@@ -28,9 +28,9 @@ import (

 	"github.com/docker/docker/pkg/tlsconfig"

 	"github.com/docker/docker/registry"

 	"github.com/docker/notary/client"

-	"github.com/docker/notary/pkg/passphrase"

+	"github.com/docker/notary/passphrase"

 	"github.com/docker/notary/trustmanager"

-	"github.com/endophage/gotuf/data"

+	"github.com/docker/notary/tuf/data"

 )

 var untrusted bool

@@ -342,22 +342,6 @@ func (cli *DockerCli) trustedPull(repoInfo *registry.RepositoryInfo, ref registr

 	return nil

 }

-func selectKey(keys map[string]string) string {

-	if len(keys) == 0 {

-		return ""

-	}

-

-	keyIDs := []string{}

-	for k := range keys {

-		keyIDs = append(keyIDs, k)

-	}

-

-	// TODO(dmcgowan): let user choose if multiple keys, now pick consistently

-	sort.Strings(keyIDs)

-

-	return keyIDs[0]

-}

-

 func targetStream(in io.Writer) (io.WriteCloser, <-chan []target) {

 	r, w := io.Pipe()

 	out := io.MultiWriter(in, w)

@@ -454,23 +438,22 @@ func (cli *DockerCli) trustedPush(repoInfo *registry.RepositoryInfo, tag string,

 		return notaryError(err)

 	}

-	ks := repo.KeyStoreManager

-	keys := ks.RootKeyStore().ListKeys()

+	keys := repo.CryptoService.ListKeys(data.CanonicalRootRole)

-	rootKey := selectKey(keys)

-	if rootKey == "" {

-		rootKey, err = ks.GenRootKey("ecdsa")

+	var rootKeyID string

+	// always select the first root key

+	if len(keys) > 0 {

+		sort.Strings(keys)

+		rootKeyID = keys[0]

+	} else {

+		rootPublicKey, err := repo.CryptoService.Create(data.CanonicalRootRole, data.ECDSAKey)

 		if err != nil {

 			return err

 		}

+		rootKeyID = rootPublicKey.ID()

 	}

-	cryptoService, err := ks.GetRootCryptoService(rootKey)

-	if err != nil {

-		return err

-	}

-

-	if err := repo.Initialize(cryptoService); err != nil {

+	if err := repo.Initialize(rootKeyID); err != nil {

 		return notaryError(err)

 	}

 	fmt.Fprintf(cli.out, "Finished initializing %q\n", repoInfo.CanonicalName)

@@ -76,12 +76,16 @@ clean() {

 	local buildTagCombos=(

 		''

 		'experimental'

+		'pkcs11'

 		"$dockerBuildTags"

 		"daemon $dockerBuildTags"

 		"daemon cgo $dockerBuildTags"

 		"experimental $dockerBuildTags"

 		"experimental daemon $dockerBuildTags"

 		"experimental daemon cgo $dockerBuildTags"

+		"pkcs11 $dockerBuildTags"

+		"pkcs11 daemon $dockerBuildTags"

+		"pkcs11 daemon cgo $dockerBuildTags"

 	)

 	echo

@@ -19,7 +19,7 @@ clone git github.com/microsoft/hcsshim de43b42b5ce14dfdcbeedb0628b0032174d89caa

 clone git github.com/mistifyio/go-zfs v2.1.1

 clone git github.com/tchap/go-patricia v2.1.0

 clone git github.com/vdemeester/shakers 3c10293ce22b900c27acad7b28656196fcc2f73b

-clone git golang.org/x/net 3cffabab72adf04f8e3b01c5baf775361837b5fe https://github.com/golang/net.git

+clone git golang.org/x/net 47990a1ba55743e6ef1affd3a14e5bac8553615d https://github.com/golang/net.git

 #get libnetwork packages

 clone git github.com/docker/libnetwork e8ebc0bf6510343c88d162db08b3d855cbbe75b9

@@ -43,8 +43,9 @@ clone git github.com/boltdb/bolt v1.1.0

 clone git github.com/docker/distribution c6c9194e9c6097f84b0ff468a741086ff7704aa3

 clone git github.com/vbatts/tar-split v0.9.10

-clone git github.com/docker/notary 089d8450d8928aa1c58fd03f09cabbde9bcb4590

-clone git github.com/endophage/gotuf 2df1c8e0a7b7e10ae2113bf37aaa1bf1c1de8cc5

+clone git github.com/docker/notary 45de2828b5e0083bfb4e9a5a781eddb05e2ef9d0

+clone git google.golang.org/grpc 174192fc93efcb188fc8f46ca447f0da606b6885 https://github.com/grpc/grpc-go.git

+clone git github.com/miekg/pkcs11 80f102b5cac759de406949c47f0928b99bd64cdf

 clone git github.com/jfrazelle/go v1.5.1-1

 clone git github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c