

-

-```json

-{

-    "server": {

-        "addr": ":4443",

-        "tls_cert_file": "./fixtures/notary-server.crt",

-        "tls_key_file": "./fixtures/notary-server.key"

-    },

-    "logging": {

-        "level": 5

-    }

-}

-```

-

-The pem and key provided in fixtures are purely for local development and

-testing. For production, you must create your own keypair and certificate,

-either via the CA of your choice, or a self signed certificate.

-

-If using the pem and key provided in fixtures, either:

-- Add `fixtures/root-ca.crt` to your trusted root certificates

-- Use the default configuration for notary client that loads the CA root for you by using the flag `-c ./cmd/notary/config.json`

-- Disable TLS verification by adding the following option notary configuration file in `~/.notary/config.json`:

-

-            "skipTLSVerify": true

-

-Otherwise, you will see TLS errors or X509 errors upon initializing the

-notary collection:

-

-```

-$ notary list diogomonica.com/openvpn

-* fatal: Get https://notary-server:4443/v2/: x509: certificate signed by unknown authority

-$ notary list diogomonica.com/openvpn -c cmd/notary/config.json

-latest b1df2ad7cbc19f06f08b69b4bcd817649b509f3e5420cdd2245a85144288e26d 4056

-```

+Run `make binaries`, which creates the Notary Client CLI binary at `bin/notary`.

deleted file mode 100644

@@ -1,280 +0,0 @@

-package certs

-

-import (

-	"crypto/x509"

-	"errors"

-	"fmt"

-	"time"

-

-	"github.com/Sirupsen/logrus"

-	"github.com/docker/notary/trustmanager"

-	"github.com/docker/notary/tuf/data"

-	"github.com/docker/notary/tuf/signed"

-)

-

-// ErrValidationFail is returned when there is no valid trusted certificates

-// being served inside of the roots.json

-type ErrValidationFail struct {

-	Reason string

-}

-

-// ErrValidationFail is returned when there is no valid trusted certificates

-// being served inside of the roots.json

-func (err ErrValidationFail) Error() string {

-	return fmt.Sprintf("could not validate the path to a trusted root: %s", err.Reason)

-}

-

-// ErrRootRotationFail is returned when we fail to do a full root key rotation

-// by either failing to add the new root certificate, or delete the old ones

-type ErrRootRotationFail struct {

-	Reason string

-}

-

-// ErrRootRotationFail is returned when we fail to do a full root key rotation

-// by either failing to add the new root certificate, or delete the old ones

-func (err ErrRootRotationFail) Error() string {

-	return fmt.Sprintf("could not rotate trust to a new trusted root: %s", err.Reason)

-}

-

-/*

-ValidateRoot receives a new root, validates its correctness and attempts to

-do root key rotation if needed.

-

-First we list the current trusted certificates we have for a particular GUN. If

-that list is non-empty means that we've already seen this repository before, and

-have a list of trusted certificates for it. In this case, we use this list of

-certificates to attempt to validate this root file.

-

-If the previous validation succeeds, or in the case where we found no trusted

-certificates for this particular GUN, we check the integrity of the root by

-making sure that it is validated by itself. This means that we will attempt to

-validate the root data with the certificates that are included in the root keys

-themselves.

-

-If this last steps succeeds, we attempt to do root rotation, by ensuring that

-we only trust the certificates that are present in the new root.

-

-This mechanism of operation is essentially Trust On First Use (TOFU): if we

-have never seen a certificate for a particular CN, we trust it. If later we see

-a different certificate for that certificate, we return an ErrValidationFailed error.

-

-Note that since we only allow trust data to be downloaded over an HTTPS channel

-we are using the current public PKI to validate the first download of the certificate

-adding an extra layer of security over the normal (SSH style) trust model.

-We shall call this: TOFUS.

-*/

-func ValidateRoot(certStore trustmanager.X509Store, root *data.Signed, gun string) error {

-	logrus.Debugf("entered ValidateRoot with dns: %s", gun)

-	signedRoot, err := data.RootFromSigned(root)

-	if err != nil {

-		return err

-	}

-

-	// Retrieve all the leaf certificates in root for which the CN matches the GUN

-	allValidCerts, err := validRootLeafCerts(signedRoot, gun)

-	if err != nil {

-		logrus.Debugf("error retrieving valid leaf certificates for: %s, %v", gun, err)

-		return &ErrValidationFail{Reason: "unable to retrieve valid leaf certificates"}

-	}

-

-	// Retrieve all the trusted certificates that match this gun

-	certsForCN, err := certStore.GetCertificatesByCN(gun)

-	if err != nil {

-		// If the error that we get back is different than ErrNoCertificatesFound

-		// we couldn't check if there are any certificates with this CN already

-		// trusted. Let's take the conservative approach and return a failed validation

-		if _, ok := err.(*trustmanager.ErrNoCertificatesFound); !ok {

-			logrus.Debugf("error retrieving trusted certificates for: %s, %v", gun, err)

-			return &ErrValidationFail{Reason: "unable to retrieve trusted certificates"}

-		}

-	}

-

-	// If we have certificates that match this specific GUN, let's make sure to

-	// use them first to validate that this new root is valid.

-	if len(certsForCN) != 0 {

-		logrus.Debugf("found %d valid root certificates for %s", len(certsForCN), gun)

-		err = signed.VerifyRoot(root, 0, trustmanager.CertsToKeys(certsForCN))

-		if err != nil {

-			logrus.Debugf("failed to verify TUF data for: %s, %v", gun, err)

-			return &ErrValidationFail{Reason: "failed to validate data with current trusted certificates"}

-		}

-	} else {

-		logrus.Debugf("found no currently valid root certificates for %s", gun)

-	}

-

-	// Validate the integrity of the new root (does it have valid signatures)

-	err = signed.VerifyRoot(root, 0, trustmanager.CertsToKeys(allValidCerts))

-	if err != nil {

-		logrus.Debugf("failed to verify TUF data for: %s, %v", gun, err)

-		return &ErrValidationFail{Reason: "failed to validate integrity of roots"}

-	}

-

-	// Getting here means A) we had trusted certificates and both the

-	// old and new validated this root; or B) we had no trusted certificates but

-	// the new set of certificates has integrity (self-signed)

-	logrus.Debugf("entering root certificate rotation for: %s", gun)

-

-	// Do root certificate rotation: we trust only the certs present in the new root

-	// First we add all the new certificates (even if they already exist)

-	for _, cert := range allValidCerts {

-		err := certStore.AddCert(cert)

-		if err != nil {

-			// If the error is already exists we don't fail the rotation

-			if _, ok := err.(*trustmanager.ErrCertExists); ok {

-				logrus.Debugf("ignoring certificate addition to: %s", gun)

-				continue

-			}

-			logrus.Debugf("error adding new trusted certificate for: %s, %v", gun, err)

-		}

-	}

-

-	// Now we delete old certificates that aren't present in the new root

-	for certID, cert := range certsToRemove(certsForCN, allValidCerts) {

-		logrus.Debugf("removing certificate with certID: %s", certID)

-		err = certStore.RemoveCert(cert)

-		if err != nil {

-			logrus.Debugf("failed to remove trusted certificate with keyID: %s, %v", certID, err)

-			return &ErrRootRotationFail{Reason: "failed to rotate root keys"}

-		}

-	}

-

-	logrus.Debugf("Root validation succeeded for %s", gun)

-	return nil

-}

-

-// validRootLeafCerts returns a list of non-exipired, non-sha1 certificates whose

-// Common-Names match the provided GUN

-func validRootLeafCerts(root *data.SignedRoot, gun string) ([]*x509.Certificate, error) {

-	// Get a list of all of the leaf certificates present in root

-	allLeafCerts, _ := parseAllCerts(root)

-	var validLeafCerts []*x509.Certificate

-

-	// Go through every leaf certificate and check that the CN matches the gun

-	for _, cert := range allLeafCerts {

-		// Validate that this leaf certificate has a CN that matches the exact gun

-		if cert.Subject.CommonName != gun {

-			logrus.Debugf("error leaf certificate CN: %s doesn't match the given GUN: %s",

-				cert.Subject.CommonName, gun)

-			continue

-		}

-		// Make sure the certificate is not expired

-		if time.Now().After(cert.NotAfter) {

-			logrus.Debugf("error leaf certificate is expired")

-			continue

-		}

-

-		// We don't allow root certificates that use SHA1

-		if cert.SignatureAlgorithm == x509.SHA1WithRSA ||

-			cert.SignatureAlgorithm == x509.DSAWithSHA1 ||

-			cert.SignatureAlgorithm == x509.ECDSAWithSHA1 {

-

-			logrus.Debugf("error certificate uses deprecated hashing algorithm (SHA1)")

-			continue

-		}

-

-		validLeafCerts = append(validLeafCerts, cert)

-	}

-

-	if len(validLeafCerts) < 1 {

-		logrus.Debugf("didn't find any valid leaf certificates for %s", gun)

-		return nil, errors.New("no valid leaf certificates found in any of the root keys")

-	}

-

-	logrus.Debugf("found %d valid leaf certificates for %s", len(validLeafCerts), gun)

-	return validLeafCerts, nil

-}

-

-// parseAllCerts returns two maps, one with all of the leafCertificates and one

-// with all the intermediate certificates found in signedRoot

-func parseAllCerts(signedRoot *data.SignedRoot) (map[string]*x509.Certificate, map[string][]*x509.Certificate) {

-	leafCerts := make(map[string]*x509.Certificate)

-	intCerts := make(map[string][]*x509.Certificate)

-

-	// Before we loop through all root keys available, make sure any exist

-	rootRoles, ok := signedRoot.Signed.Roles["root"]

-	if !ok {

-		logrus.Debugf("tried to parse certificates from invalid root signed data")

-		return nil, nil

-	}

-

-	logrus.Debugf("found the following root keys: %v", rootRoles.KeyIDs)

-	// Iterate over every keyID for the root role inside of roots.json

-	for _, keyID := range rootRoles.KeyIDs {

-		// check that the key exists in the signed root keys map

-		key, ok := signedRoot.Signed.Keys[keyID]

-		if !ok {

-			logrus.Debugf("error while getting data for keyID: %s", keyID)

-			continue

-		}

-

-		// Decode all the x509 certificates that were bundled with this

-		// Specific root key

-		decodedCerts, err := trustmanager.LoadCertBundleFromPEM(key.Public())

-		if err != nil {

-			logrus.Debugf("error while parsing root certificate with keyID: %s, %v", keyID, err)

-			continue

-		}

-

-		// Get all non-CA certificates in the decoded certificates

-		leafCertList := trustmanager.GetLeafCerts(decodedCerts)

-

-		// If we got no leaf certificates or we got more than one, fail

-		if len(leafCertList) != 1 {

-			logrus.Debugf("invalid chain due to leaf certificate missing or too many leaf certificates for keyID: %s", keyID)

-			continue

-		}

-

-		// Get the ID of the leaf certificate

-		leafCert := leafCertList[0]

-		leafID, err := trustmanager.FingerprintCert(leafCert)

-		if err != nil {

-			logrus.Debugf("error while fingerprinting root certificate with keyID: %s, %v", keyID, err)

-			continue

-		}

-

-		// Store the leaf cert in the map

-		leafCerts[leafID] = leafCert

-

-		// Get all the remainder certificates marked as a CA to be used as intermediates

-		intermediateCerts := trustmanager.GetIntermediateCerts(decodedCerts)

-		intCerts[leafID] = intermediateCerts

-	}

-

-	return leafCerts, intCerts

-}

-

-// certsToRemove returns all the certifificates from oldCerts that aren't present

-// in newCerts

-func certsToRemove(oldCerts, newCerts []*x509.Certificate) map[string]*x509.Certificate {

-	certsToRemove := make(map[string]*x509.Certificate)

-

-	// If no newCerts were provided

-	if len(newCerts) == 0 {

-		return certsToRemove

-	}

-

-	// Populate a map with all the IDs from newCert

-	var newCertMap = make(map[string]struct{})

-	for _, cert := range newCerts {

-		certID, err := trustmanager.FingerprintCert(cert)

-		if err != nil {

-			logrus.Debugf("error while fingerprinting root certificate with keyID: %s, %v", certID, err)

-			continue

-		}

-		newCertMap[certID] = struct{}{}

-	}

-

-	// Iterate over all the old certificates and check to see if we should remove them

-	for _, cert := range oldCerts {

-		certID, err := trustmanager.FingerprintCert(cert)

-		if err != nil {

-			logrus.Debugf("error while fingerprinting root certificate with certID: %s, %v", certID, err)

-			continue

-		}

-		if _, ok := newCertMap[certID]; !ok {

-			certsToRemove[certID] = cert

-		}

-	}

-

-	return certsToRemove

-}

@@ -3,10 +3,18 @@ machine:

   pre:

   # Install gvm

     - bash < <(curl -s -S -L https://raw.githubusercontent.com/moovweb/gvm/1.0.22/binscripts/gvm-installer)

+  # Upgrade docker

+    - sudo curl -L -o /usr/bin/docker 'https://s3-external-1.amazonaws.com/circle-downloads/docker-1.9.1-circleci'

+    - sudo chmod 0755 /usr/bin/docker

   post:

   # Install many go versions

-    - gvm install go1.6 -B --name=stable

+    - gvm install go1.6.1 -B --name=stable

+  # upgrade compose

+    - sudo pip install --upgrade docker-compose

+

+  services:

+    - docker

   environment:

   # Convenient shortcuts to "common" locations

@@ -32,16 +40,13 @@ dependencies:

       cp -R "$CHECKOUT" "$BASE_STABLE"

   override:

-  # Install dependencies for every copied clone/go version

-    - gvm use stable && go get github.com/tools/godep:

-        pwd: $BASE_STABLE

-

-  post:

-  # For the stable go version, additionally install linting and misspell tools

+   # don't use circleci's default dependency installation step of `go get -d -u ./...`

+   # since we already vendor everything; additionally install linting and misspell tools

     - >

       gvm use stable &&

       go get github.com/golang/lint/golint &&

       go get -u github.com/client9/misspell/cmd/misspell

+

 test:

   pre:

   # Output the go versions we are going to test

@@ -70,13 +75,13 @@ test:

   override:

   # Test stable, and report

   # hacking this to be parallel

-    - case $CIRCLE_NODE_INDEX in 0) gvm use stable && NOTARY_BUILDTAGS=pkcs11 make ci ;; 1) gvm use stable && NOTARY_BUILDTAGS=none make ci ;; esac:

+    - case $CIRCLE_NODE_INDEX in 0) gvm use stable && NOTARY_BUILDTAGS=pkcs11 make ci ;; 1) gvm use stable && NOTARY_BUILDTAGS=none make ci ;; 2) gvm use stable && make integration ;; esac:

         parallel: true

         timeout: 600

         pwd: $BASE_STABLE

   post:

   # Report to codecov.io

-    - bash <(curl -s https://codecov.io/bash):

+    - case $CIRCLE_NODE_INDEX in 0) bash <(curl -s https://codecov.io/bash) ;; 1) bash <(curl -s https://codecov.io/bash) ;; esac:

         parallel: true

         pwd: $BASE_STABLE

@@ -2,6 +2,7 @@ package client

 import (

 	"bytes"

+	"crypto/x509"

 	"encoding/json"

 	"fmt"

 	"io/ioutil"

@@ -14,10 +15,10 @@ import (

 	"github.com/Sirupsen/logrus"

 	"github.com/docker/notary"

-	"github.com/docker/notary/certs"

 	"github.com/docker/notary/client/changelist"

 	"github.com/docker/notary/cryptoservice"

 	"github.com/docker/notary/trustmanager"

+	"github.com/docker/notary/trustpinning"

 	"github.com/docker/notary/tuf"

 	tufclient "github.com/docker/notary/tuf/client"

 	"github.com/docker/notary/tuf/data"

@@ -87,13 +88,14 @@ type NotaryRepository struct {

 	tufRepo       *tuf.Repo

 	roundTrip     http.RoundTripper

 	CertStore     trustmanager.X509Store

+	trustPinning  trustpinning.TrustPinConfig

 }

 // repositoryFromKeystores is a helper function for NewNotaryRepository that

 // takes some basic NotaryRepository parameters as well as keystores (in order

 // of usage preference), and returns a NotaryRepository.

 func repositoryFromKeystores(baseDir, gun, baseURL string, rt http.RoundTripper,

-	keyStores []trustmanager.KeyStore) (*NotaryRepository, error) {

+	keyStores []trustmanager.KeyStore, trustPin trustpinning.TrustPinConfig) (*NotaryRepository, error) {

 	certPath := filepath.Join(baseDir, notary.TrustedCertsDir)

 	certStore, err := trustmanager.NewX509FilteredFileStore(

@@ -114,6 +116,7 @@ func repositoryFromKeystores(baseDir, gun, baseURL string, rt http.RoundTripper,

 		CryptoService: cryptoService,

 		roundTrip:     rt,

 		CertStore:     certStore,

+		trustPinning:  trustPin,

 	}

 	fileStore, err := store.NewFilesystemStore(

@@ -159,8 +162,29 @@ func NewTarget(targetName string, targetPath string) (*Target, error) {

 	return &Target{Name: targetName, Hashes: meta.Hashes, Length: meta.Length}, nil

 }

+func rootCertKey(gun string, privKey data.PrivateKey) (*x509.Certificate, data.PublicKey, error) {

+	// Hard-coded policy: the generated certificate expires in 10 years.

+	startTime := time.Now()

+	cert, err := cryptoservice.GenerateCertificate(

+		privKey, gun, startTime, startTime.Add(notary.Year*10))

+	if err != nil {

+		return nil, nil, err