@@ -137,7 +137,7 @@ RUN set -x \

 	&& rm -rf "$GOPATH"

 # Install notary server

-ENV NOTARY_COMMIT 77bced079e83d80f40c1f0a544b1a8a3b97fb052

+ENV NOTARY_COMMIT 8e8122eb5528f621afcd4e2854c47302f17392f7

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \

@@ -39,8 +39,8 @@ clone git github.com/hashicorp/consul v0.5.2

 clone git github.com/docker/distribution 7dc8d4a26b689bd4892f2f2322dbce0b7119d686

 clone git github.com/vbatts/tar-split v0.9.4

-clone git github.com/docker/notary 77bced079e83d80f40c1f0a544b1a8a3b97fb052

-clone git github.com/endophage/gotuf 374908abc8af7e953a2813c5c2b3944ab625ca68

+clone git github.com/docker/notary 8e8122eb5528f621afcd4e2854c47302f17392f7

+clone git github.com/endophage/gotuf 89ceb27829b9353dfee5ccccf7a3a9bb77008b05

 clone git github.com/tent/canonical-json-go 96e4ba3a7613a1216cbd1badca4efe382adea337

 clone git github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c

@@ -186,7 +186,7 @@ Apache License

       same "printed page" as the copyright notice for easier

       identification within third-party archives.

-   Copyright {yyyy} {name of copyright owner}

+   Copyright 2015 Docker, Inc.

    Licensed under the Apache License, Version 2.0 (the "License");

    you may not use this file except in compliance with the License.

@@ -1,9 +1,19 @@

 package changelist

+// Scopes for TufChanges are simply the TUF roles.

+// Unfortunately because of targets delegations, we can only

+// cover the base roles.

+const (

+	ScopeRoot      = "root"

+	ScopeTargets   = "targets"

+	ScopeSnapshot  = "snapshot"

+	ScopeTimestamp = "timestamp"

+)

+

 // TufChange represents a change to a TUF repo

 type TufChange struct {

 	// Abbreviated because Go doesn't permit a field and method of the same name

-	Actn       int    `json:"action"`

+	Actn       string `json:"action"`

 	Role       string `json:"role"`

 	ChangeType string `json:"type"`

 	ChangePath string `json:"path"`

@@ -11,7 +21,7 @@ type TufChange struct {

 }

 // NewTufChange initializes a tufChange object

-func NewTufChange(action int, role, changeType, changePath string, content []byte) *TufChange {

+func NewTufChange(action string, role, changeType, changePath string, content []byte) *TufChange {

 	return &TufChange{

 		Actn:       action,

 		Role:       role,

@@ -22,7 +32,7 @@ func NewTufChange(action int, role, changeType, changePath string, content []byt

 }

 // Action return c.Actn

-func (c TufChange) Action() int {

+func (c TufChange) Action() string {

 	return c.Actn

 }

@@ -5,6 +5,11 @@ type memChangelist struct {

 	changes []Change

 }

+// NewMemChangelist instantiates a new in-memory changelist

+func NewMemChangelist() Changelist {

+	return &memChangelist{}

+}

+

 // List returns a list of Changes

 func (cl memChangelist) List() []Change {

 	return cl.changes

new file mode 100644

@@ -0,0 +1,114 @@

+package changelist

+

+import (

+	"encoding/json"

+	"fmt"

+	"io/ioutil"

+	"os"

+	"path"

+	"sort"

+	"time"

+

+	"github.com/Sirupsen/logrus"

+	"github.com/docker/distribution/uuid"

+)

+

+// FileChangelist stores all the changes as files

+type FileChangelist struct {

+	dir string

+}

+

+// NewFileChangelist is a convenience method for returning FileChangeLists

+func NewFileChangelist(dir string) (*FileChangelist, error) {

+	logrus.Debug("Making dir path: ", dir)

+	err := os.MkdirAll(dir, 0700)

+	if err != nil {

+		return nil, err

+	}

+	return &FileChangelist{dir: dir}, nil

+}

+

+// List returns a list of sorted changes

+func (cl FileChangelist) List() []Change {

+	var changes []Change

+	dir, err := os.Open(cl.dir)

+	if err != nil {

+		return changes

+	}

+	defer dir.Close()

+	fileInfos, err := dir.Readdir(0)

+	if err != nil {

+		return changes

+	}

+	sort.Sort(fileChanges(fileInfos))

+	for _, f := range fileInfos {

+		if f.IsDir() {

+			continue

+		}

+		raw, err := ioutil.ReadFile(path.Join(cl.dir, f.Name()))

+		if err != nil {

+			logrus.Warn(err.Error())

+			continue

+		}

+		c := &TufChange{}

+		err = json.Unmarshal(raw, c)

+		if err != nil {

+			logrus.Warn(err.Error())

+			continue

+		}

+		changes = append(changes, c)

+	}

+	return changes

+}

+

+// Add adds a change to the file change list

+func (cl FileChangelist) Add(c Change) error {

+	cJSON, err := json.Marshal(c)

+	if err != nil {

+		return err

+	}

+	filename := fmt.Sprintf("%020d_%s.change", time.Now().UnixNano(), uuid.Generate())

+	return ioutil.WriteFile(path.Join(cl.dir, filename), cJSON, 0644)

+}

+

+// Clear clears the change list

+func (cl FileChangelist) Clear(archive string) error {

+	dir, err := os.Open(cl.dir)

+	if err != nil {

+		return err

+	}

+	defer dir.Close()

+	files, err := dir.Readdir(0)

+	if err != nil {

+		return err

+	}

+	for _, f := range files {

+		os.Remove(path.Join(cl.dir, f.Name()))

+	}

+	return nil

+}

+

+// Close is a no-op

+func (cl FileChangelist) Close() error {

+	// Nothing to do here

+	return nil

+}

+

+type fileChanges []os.FileInfo

+

+// Len returns the length of a file change list

+func (cs fileChanges) Len() int {

+	return len(cs)

+}

+

+// Less compares the names of two different file changes

+func (cs fileChanges) Less(i, j int) bool {

+	return cs[i].Name() < cs[j].Name()

+}

+

+// Swap swaps the position of two file changes

+func (cs fileChanges) Swap(i, j int) {

+	tmp := cs[i]

+	cs[i] = cs[j]

+	cs[j] = tmp

+}

deleted file mode 100644

@@ -1,114 +0,0 @@

-package changelist

-

-import (

-	"encoding/json"

-	"fmt"

-	"io/ioutil"

-	"os"

-	"path"

-	"sort"

-	"time"

-

-	"github.com/Sirupsen/logrus"

-	"github.com/docker/distribution/uuid"

-)

-

-// FileChangelist stores all the changes as files

-type FileChangelist struct {

-	dir string

-}

-

-// NewFileChangelist is a convenience method for returning FileChangeLists

-func NewFileChangelist(dir string) (*FileChangelist, error) {

-	logrus.Debug("Making dir path: ", dir)

-	err := os.MkdirAll(dir, 0700)

-	if err != nil {

-		return nil, err

-	}

-	return &FileChangelist{dir: dir}, nil

-}

-

-// List returns a list of sorted changes

-func (cl FileChangelist) List() []Change {

-	var changes []Change

-	dir, err := os.Open(cl.dir)

-	if err != nil {

-		return changes

-	}

-	defer dir.Close()

-	fileInfos, err := dir.Readdir(0)

-	if err != nil {

-		return changes

-	}

-	sort.Sort(fileChanges(fileInfos))

-	for _, f := range fileInfos {

-		if f.IsDir() {

-			continue

-		}

-		raw, err := ioutil.ReadFile(path.Join(cl.dir, f.Name()))

-		if err != nil {

-			logrus.Warn(err.Error())

-			continue

-		}

-		c := &TufChange{}

-		err = json.Unmarshal(raw, c)

-		if err != nil {

-			logrus.Warn(err.Error())

-			continue

-		}

-		changes = append(changes, c)

-	}

-	return changes

-}

-

-// Add adds a change to the file change list

-func (cl FileChangelist) Add(c Change) error {

-	cJSON, err := json.Marshal(c)

-	if err != nil {

-		return err

-	}

-	filename := fmt.Sprintf("%020d_%s.change", time.Now().UnixNano(), uuid.Generate())

-	return ioutil.WriteFile(path.Join(cl.dir, filename), cJSON, 0644)

-}

-

-// Clear clears the change list

-func (cl FileChangelist) Clear(archive string) error {

-	dir, err := os.Open(cl.dir)

-	if err != nil {

-		return err

-	}

-	defer dir.Close()

-	files, err := dir.Readdir(0)

-	if err != nil {

-		return err

-	}

-	for _, f := range files {

-		os.Remove(path.Join(cl.dir, f.Name()))

-	}

-	return nil

-}

-

-// Close is a no-op

-func (cl FileChangelist) Close() error {

-	// Nothing to do here

-	return nil

-}

-

-type fileChanges []os.FileInfo

-

-// Len returns the length of a file change list

-func (cs fileChanges) Len() int {

-	return len(cs)

-}

-

-// Less compares the names of two different file changes

-func (cs fileChanges) Less(i, j int) bool {

-	return cs[i].Name() < cs[j].Name()

-}

-

-// Swap swaps the position of two file changes

-func (cs fileChanges) Swap(i, j int) {

-	tmp := cs[i]

-	cs[i] = cs[j]

-	cs[j] = tmp

-}

@@ -22,17 +22,17 @@ type Changelist interface {

 const (

 	// ActionCreate represents a Create action

-	ActionCreate = iota

+	ActionCreate = "create"

 	// ActionUpdate represents an Update action

-	ActionUpdate

+	ActionUpdate = "update"

 	// ActionDelete represents a Delete action

-	ActionDelete

+	ActionDelete = "delete"

 )

 // Change is the interface for a TUF Change

 type Change interface {

 	// "create","update", or "delete"

-	Action() int

+	Action() string

 	// Where the change should be made.

 	// For TUF this will be the role

@@ -250,7 +250,7 @@ func (r *NotaryRepository) AddTarget(target *Target) error {

 		return err

 	}

-	c := changelist.NewTufChange(changelist.ActionCreate, "targets", "target", target.Name, metaJSON)

+	c := changelist.NewTufChange(changelist.ActionCreate, changelist.ScopeTargets, "target", target.Name, metaJSON)

 	err = cl.Add(c)

 	if err != nil {

 		return err

@@ -258,6 +258,22 @@ func (r *NotaryRepository) AddTarget(target *Target) error {

 	return cl.Close()

 }

+// RemoveTarget creates a new changelist entry to remove a target from the repository

+// when the changelist gets applied at publish time

+func (r *NotaryRepository) RemoveTarget(targetName string) error {

+	cl, err := changelist.NewFileChangelist(filepath.Join(r.tufRepoPath, "changelist"))

+	if err != nil {

+		return err

+	}

+	logrus.Debugf("Removing target \"%s\"", targetName)

+	c := changelist.NewTufChange(changelist.ActionDelete, changelist.ScopeTargets, "target", targetName, nil)

+	err = cl.Add(c)

+	if err != nil {

+		return err

+	}

+	return nil

+}

+

 // ListTargets lists all targets for the current repository

 func (r *NotaryRepository) ListTargets() ([]*Target, error) {

 	c, err := r.bootstrapClient()

@@ -5,6 +5,7 @@ import (

 	"net/http"

 	"time"

+	"github.com/Sirupsen/logrus"

 	"github.com/docker/notary/client/changelist"

 	"github.com/endophage/gotuf"

 	"github.com/endophage/gotuf/data"

@@ -26,13 +27,16 @@ func getRemoteStore(baseURL, gun string, rt http.RoundTripper) (store.RemoteStor

 func applyChangelist(repo *tuf.TufRepo, cl changelist.Changelist) error {

 	changes := cl.List()

-	var err error

+	logrus.Debugf("applying %d changes", len(changes))

 	for _, c := range changes {

-		if c.Scope() == "targets" {

-			applyTargetsChange(repo, c)

-		}

-		if err != nil {

-			return err

+		switch c.Scope() {

+		case changelist.ScopeTargets:

+			err := applyTargetsChange(repo, c)

+			if err != nil {

+				return err

+			}

+		default:

+			logrus.Debug("scope not supported: ", c.Scope())

 		}

 	}

 	return nil

@@ -40,16 +44,21 @@ func applyChangelist(repo *tuf.TufRepo, cl changelist.Changelist) error {

 func applyTargetsChange(repo *tuf.TufRepo, c changelist.Change) error {

 	var err error

-	meta := &data.FileMeta{}

-	err = json.Unmarshal(c.Content(), meta)

-	if err != nil {

-		return nil

-	}

-	if c.Action() == changelist.ActionCreate {

+	switch c.Action() {

+	case changelist.ActionCreate:

+		logrus.Debug("changelist add: ", c.Path())

+		meta := &data.FileMeta{}

+		err = json.Unmarshal(c.Content(), meta)

+		if err != nil {

+			return err

+		}

 		files := data.Files{c.Path(): *meta}

-		_, err = repo.AddTargets("targets", files)

-	} else if c.Action() == changelist.ActionDelete {

-		err = repo.RemoveTargets("targets", c.Path())

+		_, err = repo.AddTargets(c.Scope(), files)

+	case changelist.ActionDelete:

+		logrus.Debug("changelist remove: ", c.Path())

+		err = repo.RemoveTargets(c.Scope(), c.Path())

+	default:

+		logrus.Debug("action not yet supported: ", c.Action())

 	}

 	if err != nil {

 		return err

@@ -42,6 +42,39 @@ func (km *KeyStoreManager) ExportRootKey(dest io.Writer, keyID string) error {

 	return err

 }

+// ExportRootKeyReencrypt exports the specified root key to an io.Writer in

+// PEM format. The key is reencrypted with a new passphrase.

+func (km *KeyStoreManager) ExportRootKeyReencrypt(dest io.Writer, keyID string, newPassphraseRetriever passphrase.Retriever) error {

+	privateKey, alias, err := km.rootKeyStore.GetKey(keyID)

+	if err != nil {

+		return err

+	}

+

+	// Create temporary keystore to use as a staging area

+	tempBaseDir, err := ioutil.TempDir("", "notary-key-export-")

+	defer os.RemoveAll(tempBaseDir)

+

+	privRootKeysSubdir := filepath.Join(privDir, rootKeysSubdir)

+	tempRootKeysPath := filepath.Join(tempBaseDir, privRootKeysSubdir)

+	tempRootKeyStore, err := trustmanager.NewKeyFileStore(tempRootKeysPath, newPassphraseRetriever)

+	if err != nil {

+		return err

+	}

+

+	err = tempRootKeyStore.AddKey(keyID, alias, privateKey)

+	if err != nil {

+		return err

+	}

+

+	pemBytes, err := tempRootKeyStore.Get(keyID + "_" + alias)

+	if err != nil {

+		return err

+	}

+

+	_, err = dest.Write(pemBytes)

+	return err

+}

+

 // checkRootKeyIsEncrypted makes sure the root key is encrypted. We have

 // internal assumptions that depend on this.

 func checkRootKeyIsEncrypted(pemBytes []byte) error {

@@ -80,13 +113,13 @@ func (km *KeyStoreManager) ImportRootKey(source io.Reader, keyID string) error {

 func moveKeys(oldKeyStore, newKeyStore *trustmanager.KeyFileStore) error {

 	// List all files but no symlinks

-	for _, f := range oldKeyStore.ListKeys() {

-		pemBytes, alias, err := oldKeyStore.GetKey(f)

+	for f := range oldKeyStore.ListKeys() {

+		privateKey, alias, err := oldKeyStore.GetKey(f)

 		if err != nil {

 			return err

 		}

-		err = newKeyStore.AddKey(f, alias, pemBytes)

+		err = newKeyStore.AddKey(f, alias, privateKey)

 		if err != nil {

 			return err

@@ -247,7 +280,7 @@ func (km *KeyStoreManager) ImportKeysZip(zipReader zip.Reader) error {

 func moveKeysByGUN(oldKeyStore, newKeyStore *trustmanager.KeyFileStore, gun string) error {

 	// List all files but no symlinks

-	for _, relKeyPath := range oldKeyStore.ListKeys() {

+	for relKeyPath := range oldKeyStore.ListKeys() {

 		// Skip keys that aren't associated with this GUN

 		if !strings.HasPrefix(relKeyPath, filepath.FromSlash(gun)) {

@@ -22,28 +22,45 @@ import (

 type Retriever func(keyName, alias string, createNew bool, attempts int) (passphrase string, giveup bool, err error)

 const (

-	idBytesToDisplay            = 5

+	idBytesToDisplay            = 7

 	tufRootAlias                = "root"

 	tufTargetsAlias             = "targets"

 	tufSnapshotAlias            = "snapshot"

-	tufRootKeyGenerationWarning = `You are about to create a new root signing key passphrase. This passphrase will be used to protect

-the most sensitive key in your signing system. Please choose a long, complex passphrase and be careful

-to keep the password and the key file itself secure and backed up. It is highly recommended that you use

-a password manager to generate the passphrase and keep it safe. There will be no way to recover this key.

-You can find the key in your config directory.`

+	tufRootKeyGenerationWarning = `You are about to create a new root signing key passphrase. This passphrase

+will be used to protect the most sensitive key in your signing system. Please

+choose a long, complex passphrase and be careful to keep the password and the

+key file itself secure and backed up. It is highly recommended that you use a

+password manager to generate the passphrase and keep it safe. There will be no

+way to recover this key. You can find the key in your config directory.`

+)

+

+var (

+	// ErrTooShort is returned if the passphrase entered for a new key is

+	// below the minimum length

+	ErrTooShort = errors.New("Passphrase too short")

+

+	// ErrDontMatch is returned if the two entered passphrases don't match.

+	// new key is below the minimum length

+	ErrDontMatch = errors.New("The entered passphrases do not match")

+

+	// ErrTooManyAttempts is returned if the maximum number of passphrase

+	// entry attempts is reached.

+	ErrTooManyAttempts = errors.New("Too many attempts")

 )

 // PromptRetriever returns a new Retriever which will provide a prompt on stdin

 // and stdout to retrieve a passphrase. The passphrase will be cached such that

 // subsequent prompts will produce the same passphrase.

 func PromptRetriever() Retriever {

-	return PromptRetrieverWithInOut(os.Stdin, os.Stdout)

+	return PromptRetrieverWithInOut(os.Stdin, os.Stdout, nil)

 }

 // PromptRetrieverWithInOut returns a new Retriever which will provide a

 // prompt using the given in and out readers. The passphrase will be cached

 // such that subsequent prompts will produce the same passphrase.

-func PromptRetrieverWithInOut(in io.Reader, out io.Writer) Retriever {

+// aliasMap can be used to specify display names for TUF key aliases. If aliasMap

+// is nil, a sensible default will be used.

+func PromptRetrieverWithInOut(in io.Reader, out io.Writer, aliasMap map[string]string) Retriever {

 	userEnteredTargetsSnapshotsPass := false

 	targetsSnapshotsPass := ""

 	userEnteredRootsPass := false

@@ -54,14 +71,20 @@ func PromptRetrieverWithInOut(in io.Reader, out io.Writer) Retriever {

 			fmt.Fprintln(out, tufRootKeyGenerationWarning)

 		}

 		if numAttempts > 0 {

-			if createNew {

-				fmt.Fprintln(out, "Passphrases do not match. Please retry.")

-

-			} else {

+			if !createNew {

 				fmt.Fprintln(out, "Passphrase incorrect. Please retry.")

 			}

 		}

+		// Figure out if we should display a different string for this alias

+		displayAlias := alias

+		if aliasMap != nil {

+			if val, ok := aliasMap[alias]; ok {

+				displayAlias = val

+			}

+

+		}

+

 		// First, check if we have a password cached for this alias.

 		if numAttempts == 0 {

 			if userEnteredTargetsSnapshotsPass && (alias == tufSnapshotAlias || alias == tufTargetsAlias) {

@@ -73,7 +96,7 @@ func PromptRetrieverWithInOut(in io.Reader, out io.Writer) Retriever {

 		}

 		if numAttempts > 3 && !createNew {

-			return "", true, errors.New("Too many attempts")

+			return "", true, ErrTooManyAttempts

 		}

 		state, err := term.SaveState(0)

@@ -86,15 +109,24 @@ func PromptRetrieverWithInOut(in io.Reader, out io.Writer) Retriever {

 		stdin := bufio.NewReader(in)

 		indexOfLastSeparator := strings.LastIndex(keyName, string(filepath.Separator))

+		if indexOfLastSeparator == -1 {

+			indexOfLastSeparator = 0

+		}

-		if len(keyName) > indexOfLastSeparator+idBytesToDisplay+1 {

-			keyName = keyName[:indexOfLastSeparator+idBytesToDisplay+1]

+		if len(keyName) > indexOfLastSeparator+idBytesToDisplay {

+			if indexOfLastSeparator > 0 {

+				keyNamePrefix := keyName[:indexOfLastSeparator]

+				keyNameID := keyName[indexOfLastSeparator+1 : indexOfLastSeparator+idBytesToDisplay+1]

+				keyName = keyNamePrefix + " (" + keyNameID + ")"

+			} else {

+				keyName = keyName[indexOfLastSeparator : indexOfLastSeparator+idBytesToDisplay]

+			}

 		}

 		if createNew {

-			fmt.Fprintf(out, "Enter passphrase for new %s key with id %s: ", alias, keyName)

+			fmt.Fprintf(out, "Enter passphrase for new %s key with id %s: ", displayAlias, keyName)

 		} else {

-			fmt.Fprintf(out, "Enter key passphrase for %s key with id %s: ", alias, keyName)

+			fmt.Fprintf(out, "Enter key passphrase for %s key with id %s: ", displayAlias, keyName)

 		}

 		passphrase, err := stdin.ReadBytes('\n')

@@ -119,10 +151,10 @@ func PromptRetrieverWithInOut(in io.Reader, out io.Writer) Retriever {

 		if len(retPass) < 8 {

 			fmt.Fprintln(out, "Please use a password manager to generate and store a good random passphrase.")

-			return "", false, errors.New("Passphrase too short")

+			return "", false, ErrTooShort

 		}

-		fmt.Fprintf(out, "Repeat passphrase for new %s key with id %s: ", alias, keyName)

+		fmt.Fprintf(out, "Repeat passphrase for new %s key with id %s: ", displayAlias, keyName)

 		confirmation, err := stdin.ReadBytes('\n')

 		fmt.Fprintln(out)

 		if err != nil {

@@ -131,7 +163,8 @@ func PromptRetrieverWithInOut(in io.Reader, out io.Writer) Retriever {

 		confirmationStr := strings.TrimSpace(string(confirmation))

 		if retPass != confirmationStr {

-			return "", false, errors.New("The entered passphrases do not match")

+			fmt.Fprintln(out, "Passphrases do not match. Please retry.")

+			return "", false, ErrDontMatch

 		}

 		if alias == tufSnapshotAlias || alias == tufTargetsAlias {

@@ -5,65 +5,10 @@ import (

 	"strings"

 	"sync"

-	"fmt"

-

 	"github.com/docker/notary/pkg/passphrase"

 	"github.com/endophage/gotuf/data"

 )

-const (

-	keyExtension = "key"

-)

-

-// ErrAttemptsExceeded is returned when too many attempts have been made to decrypt a key

-type ErrAttemptsExceeded struct{}

-

-// ErrAttemptsExceeded is returned when too many attempts have been made to decrypt a key

-func (err ErrAttemptsExceeded) Error() string {

-	return "maximum number of passphrase attempts exceeded"

-}

-

-// ErrPasswordInvalid is returned when signing fails. It could also mean the signing

-// key file was corrupted, but we have no way to distinguish.

-type ErrPasswordInvalid struct{}

-

-// ErrPasswordInvalid is returned when signing fails. It could also mean the signing

-// key file was corrupted, but we have no way to distinguish.

-func (err ErrPasswordInvalid) Error() string {

-	return "password invalid, operation has failed."

-}

-

-// ErrKeyNotFound is returned when the keystore fails to retrieve a specific key.

-type ErrKeyNotFound struct {

-	KeyID string

-}

-

-// ErrKeyNotFound is returned when the keystore fails to retrieve a specific key.

-func (err ErrKeyNotFound) Error() string {

-	return fmt.Sprintf("signing key not found: %s", err.KeyID)

-}

-

-// KeyStore is a generic interface for private key storage

-type KeyStore interface {

-	LimitedFileStore

-

-	AddKey(name, alias string, privKey data.PrivateKey) error

-	GetKey(name string) (data.PrivateKey, string, error)

-	ListKeys() []string

-	RemoveKey(name string) error

-}

-

-type cachedKey struct {

-	alias string

-	key   data.PrivateKey

-}

-

-// PassphraseRetriever is a callback function that should retrieve a passphrase

-// for a given named key. If it should be treated as new passphrase (e.g. with

-// confirmation), createNew will be true. Attempts is passed in so that implementers

-// decide how many chances to give to a human, for example.

-type PassphraseRetriever func(keyId, alias string, createNew bool, attempts int) (passphrase string, giveup bool, err error)

-

 // KeyFileStore persists and manages private keys on disk

 type KeyFileStore struct {

 	sync.Mutex

@@ -111,7 +56,7 @@ func (s *KeyFileStore) GetKey(name string) (data.PrivateKey, string, error) {

 // ListKeys returns a list of unique PublicKeys present on the KeyFileStore.

 // There might be symlinks associating Certificate IDs to Public Keys, so this

 // method only returns the IDs that aren't symlinks

-func (s *KeyFileStore) ListKeys() []string {

+func (s *KeyFileStore) ListKeys() map[string]string {

 	return listKeys(s)

 }

@@ -149,7 +94,7 @@ func (s *KeyMemoryStore) GetKey(name string) (data.PrivateKey, string, error) {

 // ListKeys returns a list of unique PublicKeys present on the KeyFileStore.

 // There might be symlinks associating Certificate IDs to Public Keys, so this

 // method only returns the IDs that aren't symlinks

-func (s *KeyMemoryStore) ListKeys() []string {

+func (s *KeyMemoryStore) ListKeys() map[string]string {

 	return listKeys(s)

 }

@@ -167,10 +112,10 @@ func addKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, cached

 	}

 	attempts := 0

-	passphrase := ""

+	chosenPassphrase := ""

 	giveup := false

 	for {

-		passphrase, giveup, err = passphraseRetriever(name, alias, true, attempts)

+		chosenPassphrase, giveup, err = passphraseRetriever(name, alias, true, attempts)

 		if err != nil {

 			attempts++

 			continue

@@ -184,8 +129,8 @@ func addKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, cached

 		break

 	}

-	if passphrase != "" {

-		pemPrivKey, err = EncryptPrivateKey(privKey, passphrase)

+	if chosenPassphrase != "" {

+		pemPrivKey, err = EncryptPrivateKey(privKey, chosenPassphrase)

 		if err != nil {

 			return err

 		}

@@ -261,18 +206,20 @@ func getKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, cached

 	return privKey, keyAlias, nil

 }

-// ListKeys returns a list of unique PublicKeys present on the KeyFileStore.

+// ListKeys returns a map of unique PublicKeys present on the KeyFileStore and

+// their corresponding aliases.

 // There might be symlinks associating Certificate IDs to Public Keys, so this

 // method only returns the IDs that aren't symlinks

-func listKeys(s LimitedFileStore) []string {

-	var keyIDList []string

+func listKeys(s LimitedFileStore) map[string]string {

+	keyIDMap := make(map[string]string)

 	for _, f := range s.ListFiles(false) {

-		keyID := strings.TrimSpace(strings.TrimSuffix(f, filepath.Ext(f)))

-		keyID = keyID[:strings.LastIndex(keyID, "_")]

-		keyIDList = append(keyIDList, keyID)

+		keyIDFull := strings.TrimSpace(strings.TrimSuffix(f, filepath.Ext(f)))

+		keyID := keyIDFull[:strings.LastIndex(keyIDFull, "_")]

+		keyAlias := keyIDFull[strings.LastIndex(keyIDFull, "_")+1:]

+		keyIDMap[keyID] = keyAlias

 	}

-	return keyIDList

+	return keyIDMap

 }

 // RemoveKey removes the key from the keyfilestore

new file mode 100644

@@ -0,0 +1,52 @@

+package trustmanager

+

+import (

+	"fmt"

+

+	"github.com/endophage/gotuf/data"

+)

+

+// ErrAttemptsExceeded is returned when too many attempts have been made to decrypt a key

+type ErrAttemptsExceeded struct{}

+

+// ErrAttemptsExceeded is returned when too many attempts have been made to decrypt a key

+func (err ErrAttemptsExceeded) Error() string {

+	return "maximum number of passphrase attempts exceeded"

+}

+

+// ErrPasswordInvalid is returned when signing fails. It could also mean the signing

+// key file was corrupted, but we have no way to distinguish.

+type ErrPasswordInvalid struct{}

+

+// ErrPasswordInvalid is returned when signing fails. It could also mean the signing

+// key file was corrupted, but we have no way to distinguish.

+func (err ErrPasswordInvalid) Error() string {

+	return "password invalid, operation has failed."

+}

+

+// ErrKeyNotFound is returned when the keystore fails to retrieve a specific key.

+type ErrKeyNotFound struct {

+	KeyID string

+}

+

+// ErrKeyNotFound is returned when the keystore fails to retrieve a specific key.

+func (err ErrKeyNotFound) Error() string {

+	return fmt.Sprintf("signing key not found: %s", err.KeyID)

+}

+

+const (

+	keyExtension = "key"

+)

+

+// KeyStore is a generic interface for private key storage

+type KeyStore interface {

+	AddKey(name, alias string, privKey data.PrivateKey) error

+	GetKey(name string) (data.PrivateKey, string, error)

+	ListKeys() map[string]string

+	RemoveKey(name string) error

+}

+

+type cachedKey struct {

+	alias string

+	key   data.PrivateKey

+}

@@ -351,7 +351,7 @@ func GenerateECDSAKey(random io.Reader) (data.PrivateKey, error) {

 // PrivateKey. The serialization format we use is just the public key bytes

 // followed by the private key bytes

 func GenerateED25519Key(random io.Reader) (data.PrivateKey, error) {

-	pub, priv, err := ed25519.GenerateKey(rand.Reader)

+	pub, priv, err := ed25519.GenerateKey(random)

 	if err != nil {

 		return nil, err

 	}

@@ -50,15 +50,9 @@ func (c *Client) Update() error {

 	logrus.Debug("updating TUF client")

 	err := c.update()

 	if err != nil {

-		switch err.(type) {

-		case signed.ErrRoleThreshold, signed.ErrExpired, tuf.ErrLocalRootExpired:

-			logrus.Debug("retryable error occurred. Root will be downloaded and another update attempted")

-			if err := c.downloadRoot(); err != nil {

-				logrus.Errorf("client Update (Root):", err)

-				return err

-			}

-		default:

-			logrus.Error("an unexpected error occurred while updating TUF client")

+		logrus.Debug("Error occurred. Root will be downloaded and another update attempted")

+		if err := c.downloadRoot(); err != nil {

+			logrus.Errorf("client Update (Root):", err)

 			return err

 		}

 		// If we error again, we now have the latest root and just want to fail

@@ -114,6 +108,20 @@ func (c Client) checkRoot() error {

 	if !bytes.Equal(hash[:], hashSha256) {

 		return fmt.Errorf("Cached root sha256 did not match snapshot root sha256")

 	}

+

+	if int64(len(raw)) != size {

+		return fmt.Errorf("Cached root size did not match snapshot size")

+	}

+

+	root := &data.SignedRoot{}

+	err = json.Unmarshal(raw, root)

+	if err != nil {

+		return ErrCorruptedCache{file: "root.json"}