@@ -171,7 +171,7 @@ RUN set -x \

 	&& rm -rf "$GOPATH"

 # Install notary server

-ENV NOTARY_VERSION v0.2.0

+ENV NOTARY_VERSION docker-v1.11-3

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \

@@ -117,7 +117,7 @@ RUN set -x \

 	&& rm -rf "$GOPATH"

 # Install notary server

-ENV NOTARY_VERSION v0.2.0

+ENV NOTARY_VERSION docker-v1.11-3

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \

@@ -135,7 +135,7 @@ RUN set -x \

 	&& rm -rf "$GOPATH"

 # Install notary server

-ENV NOTARY_VERSION v0.2.0

+ENV NOTARY_VERSION docker-v1.11-3

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \

@@ -127,7 +127,7 @@ RUN set -x \

 	&& rm -rf "$GOPATH"

 # Install notary and notary-server

-ENV NOTARY_VERSION v0.2.0

+ENV NOTARY_VERSION docker-v1.11-3

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \

@@ -108,7 +108,7 @@ RUN set -x \

 	&& rm -rf "$GOPATH"

 # Install notary server

-ENV NOTARY_VERSION v0.2.0

+ENV NOTARY_VERSION docker-v1.11-3

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \

@@ -202,17 +202,17 @@ func convertTarget(t client.Target) (target, error) {

 func (cli *DockerCli) getPassphraseRetriever() passphrase.Retriever {

 	aliasMap := map[string]string{

-		"root":             "root",

-		"snapshot":         "repository",

-		"targets":          "repository",

-		"targets/releases": "repository",

+		"root":     "root",

+		"snapshot": "repository",

+		"targets":  "repository",

+		"default":  "repository",

 	}

 	baseRetriever := passphrase.PromptRetrieverWithInOut(cli.in, cli.out, aliasMap)

 	env := map[string]string{

-		"root":             os.Getenv("DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE"),

-		"snapshot":         os.Getenv("DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE"),

-		"targets":          os.Getenv("DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE"),

-		"targets/releases": os.Getenv("DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE"),

+		"root":     os.Getenv("DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE"),

+		"snapshot": os.Getenv("DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE"),

+		"targets":  os.Getenv("DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE"),

+		"default":  os.Getenv("DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE"),

 	}

 	// Backwards compatibility with old env names. We should remove this in 1.10

@@ -222,11 +222,11 @@ func (cli *DockerCli) getPassphraseRetriever() passphrase.Retriever {

 			fmt.Fprintf(cli.err, "[DEPRECATED] The environment variable DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE has been deprecated and will be removed in v1.10. Please use DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE\n")

 		}

 	}

-	if env["snapshot"] == "" || env["targets"] == "" || env["targets/releases"] == "" {

+	if env["snapshot"] == "" || env["targets"] == "" || env["default"] == "" {

 		if passphrase := os.Getenv("DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE"); passphrase != "" {

 			env["snapshot"] = passphrase

 			env["targets"] = passphrase

-			env["targets/releases"] = passphrase

+			env["default"] = passphrase

 			fmt.Fprintf(cli.err, "[DEPRECATED] The environment variable DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE has been deprecated and will be removed in v1.10. Please use DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE\n")

 		}

 	}

@@ -235,6 +235,10 @@ func (cli *DockerCli) getPassphraseRetriever() passphrase.Retriever {

 		if v := env[alias]; v != "" {

 			return v, numAttempts > 1, nil

 		}

+		// For non-root roles, we can also try the "default" alias if it is specified

+		if v := env["default"]; v != "" && alias != data.CanonicalRootRole {

+			return v, numAttempts > 1, nil

+		}

 		return baseRetriever(keyName, alias, createNew, numAttempts)

 	}

 }

@@ -473,7 +477,7 @@ func (cli *DockerCli) trustedPush(repoInfo *registry.RepositoryInfo, tag string,

 			sort.Strings(keys)

 			rootKeyID = keys[0]

 		} else {

-			rootPublicKey, err := repo.CryptoService.Create(data.CanonicalRootRole, data.ECDSAKey)

+			rootPublicKey, err := repo.CryptoService.Create(data.CanonicalRootRole, "", data.ECDSAKey)

 			if err != nil {

 				return err

 			}

@@ -52,7 +52,7 @@ clone git github.com/docker/distribution d06d6d3b093302c02a93153ac7b06ebc0ffd179

 clone git github.com/vbatts/tar-split v0.9.11

 # get desired notary commit, might also need to be updated in Dockerfile

-clone git github.com/docker/notary v0.2.0

+clone git github.com/docker/notary docker-v1.11-3

 clone git google.golang.org/grpc a22b6611561e9f0a3e0919690dd2caf48f14c517 https://github.com/grpc/grpc-go.git

 clone git github.com/miekg/pkcs11 df8ae6ca730422dba20c768ff38ef7d79077a59f

@@ -232,6 +232,7 @@ func notaryClientEnv(cmd *exec.Cmd) {

 		fmt.Sprintf("NOTARY_ROOT_PASSPHRASE=%s", pwd),

 		fmt.Sprintf("NOTARY_TARGETS_PASSPHRASE=%s", pwd),

 		fmt.Sprintf("NOTARY_SNAPSHOT_PASSPHRASE=%s", pwd),

+		fmt.Sprintf("NOTARY_DELEGATION_PASSPHRASE=%s", pwd),

 	}

 	cmd.Env = append(os.Environ(), env...)

 }

new file mode 100644

@@ -0,0 +1,26 @@

+# Changelog

+

+## [v0.2](https://github.com/docker/notary/releases/tag/v0.2.0) 2/24/2016

++ Add support for delegation roles in `notary` server and client

++ Add `notary CLI` commands for managing delegation roles: `notary delegation`

+    + `add`, `list` and `remove` subcommands

++ Enhance `notary CLI` commands for adding targets to delegation roles

+    + `notary add --roles` and `notary remove --roles` to manipulate targets for delegations

++ Support for rotating the snapshot key to one managed by the `notary` server

++ Add consistent download functionality to download metadata and content by checksum

++ Update `docker-compose` configuration to use official mariadb image

+    + deprecate `notarymysql`

+    + default to using a volume for `data` directory

+    + use separate databases for `notary-server` and `notary-signer` with separate users

++ Add `notary CLI` command for changing private key passphrases: `notary key passwd`

++ Enhance `notary CLI` commands for importing and exporting keys

++ Change default `notary CLI` log level to fatal, introduce new verbose (error-level) and debug-level settings

++ Store roles as PEM headers in private keys, incompatible with previous notary v0.1 key format

+    + No longer store keys as `<KEY_ID>_role.key`, instead store as `<KEY_ID>.key`; new private keys from new notary clients will crash old notary clients

++ Support logging as JSON format on server and signer

++ Support mutual TLS between notary client and notary server

+

+## [v0.1](https://github.com/docker/notary/releases/tag/v0.1) 11/15/2015

++ Initial non-alpha `notary` version

++ Implement TUF (the update framework) with support for root, targets, snapshot, and timestamp roles

++ Add PKCS11 interface to store and sign with keys in HSMs (i.e. Yubikey)

@@ -1,4 +1,4 @@

-FROM golang:1.5.1

+FROM golang:1.6.0

 RUN apt-get update && apt-get install -y \

 	libltdl-dev \

@@ -12,6 +12,4 @@ RUN go get golang.org/x/tools/cmd/vet \

 COPY . /go/src/github.com/docker/notary

-ENV GOPATH /go/src/github.com/docker/notary/Godeps/_workspace:$GOPATH

-

 WORKDIR /go/src/github.com/docker/notary

@@ -20,7 +20,7 @@ GO_EXC = go

 NOTARYDIR := /go/src/github.com/docker/notary

 # check to be sure pkcs11 lib is always imported with a build tag

-GO_LIST_PKCS11 := $(shell go list -e -f '{{join .Deps "\n"}}' ./... | xargs go list -e -f '{{if not .Standard}}{{.ImportPath}}{{end}}' | grep -q pkcs11)

+GO_LIST_PKCS11 := $(shell go list -e -f '{{join .Deps "\n"}}' ./... | grep -v /vendor/ | xargs go list -e -f '{{if not .Standard}}{{.ImportPath}}{{end}}' | grep -q pkcs11)

 ifeq ($(GO_LIST_PKCS11),)

 $(info pkcs11 import was not found anywhere without a build tag, yay)

 else

@@ -34,7 +34,7 @@ _space := $(empty) $(empty)

 COVERDIR=.cover

 COVERPROFILE?=$(COVERDIR)/cover.out

 COVERMODE=count

-PKGS ?= $(shell go list ./... | tr '\n' ' ')

+PKGS ?= $(shell go list ./... | grep -v /vendor/ | tr '\n' ' ')

 GO_VERSION = $(shell go version | awk '{print $$3}')

@@ -79,22 +79,22 @@ ${PREFIX}/bin/static/notary-signer: NOTARY_VERSION $(shell find . -type f -name

 	@godep go build -tags ${NOTARY_BUILDTAGS} -o $@ ${GO_LDFLAGS_STATIC} ./cmd/notary-signer

 endif

-vet: 

+vet:

 	@echo "+ $@"

 ifeq ($(shell uname -s), Darwin)

-	@test -z "$(shell find . -iname *test*.go | grep -v _test.go | grep -v Godeps | xargs echo "This file should end with '_test':"  | tee /dev/stderr)"

+	@test -z "$(shell find . -iname *test*.go | grep -v _test.go | grep -v vendor | xargs echo "This file should end with '_test':"  | tee /dev/stderr)"

 else

-	@test -z "$(shell find . -iname *test*.go | grep -v _test.go | grep -v Godeps | xargs -r echo "This file should end with '_test':"  | tee /dev/stderr)"

+	@test -z "$(shell find . -iname *test*.go | grep -v _test.go | grep -v vendor | xargs -r echo "This file should end with '_test':"  | tee /dev/stderr)"

 endif

-	@test -z "$$(go tool vet -printf=false . 2>&1 | grep -v Godeps/_workspace/src/ | tee /dev/stderr)"

+	@test -z "$$(go tool vet -printf=false . 2>&1 | grep -v vendor/ | tee /dev/stderr)"

 fmt:

 	@echo "+ $@"

-	@test -z "$$(gofmt -s -l .| grep -v .pb. | grep -v Godeps/_workspace/src/ | tee /dev/stderr)"

+	@test -z "$$(gofmt -s -l .| grep -v .pb. | grep -v vendor/ | tee /dev/stderr)"

 lint:

 	@echo "+ $@"

-	@test -z "$$(golint ./... | grep -v .pb. | grep -v Godeps/_workspace/src/ | tee /dev/stderr)"

+	@test -z "$$(golint ./... | grep -v .pb. | grep -v vendor/ | tee /dev/stderr)"

 # Requires that the following:

 # go get -u github.com/client9/misspell/cmd/misspell

@@ -104,27 +104,27 @@ lint:

 # misspell target, don't include Godeps, binaries, python tests, or git files

 misspell:

 	@echo "+ $@"

-	@test -z "$$(find . -name '*' | grep -v Godeps/_workspace/src/ | grep -v bin/ | grep -v misc/ | grep -v .git/ | xargs misspell | tee /dev/stderr)"

+	@test -z "$$(find . -name '*' | grep -v vendor/ | grep -v bin/ | grep -v misc/ | grep -v .git/ | xargs misspell | tee /dev/stderr)"

 build:

 	@echo "+ $@"

-	@go build -tags "${NOTARY_BUILDTAGS}" -v ${GO_LDFLAGS} ./...

+	@go build -tags "${NOTARY_BUILDTAGS}" -v ${GO_LDFLAGS} $(PKGS)

 # When running `go test ./...`, it runs all the suites in parallel, which causes

 # problems when running with a yubikey

 test: TESTOPTS =

-test: 

+test:

 	@echo Note: when testing with a yubikey plugged in, make sure to include 'TESTOPTS="-p 1"'

 	@echo "+ $@ $(TESTOPTS)"

 	@echo

-	go test -tags "${NOTARY_BUILDTAGS}" $(TESTOPTS) ./...

+	go test -tags "${NOTARY_BUILDTAGS}" $(TESTOPTS) $(PKGS)

 test-full: TESTOPTS =

 test-full: vet lint

 	@echo Note: when testing with a yubikey plugged in, make sure to include 'TESTOPTS="-p 1"'

 	@echo "+ $@"

 	@echo

-	go test -tags "${NOTARY_BUILDTAGS}" $(TESTOPTS) -v ./...

+	go test -tags "${NOTARY_BUILDTAGS}" $(TESTOPTS) -v $(PKGS)

 protos:

 	@protoc --go_out=plugins=grpc:. proto/*.proto

@@ -139,7 +139,7 @@ define gocover

 $(GO_EXC) test $(OPTS) $(TESTOPTS) -covermode="$(COVERMODE)" -coverprofile="$(COVERDIR)/$(subst /,-,$(1)).$(subst $(_space),.,$(NOTARY_BUILDTAGS)).coverage.txt" "$(1)" || exit 1;

 endef

-gen-cover: 

+gen-cover:

 	@mkdir -p "$(COVERDIR)"

 	$(foreach PKG,$(PKGS),$(call gocover,$(PKG)))

 	rm -f "$(COVERDIR)"/*testutils*.coverage.txt

@@ -179,7 +179,7 @@ mkdir -p ${PREFIX}/cross/$(1)/$(2);

 GOOS=$(1) GOARCH=$(2) CGO_ENABLED=0 go build -o ${PREFIX}/cross/$(1)/$(2)/notary -a -tags "static_build netgo" -installsuffix netgo ${GO_LDFLAGS_STATIC} ./cmd/notary;

 endef

-cross: 

+cross:

 	$(foreach GOARCH,$(GOARCHS),$(foreach GOOS,$(GOOSES),$(call template,$(GOOS),$(GOARCH))))

@@ -39,14 +39,25 @@ func (err ErrRepoNotInitialized) Error() string {

 }

 // ErrInvalidRemoteRole is returned when the server is requested to manage

-// an unsupported key type

+// a key type that is not permitted

 type ErrInvalidRemoteRole struct {

 	Role string

 }

 func (err ErrInvalidRemoteRole) Error() string {

 	return fmt.Sprintf(

-		"notary does not support the server managing the %s key", err.Role)

+		"notary does not permit the server managing the %s key", err.Role)

+}

+

+// ErrInvalidLocalRole is returned when the client wants to manage

+// a key type that is not permitted

+type ErrInvalidLocalRole struct {

+	Role string

+}

+

+func (err ErrInvalidLocalRole) Error() string {

+	return fmt.Sprintf(

+		"notary does not permit the client managing the %s key", err.Role)

 }

 // ErrRepositoryNotExist is returned when an action is taken on a remote

@@ -93,7 +104,7 @@ func repositoryFromKeystores(baseDir, gun, baseURL string, rt http.RoundTripper,

 		return nil, err

 	}

-	cryptoService := cryptoservice.NewCryptoService(gun, keyStores...)

+	cryptoService := cryptoservice.NewCryptoService(keyStores...)

 	nRepo := &NotaryRepository{

 		gun:           gun,

@@ -140,7 +151,7 @@ func NewTarget(targetName string, targetPath string) (*Target, error) {

 		return nil, err

 	}

-	meta, err := data.NewFileMeta(bytes.NewBuffer(b))

+	meta, err := data.NewFileMeta(bytes.NewBuffer(b), data.NotaryDefaultHashes...)

 	if err != nil {

 		return nil, err

 	}

@@ -223,7 +234,7 @@ func (r *NotaryRepository) Initialize(rootKeyID string, serverManagedRoles ...st

 	// make unnecessary network calls

 	for _, role := range locallyManagedKeys {

 		// This is currently hardcoding the keys to ECDSA.

-		key, err := r.CryptoService.Create(role, data.ECDSAKey)

+		key, err := r.CryptoService.Create(role, r.gun, data.ECDSAKey)

 		if err != nil {

 			return err

 		}

@@ -520,6 +531,25 @@ func (r *NotaryRepository) ListRoles() ([]RoleWithSignatures, error) {

 // Publish pushes the local changes in signed material to the remote notary-server

 // Conceptually it performs an operation similar to a `git rebase`

 func (r *NotaryRepository) Publish() error {

+	cl, err := r.GetChangelist()

+	if err != nil {

+		return err

+	}

+	if err = r.publish(cl); err != nil {

+		return err

+	}

+	if err = cl.Clear(""); err != nil {

+		// This is not a critical problem when only a single host is pushing

+		// but will cause weird behaviour if changelist cleanup is failing

+		// and there are multiple hosts writing to the repo.

+		logrus.Warn("Unable to clear changelist. You may want to manually delete the folder ", filepath.Join(r.tufRepoPath, "changelist"))

+	}

+	return nil

+}

+

+// publish pushes the changes in the given changelist to the remote notary-server

+// Conceptually it performs an operation similar to a `git rebase`

+func (r *NotaryRepository) publish(cl changelist.Changelist) error {

 	var initialPublish bool

 	// update first before publishing

 	_, err := r.Update(true)

@@ -543,15 +573,10 @@ func (r *NotaryRepository) Publish() error {

 			initialPublish = true

 		} else {

 			// We could not update, so we cannot publish.

-			logrus.Error("Could not publish Repository: ", err.Error())

+			logrus.Error("Could not publish Repository since we could not update: ", err.Error())

 			return err

 		}

 	}

-

-	cl, err := r.GetChangelist()

-	if err != nil {

-		return err

-	}

 	// apply the changelist to the repo

 	err = applyChangelist(r.tufRepo, cl)

 	if err != nil {

@@ -622,25 +647,14 @@ func (r *NotaryRepository) Publish() error {

 		return err

 	}

-	err = remote.SetMultiMeta(updatedFiles)

-	if err != nil {

-		return err

-	}

-	err = cl.Clear("")

-	if err != nil {

-		// This is not a critical problem when only a single host is pushing

-		// but will cause weird behaviour if changelist cleanup is failing

-		// and there are multiple hosts writing to the repo.

-		logrus.Warn("Unable to clear changelist. You may want to manually delete the folder ", filepath.Join(r.tufRepoPath, "changelist"))

-	}

-	return nil

+	return remote.SetMultiMeta(updatedFiles)

 }

 // bootstrapRepo loads the repository from the local file system.  This attempts

 // to load metadata for all roles.  Since server snapshots are supported,

 // if the snapshot metadata fails to load, that's ok.

 // This can also be unified with some cache reading tools from tuf/client.

-// This assumes that bootstrapRepo is only used by Publish()

+// This assumes that bootstrapRepo is only used by Publish() or RotateKey()

 func (r *NotaryRepository) bootstrapRepo() error {

 	tufRepo := tuf.NewRepo(r.CryptoService)

@@ -858,37 +872,53 @@ func (r *NotaryRepository) validateRoot(rootJSON []byte) (*data.SignedRoot, erro

 // creates and adds one new key or delegates managing the key to the server.

 // These changes are staged in a changelist until publish is called.

 func (r *NotaryRepository) RotateKey(role string, serverManagesKey bool) error {

-	if role == data.CanonicalRootRole || role == data.CanonicalTimestampRole {

-		return fmt.Errorf(

-			"notary does not currently support rotating the %s key", role)

-	}

-	if serverManagesKey && role == data.CanonicalTargetsRole {

+	switch {

+	// We currently support locally or remotely managing snapshot keys...

+	case role == data.CanonicalSnapshotRole:

+		break

+

+	// locally managing targets keys only

+	case role == data.CanonicalTargetsRole && !serverManagesKey:

+		break

+	case role == data.CanonicalTargetsRole && serverManagesKey:

 		return ErrInvalidRemoteRole{Role: data.CanonicalTargetsRole}

+

+	// and remotely managing timestamp keys only

+	case role == data.CanonicalTimestampRole && serverManagesKey:

+		break

+	case role == data.CanonicalTimestampRole && !serverManagesKey:

+		return ErrInvalidLocalRole{Role: data.CanonicalTimestampRole}

+

+	default:

+		return fmt.Errorf("notary does not currently permit rotating the %s key", role)

 	}

 	var (

-		pubKey data.PublicKey

-		err    error

+		pubKey    data.PublicKey

+		err       error

+		errFmtMsg string

 	)

-	if serverManagesKey {

+	switch serverManagesKey {

+	case true:

 		pubKey, err = getRemoteKey(r.baseURL, r.gun, role, r.roundTrip)

-	} else {

-		pubKey, err = r.CryptoService.Create(role, data.ECDSAKey)

+		errFmtMsg = "unable to rotate remote key: %s"

+	default:

+		pubKey, err = r.CryptoService.Create(role, r.gun, data.ECDSAKey)

+		errFmtMsg = "unable to generate key: %s"

 	}

+

 	if err != nil {

-		return err

+		return fmt.Errorf(errFmtMsg, err)

 	}

-	return r.rootFileKeyChange(role, changelist.ActionCreate, pubKey)

-}

-

-func (r *NotaryRepository) rootFileKeyChange(role, action string, key data.PublicKey) error {

-	cl, err := changelist.NewFileChangelist(filepath.Join(r.tufRepoPath, "changelist"))

-	if err != nil {

+	cl := changelist.NewMemChangelist()

+	if err := r.rootFileKeyChange(cl, role, changelist.ActionCreate, pubKey); err != nil {

 		return err

 	}

-	defer cl.Close()

+	return r.publish(cl)

+}

+func (r *NotaryRepository) rootFileKeyChange(cl changelist.Changelist, role, action string, key data.PublicKey) error {

 	kl := make(data.KeyList, 0, 1)

 	kl = append(kl, key)

 	meta := changelist.TufRootData{

@@ -907,11 +937,7 @@ func (r *NotaryRepository) rootFileKeyChange(role, action string, key data.Publi

 		role,

 		metaJSON,

 	)

-	err = cl.Add(c)

-	if err != nil {

-		return err

-	}

-	return nil

+	return cl.Add(c)

 }

 // DeleteTrustData removes the trust data stored for this repo in the TUF cache and certificate store on the client side

@@ -4,7 +4,6 @@ import (

 	"encoding/json"

 	"fmt"

 	"net/http"

-	"path"

 	"strings"

 	"time"

@@ -130,22 +129,6 @@ func changeTargetsDelegation(repo *tuf.Repo, c changelist.Change) error {

 }

-// applies a function repeatedly, falling back on the parent role, until it no

-// longer can

-func doWithRoleFallback(role string, doFunc func(string) error) error {

-	for role == data.CanonicalTargetsRole || data.IsDelegation(role) {

-		err := doFunc(role)

-		if err == nil {

-			return nil

-		}

-		if _, ok := err.(data.ErrInvalidRole); !ok {

-			return err

-		}

-		role = path.Dir(role)

-	}

-	return data.ErrInvalidRole{Role: role}

-}

-

 func changeTargetMeta(repo *tuf.Repo, c changelist.Change) error {

 	var err error

 	switch c.Action() {

@@ -158,21 +141,16 @@ func changeTargetMeta(repo *tuf.Repo, c changelist.Change) error {

 		}

 		files := data.Files{c.Path(): *meta}

-		err = doWithRoleFallback(c.Scope(), func(role string) error {

-			_, e := repo.AddTargets(role, files)

-			return e

-		})

-		if err != nil {

+		// Attempt to add the target to this role

+		if _, err = repo.AddTargets(c.Scope(), files); err != nil {

 			logrus.Errorf("couldn't add target to %s: %s", c.Scope(), err.Error())

 		}

 	case changelist.ActionDelete:

 		logrus.Debug("changelist remove: ", c.Path())

-		err = doWithRoleFallback(c.Scope(), func(role string) error {

-			return repo.RemoveTargets(role, c.Path())

-		})

-		if err != nil {

+		// Attempt to remove the target from this role

+		if err = repo.RemoveTargets(c.Scope(), c.Path()); err != nil {

 			logrus.Errorf("couldn't remove target from %s: %s", c.Scope(), err.Error())

 		}

@@ -20,6 +20,10 @@ const (

 	PubCertPerms = 0755

 	// Sha256HexSize is how big a Sha256 hex is in number of characters

 	Sha256HexSize = 64

+	// SHA256 is the name of SHA256 hash algorithm

+	SHA256 = "sha256"

+	// SHA512 is the name of SHA512 hash algorithm

+	SHA512 = "sha512"

 	// TrustedCertsDir is the directory, under the notary repo base directory, where trusted certs are stored

 	TrustedCertsDir = "trusted_certificates"

 	// PrivDir is the directory, under the notary repo base directory, where private keys are stored

@@ -38,6 +42,13 @@ const (

 	NotaryTargetsExpiry   = 3 * Year

 	NotarySnapshotExpiry  = 3 * Year

 	NotaryTimestampExpiry = 14 * Day

+

+	ConsistentMetadataCacheMaxAge = 30 * Day

+	CurrentMetadataCacheMaxAge    = 5 * time.Minute

+	// CacheMaxAgeLimit is the generally recommended maximum age for Cache-Control headers

+	// (one year, in seconds, since one year is forever in terms of internet

+	// content)

+	CacheMaxAgeLimit = 1 * Year

 )

 // NotaryDefaultExpiries is the construct used to configure the default expiry times of

@@ -5,6 +5,6 @@

 # subpackage's dependencies within the containing package, as well as the

 # subpackage itself.

-DEPENDENCIES="$(go list -f $'{{range $f := .Deps}}{{$f}}\n{{end}}' ${1} | grep ${2})"

+DEPENDENCIES="$(go list -f $'{{range $f := .Deps}}{{$f}}\n{{end}}' ${1} | grep ${2} | grep -v ${2}/vendor)"

 echo "${1} ${DEPENDENCIES}" | xargs echo -n | tr ' ' ','

@@ -3,7 +3,6 @@ package cryptoservice

 import (

 	"crypto/rand"

 	"fmt"

-	"path/filepath"

 	"github.com/Sirupsen/logrus"

 	"github.com/docker/notary/trustmanager"

@@ -17,17 +16,16 @@ const (

 // CryptoService implements Sign and Create, holding a specific GUN and keystore to

 // operate on

 type CryptoService struct {

-	gun       string

 	keyStores []trustmanager.KeyStore

 }

 // NewCryptoService returns an instance of CryptoService

-func NewCryptoService(gun string, keyStores ...trustmanager.KeyStore) *CryptoService {

-	return &CryptoService{gun: gun, keyStores: keyStores}

+func NewCryptoService(keyStores ...trustmanager.KeyStore) *CryptoService {

+	return &CryptoService{keyStores: keyStores}

 }

 // Create is used to generate keys for targets, snapshots and timestamps

-func (cs *CryptoService) Create(role, algorithm string) (data.PublicKey, error) {

+func (cs *CryptoService) Create(role, gun, algorithm string) (data.PublicKey, error) {

 	var privKey data.PrivateKey

 	var err error

@@ -52,16 +50,9 @@ func (cs *CryptoService) Create(role, algorithm string) (data.PublicKey, error)

 	}

 	logrus.Debugf("generated new %s key for role: %s and keyID: %s", algorithm, role, privKey.ID())

-	// Store the private key into our keystore with the name being: /GUN/ID.key with an alias of role

-	var keyPath string

-	if role == data.CanonicalRootRole {

-		keyPath = privKey.ID()

-	} else {

-		keyPath = filepath.Join(cs.gun, privKey.ID())

-	}

-

+	// Store the private key into our keystore

 	for _, ks := range cs.keyStores {

-		err = ks.AddKey(keyPath, role, privKey)

+		err = ks.AddKey(trustmanager.KeyInfo{Role: role, Gun: gun}, privKey)

 		if err == nil {

 			return data.PublicKeyFromPrivate(privKey), nil

 		}

@@ -74,23 +65,16 @@ func (cs *CryptoService) Create(role, algorithm string) (data.PublicKey, error)

 }

 // GetPrivateKey returns a private key and role if present by ID.

-// It tries to get the key first without a GUN (in which case it's a root key).

-// If that fails, try to get the key with the GUN (non-root key).

-// If that fails, then we don't have the key.

 func (cs *CryptoService) GetPrivateKey(keyID string) (k data.PrivateKey, role string, err error) {

-	keyPaths := []string{keyID, filepath.Join(cs.gun, keyID)}

 	for _, ks := range cs.keyStores {

-		for _, keyPath := range keyPaths {

-			k, role, err = ks.GetKey(keyPath)

-			if err == nil {

-				return

-			}

-			switch err.(type) {

-			case trustmanager.ErrPasswordInvalid, trustmanager.ErrAttemptsExceeded:

-				return

-			default:

-				continue

-			}

+		if k, role, err = ks.GetKey(keyID); err == nil {

+			return

+		}

+		switch err.(type) {

+		case trustmanager.ErrPasswordInvalid, trustmanager.ErrAttemptsExceeded:

+			return

+		default:

+			continue

 		}

 	}

 	return // returns whatever the final values were

@@ -105,12 +89,42 @@ func (cs *CryptoService) GetKey(keyID string) data.PublicKey {

 	return data.PublicKeyFromPrivate(privKey)

 }

+// GetKeyInfo returns role and GUN info of a key by ID

+func (cs *CryptoService) GetKeyInfo(keyID string) (trustmanager.KeyInfo, error) {

+	for _, store := range cs.keyStores {

+		if info, err := store.GetKeyInfo(keyID); err == nil {

+			return info, nil

+		}

+	}

+	return trustmanager.KeyInfo{}, fmt.Errorf("Could not find info for keyID %s", keyID)

+}

+

 // RemoveKey deletes a key by ID

 func (cs *CryptoService) RemoveKey(keyID string) (err error) {

-	keyPaths := []string{keyID, filepath.Join(cs.gun, keyID)}

 	for _, ks := range cs.keyStores {

-		for _, keyPath := range keyPaths {

-			ks.RemoveKey(keyPath)

+		ks.RemoveKey(keyID)

+	}

+	return // returns whatever the final values were

+}

+

+// AddKey adds a private key to a specified role.

+// The GUN is inferred from the cryptoservice itself for non-root roles

+func (cs *CryptoService) AddKey(role, gun string, key data.PrivateKey) (err error) {

+	// First check if this key already exists in any of our keystores

+	for _, ks := range cs.keyStores {

+		if keyInfo, err := ks.GetKeyInfo(key.ID()); err == nil {

+			if keyInfo.Role != role {

+				return fmt.Errorf("key with same ID already exists for role: %s", keyInfo.Role)

+			}

+			logrus.Debugf("key with same ID %s and role %s already exists", key.ID(), keyInfo.Role)

+			return nil

+		}

+	}

+	// If the key didn't exist in any of our keystores, add and return on the first successful keystore

+	for _, ks := range cs.keyStores {

+		// Try to add to this keystore, return if successful

+		if err = ks.AddKey(trustmanager.KeyInfo{Role: role, Gun: gun}, key); err == nil {

+			return nil

 		}

 	}

 	return // returns whatever the final values were

@@ -121,7 +135,7 @@ func (cs *CryptoService) ListKeys(role string) []string {

 	var res []string

 	for _, ks := range cs.keyStores {

 		for k, r := range ks.ListKeys() {

-			if r == role {

+			if r.Role == role {

 				res = append(res, k)

 			}

 		}

@@ -134,7 +148,7 @@ func (cs *CryptoService) ListAllKeys() map[string]string {

 	res := make(map[string]string)

 	for _, ks := range cs.keyStores {

 		for k, r := range ks.ListKeys() {

-			res[k] = r // keys are content addressed so don't care about overwrites

+			res[k] = r.Role // keys are content addressed so don't care about overwrites

 		}

 	}

 	return res

@@ -11,10 +11,8 @@ import (

 	"path/filepath"

 	"strings"

-	"github.com/docker/notary"

 	"github.com/docker/notary/passphrase"

 	"github.com/docker/notary/trustmanager"

-	"github.com/docker/notary/tuf/data"

 )

 const zipMadeByUNIX = 3 << 8

@@ -41,9 +39,6 @@ func (cs *CryptoService) ExportKey(dest io.Writer, keyID, role string) error {

 		err      error

 	)

-	if role != data.CanonicalRootRole {

-		keyID = filepath.Join(cs.gun, keyID)

-	}

 	for _, ks := range cs.keyStores {

 		pemBytes, err = ks.ExportKey(keyID)

 		if err != nil {

@@ -67,7 +62,12 @@ func (cs *CryptoService) ExportKey(dest io.Writer, keyID, role string) error {

 // ExportKeyReencrypt exports the specified private key to an io.Writer in

 // PEM format. The key is reencrypted with a new passphrase.

 func (cs *CryptoService) ExportKeyReencrypt(dest io.Writer, keyID string, newPassphraseRetriever passphrase.Retriever) error {

-	privateKey, role, err := cs.GetPrivateKey(keyID)

+	privateKey, _, err := cs.GetPrivateKey(keyID)

+	if err != nil {

+		return err

+	}

+

+	keyInfo, err := cs.GetKeyInfo(keyID)

 	if err != nil {

 		return err

 	}

@@ -81,7 +81,7 @@ func (cs *CryptoService) ExportKeyReencrypt(dest io.Writer, keyID string, newPas

 		return err

 	}

-	err = tempKeyStore.AddKey(keyID, role, privateKey)

+	err = tempKeyStore.AddKey(keyInfo, privateKey)

 	if err != nil {

 		return err

 	}

@@ -100,56 +100,6 @@ func (cs *CryptoService) ExportKeyReencrypt(dest io.Writer, keyID string, newPas

 	return nil

 }

-// ImportRootKey imports a root in PEM format key from an io.Reader

-// It prompts for the key's passphrase to verify the data and to determine

-// the key ID.

-func (cs *CryptoService) ImportRootKey(source io.Reader) error {

-	pemBytes, err := ioutil.ReadAll(source)

-	if err != nil {

-		return err

-	}

-	return cs.ImportRoleKey(pemBytes, data.CanonicalRootRole, nil)

-}

-

-// ImportRoleKey imports a private key in PEM format key from a byte array

-// It prompts for the key's passphrase to verify the data and to determine

-// the key ID.

-func (cs *CryptoService) ImportRoleKey(pemBytes []byte, role string, newPassphraseRetriever passphrase.Retriever) error {

-	var alias string

-	var err error

-	if role == data.CanonicalRootRole {

-		alias = role

-		if err = checkRootKeyIsEncrypted(pemBytes); err != nil {

-			return err

-		}

-	} else {

-		// Parse the private key to get the key ID so that we can import it to the correct location

-		privKey, err := trustmanager.ParsePEMPrivateKey(pemBytes, "")

-		if err != nil {

-			privKey, _, err = trustmanager.GetPasswdDecryptBytes(newPassphraseRetriever, pemBytes, role, string(role))

-			if err != nil {

-				return err

-			}

-		}

-		// Since we're importing a non-root role, we need to pass the path as an alias

-		alias = filepath.Join(notary.NonRootKeysSubdir, cs.gun, privKey.ID())

-		// We also need to ensure that the role is properly set in the PEM headers

-		pemBytes, err = trustmanager.KeyToPEM(privKey, role)

-		if err != nil {

-			return err

-		}

-	}

-

-	for _, ks := range cs.keyStores {

-		// don't redeclare err, we want the value carried out of the loop

-		if err = ks.ImportKey(pemBytes, alias); err == nil {

-			return nil //bail on the first keystore we import to

-		}

-	}

-

-	return err

-}

-

 // ExportAllKeys exports all keys to an io.Writer in zip format.

 // newPassphraseRetriever will be used to obtain passphrases to use to encrypt the existing keys.

 func (cs *CryptoService) ExportAllKeys(dest io.Writer, newPassphraseRetriever passphrase.Retriever) error {

@@ -182,7 +132,7 @@ func (cs *CryptoService) ExportAllKeys(dest io.Writer, newPassphraseRetriever pa

 // ImportKeysZip imports keys from a zip file provided as an zip.Reader. The

 // keys in the root_keys directory are left encrypted, but the other keys are

 // decrypted with the specified passphrase.

-func (cs *CryptoService) ImportKeysZip(zipReader zip.Reader) error {

+func (cs *CryptoService) ImportKeysZip(zipReader zip.Reader, retriever passphrase.Retriever) error {

 	// Temporarily store the keys in maps, so we can bail early if there's

 	// an error (for example, wrong passphrase), without leaving the key

 	// store in an inconsistent state

@@ -191,7 +141,6 @@ func (cs *CryptoService) ImportKeysZip(zipReader zip.Reader) error {

 	// Iterate through the files in the archive. Don't add the keys

 	for _, f := range zipReader.File {

 		fNameTrimmed := strings.TrimSuffix(f.Name, filepath.Ext(f.Name))

-

 		rc, err := f.Open()

 		if err != nil {

 			return err

@@ -206,7 +155,7 @@ func (cs *CryptoService) ImportKeysZip(zipReader zip.Reader) error {

 		// Note that using / as a separator is okay here - the zip

 		// package guarantees that the separator will be /

 		if fNameTrimmed[len(fNameTrimmed)-5:] == "_root" {

-			if err = checkRootKeyIsEncrypted(fileBytes); err != nil {

+			if err = CheckRootKeyIsEncrypted(fileBytes); err != nil {

 				return err

 			}

 		}

@@ -214,22 +163,21 @@ func (cs *CryptoService) ImportKeysZip(zipReader zip.Reader) error {

 	}

 	for keyName, pemBytes := range newKeys {

-		if keyName[len(keyName)-5:] == "_root" {

-			keyName = "root"

+		// Get the key role information as well as its data.PrivateKey representation

+		_, keyInfo, err := trustmanager.KeyInfoFromPEM(pemBytes, keyName)

+		if err != nil {

+			return err

 		}

-		// try to import the key to all key stores. As long as one of them

-		// succeeds, consider it a success

-		var tmpErr error

-		for _, ks := range cs.keyStores {

-			if err := ks.ImportKey(pemBytes, keyName); err != nil {

-				tmpErr = err

-			} else {

-				tmpErr = nil

-				break

+		privKey, err := trustmanager.ParsePEMPrivateKey(pemBytes, "")

+		if err != nil {

+			privKey, _, err = trustmanager.GetPasswdDecryptBytes(retriever, pemBytes, "", "imported "+keyInfo.Role)

+			if err != nil {

+				return err

 			}

 		}

-		if tmpErr != nil {

-			return tmpErr

+		// Add the key to our cryptoservice, will add to the first successful keystore

+		if err = cs.AddKey(keyInfo.Role, keyInfo.Gun, privKey); err != nil {

+			return err

 		}