Merge pull request #59 from cnabio/trishankatdatadog/cmd-to-make-keys

Improve default key management experience

README.md

@@ -54,7 +54,7 @@ $ signy --tlscacert=$NOTARY_CA --server https://localhost:4443
 - Computing the SHA256 digest of a canonical CNAB bundle, pushing it to the trust server, then pushing the bundle using `cnab-to-oci`:
 
 ```bash
-$ ./scripts/signy-sign.sh
+$ ./scripts/signy-sign.sh testdata/cnab/bundle.json localhost:5000/cnab/thin-bundle:v1
 INFO[0000] Starting to copy image cnab/helloworld:0.1.1
 INFO[0000] Completed image cnab/helloworld:0.1.1 copy
 INFO[0000] Generated relocation map: relocation.ImageRelocationMap{"cnab/helloworld:0.1.1":"localhost:5000/cnab/thin-bundle@sha256:a59a4e74d9cc89e4e75dfb2cc7ea5c108e4236ba6231b53081a9e2506d1197b6"}
@@ -65,7 +65,7 @@ INFO[0000] Pushed trust data for localhost:5000/cnab/thin-bundle:v1: c7e92bd51f0
 - Verifying the metadata in the trusted collection for a CNAB bundle against the bundle pushed to an OCI registry
 
 ```
-$ signy --tlscacert=$NOTARY_CA --server https://localhost:4443 verify localhost:5000/thin-bundle:v1
+$ ./scripts/signy-verify.sh localhost:5000/cnab/thin-bundle:v1
 INFO[0000] Pulled trust data for localhost:5000/thin-bundle:v1, with role targets - SHA256: c7e92bd51f059d60b15ad456edf194648997d739f60799b37e08edafd88a81b5
 INFO[0000] Pulling bundle from registry: localhost:5000/thin-bundle:v1
 INFO[0000] Computed SHA: c7e92bd51f059d60b15ad456edf194648997d739f60799b37e08edafd88a81b5
@@ -194,8 +194,7 @@ On the first push to a repository, Signy generates the signing keys (using Notar
 ```
 $ export SIGNY_ROOT_PASSPHRASE=PassPhrase#123
 $ export SIGNY_TARGETS_PASSPHRASE=PassPhrase#123
-$ export SIGNY_SNAPSHOT_PASSPHRASE=PassPhrase#123
-$ export SIGNY_DELEGATION_PASSPHRASE=PassPhrase#123
+$ export SIGNY_RELEASES_PASSPHRASE=PassPhrase#123
 ```
 
 ## Contributing

cmd/main.go

@@ -3,8 +3,6 @@ package main
 import (
 	"fmt"
 	"os"
-	"path/filepath"
-	"runtime"
 
 	"github.com/cnabio/signy/pkg/tuf"
 	log "github.com/sirupsen/logrus"
@@ -40,7 +38,7 @@ func init() {
 
 	rootCmd.PersistentFlags().StringVarP(&trustServer, "server", "", tuf.DockerNotaryServer, "The trust server used")
 	rootCmd.PersistentFlags().StringVarP(&tlscacert, "tlscacert", "", "", "Trust certs signed only by this CA")
-	rootCmd.PersistentFlags().StringVarP(&trustDir, "dir", "d", defaultTrustDir(), "Directory where the trust data is persisted to")
+	rootCmd.PersistentFlags().StringVarP(&trustDir, "dir", "d", tuf.DefaultTrustDir(), "Directory where the trust data is persisted to")
 	rootCmd.PersistentFlags().StringVar(&logLevel, "log", "info", `Set the logging level ("debug"|"info"|"warn"|"error"|"fatal")`)
 	rootCmd.PersistentFlags().StringVarP(&timeout, "timeout", "t", "5s", `Timeout for the trust server`)
 }
@@ -51,12 +49,3 @@ func main() {
 		os.Exit(1)
 	}
 }
-
-func defaultTrustDir() string {
-	homeEnvPath := os.Getenv("HOME")
-	if homeEnvPath == "" && runtime.GOOS == "windows" {
-		homeEnvPath = os.Getenv("USERPROFILE")
-	}
-
-	return filepath.Join(homeEnvPath, ".signy")
-}

cmd/sign.go

@@ -35,8 +35,7 @@ To avoid introducing the passphrases every time, set the following environment v
 
 export SIGNY_ROOT_PASSPHRASE
 export SIGNY_TARGETS_PASSPHRASE
-export SIGNY_SNAPSHOT_PASSPHRASE
-export SIGNY_DELEGATION_PASSPHRASE
+export SIGNY_RELEASES_PASSPHRASE
 
 For more info on managing the signing keys, see https://docs.docker.com/notary/advanced_usage/
 

pkg/tuf/common.go

@@ -0,0 +1,67 @@
+// Most of the helper functions are adapted from github.com/theupdateframework/notary
+//
+// Figure out the proper way of making sure we are respecting the licensing from Notary
+// While we are also vendoring Notary directly (see LICENSE in vendor/github.com/theupdateframework/notary/LICENSE),
+// copying unexported functions could fall under different licensing, so we need to make sure.
+
+package tuf
+
+import (
+	"os"
+	"path/filepath"
+	"runtime"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/registry"
+)
+
+const (
+	dockerConfigDir = ".docker"
+)
+
+func DefaultTrustDir() string {
+	homeEnvPath := os.Getenv("HOME")
+	if homeEnvPath == "" && runtime.GOOS == "windows" {
+		homeEnvPath = os.Getenv("USERPROFILE")
+	}
+
+	return filepath.Join(homeEnvPath, ".signy")
+}
+
+func DefaultDockerCfgDir() string {
+	homeEnvPath := os.Getenv("HOME")
+	if homeEnvPath == "" && runtime.GOOS == "windows" {
+		homeEnvPath = os.Getenv("USERPROFILE")
+	}
+
+	return filepath.Join(homeEnvPath, dockerConfigDir)
+}
+
+// ensures the trust directory exists
+func EnsureTrustDir(trustDir string) error {
+	return os.MkdirAll(trustDir, 0700)
+}
+
+func getRepoAndTag(name string) (*registry.RepositoryInfo, string, error) {
+	r, err := reference.ParseNormalizedNamed(name)
+	if err != nil {
+		return nil, "", err
+	}
+	repo, err := registry.ParseRepositoryInfo(r)
+	if err != nil {
+		return nil, "", err
+	}
+
+	return repo, getTag(r), nil
+}
+
+func getTag(ref reference.Named) string {
+	switch x := ref.(type) {
+	case reference.Canonical, reference.Digested:
+		return ""
+	case reference.NamedTagged:
+		return x.Tag()
+	default:
+		return ""
+	}
+}