@@ -895,8 +895,13 @@ func NewDaemonFromDirectory(config *Config, eng *engine.Engine) (*Daemon, error)

 		return nil, err

 	}

+	trustKey, err := api.LoadOrCreateTrustKey(config.TrustKeyPath)

+	if err != nil {

+		return nil, err

+	}

+

 	log.Debugf("Creating repository list")

-	repositories, err := graph.NewTagStore(path.Join(config.Root, "repositories-"+driver.String()), g)

+	repositories, err := graph.NewTagStore(path.Join(config.Root, "repositories-"+driver.String()), g, trustKey)

 	if err != nil {

 		return nil, fmt.Errorf("Couldn't create Tag store: %s", err)

 	}

@@ -961,11 +966,6 @@ func NewDaemonFromDirectory(config *Config, eng *engine.Engine) (*Daemon, error)

 		return nil, err

 	}

-	trustKey, err := api.LoadOrCreateTrustKey(config.TrustKeyPath)

-	if err != nil {

-		return nil, err

-	}

-

 	daemon := &Daemon{

 		ID:             trustKey.PublicKey().KeyID(),

 		repository:     daemonRepo,

@@ -16,6 +16,7 @@ import (

 	"github.com/docker/docker/pkg/archive"

 	"github.com/docker/docker/registry"

 	"github.com/docker/docker/utils"

+	"github.com/docker/libtrust"

 )

 // Retrieve the all the images to be uploaded in the correct order

@@ -308,7 +309,26 @@ func (s *TagStore) CmdPush(job *engine.Job) engine.Status {

 		}

 		if len(manifestBytes) == 0 {

-			// TODO Create manifest and sign

+			mBytes, err := s.newManifest(repoInfo.LocalName, repoInfo.RemoteName, tag)

+			if err != nil {

+				return job.Error(err)

+			}

+			js, err := libtrust.NewJSONSignature(mBytes)

+			if err != nil {

+				return job.Error(err)

+			}

+

+			if err = js.Sign(s.trustKey); err != nil {

+				return job.Error(err)

+			}

+

+			signedBody, err := js.PrettySignature("signatures")

+			if err != nil {

+				return job.Error(err)

+			}

+			log.Infof("Signed manifest using daemon's key: %s", s.trustKey.KeyID())

+

+			manifestBytes = string(signedBody)

 		}

 		manifest, verified, err := s.verifyManifest(job.Eng, []byte(manifestBytes))

@@ -15,6 +15,7 @@ import (

 	"github.com/docker/docker/pkg/parsers"

 	"github.com/docker/docker/registry"

 	"github.com/docker/docker/utils"

+	"github.com/docker/libtrust"

 )

 const DEFAULTTAG = "latest"

@@ -27,6 +28,7 @@ type TagStore struct {

 	path         string

 	graph        *Graph

 	Repositories map[string]Repository

+	trustKey     libtrust.PrivateKey

 	sync.Mutex

 	// FIXME: move push/pull-related fields

 	// to a helper type

@@ -54,7 +56,7 @@ func (r Repository) Contains(u Repository) bool {

 	return true

 }

-func NewTagStore(path string, graph *Graph) (*TagStore, error) {

+func NewTagStore(path string, graph *Graph, key libtrust.PrivateKey) (*TagStore, error) {

 	abspath, err := filepath.Abs(path)

 	if err != nil {

 		return nil, err

@@ -63,6 +65,7 @@ func NewTagStore(path string, graph *Graph) (*TagStore, error) {

 	store := &TagStore{

 		path:         abspath,

 		graph:        graph,

+		trustKey:     key,

 		Repositories: make(map[string]Repository),

 		pullingPool:  make(map[string]chan struct{}),

 		pushingPool:  make(map[string]chan struct{}),

@@ -57,7 +57,7 @@ func mkTestTagStore(root string, t *testing.T) *TagStore {

 	if err != nil {

 		t.Fatal(err)

 	}

-	store, err := NewTagStore(path.Join(root, "tags"), graph)

+	store, err := NewTagStore(path.Join(root, "tags"), graph, nil)

 	if err != nil {

 		t.Fatal(err)

 	}