Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
| ... | ... |
@@ -461,7 +461,8 @@ func (cli *DockerCli) trustedPush(repoInfo *registry.RepositoryInfo, tag string, |
| 461 | 461 |
rootKeyID = rootPublicKey.ID() |
| 462 | 462 |
} |
| 463 | 463 |
|
| 464 |
- if err := repo.Initialize(rootKeyID); err != nil {
|
|
| 464 |
+ // Initialize the notary repository with a remotely managed snapshot key |
|
| 465 |
+ if err := repo.Initialize(rootKeyID, data.CanonicalSnapshotRole); err != nil {
|
|
| 465 | 466 |
return notaryError(repoInfo.FullName(), err) |
| 466 | 467 |
} |
| 467 | 468 |
fmt.Fprintf(cli.out, "Finished initializing %q\n", repoInfo.FullName()) |
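Review bot: The new comment above `repo.Initialize(rootKeyID, data.CanonicalSnapshotRole)` says what is configured but not what it means for trust, which matters for a signing default. With the snapshot role managed remotely, the notary server rather than the publisher signs snapshot metadata, so the client-held keys are what a compromised or misbehaving server cannot use. I would state that in the comment, e.g. `// The notary server holds the snapshot key and signs snapshot metadata; the targets key stays in the local keystore.` (the accompanying test suggests that only the targets key remains under tuf_keys). The call appears to sit on the first-initialization path only, since the "Finished initializing" message follows it, so repositories initialized before this change presumably keep a locally held snapshot key; that is worth a line in the commit message or docs. trustedPush starts and ends outside the hunk.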
| ... | ... |
@@ -286,6 +286,12 @@ func (s *DockerTrustSuite) TestTrustedPush(c *check.C) {
|
| 286 | 286 |
out, _, err = runCommandWithOutput(pullCmd) |
| 287 | 287 |
c.Assert(err, check.IsNil, check.Commentf(out)) |
| 288 | 288 |
c.Assert(string(out), checker.Contains, "Status: Downloaded", check.Commentf(out)) |
| 289 |
+ |
|
| 290 |
+ // Assert that we rotated the snapshot key to the server by checking our local keystore |
|
| 291 |
+ contents, err := ioutil.ReadDir(filepath.Join(cliconfig.ConfigDir(), "trust/private/tuf_keys", privateRegistryURL, "dockerclitrusted/pushtest")) |
|
| 292 |
+ c.Assert(err, check.IsNil, check.Commentf("Unable to read local tuf key files"))
|
|
| 293 |
+ // Check that we only have 1 key (targets key) |
|
| 294 |
+ c.Assert(contents, checker.HasLen, 1) |
|
| 289 | 295 |
} |
| 290 | 296 |
|
| 291 | 297 |
func (s *DockerTrustSuite) TestTrustedPushWithEnvPasswords(c *check.C) {
|
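Review bot: The assertion `c.Assert(contents, checker.HasLen, 1)` only counts directory entries, so it would also pass if the one remaining file were a snapshot key and the targets key were missing, which is the opposite of what the comment claims. Since the test exists to show that no snapshot private key is left on the client, I would also assert that the remaining entry is the targets key, using whatever role marker the key file name or contents carry (the format is not visible in this hunk). Adding a `check.Commentf` that lists the entry names to the length assertion would make a failure diagnosable. The key directory is built from the literal `"dockerclitrusted/pushtest"`; if the test defines the repository name in a variable above the hunk, deriving the path from it would keep the two in sync. TestTrustedPush starts outside the hunk.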