distribution/manifest/sign.go

package manifest

import (
	"crypto/x509"
	"encoding/json"

	"github.com/docker/libtrust"
)

// Sign signs the manifest with the provided private key, returning a
// SignedManifest. This typically won't be used within the registry, except
// for testing.
func Sign(m *Manifest, pk libtrust.PrivateKey) (*SignedManifest, error) {
	p, err := json.MarshalIndent(m, "", "   ")
	if err != nil {
		return nil, err
	}

	js, err := libtrust.NewJSONSignature(p)
	if err != nil {
		return nil, err
	}

	if err := js.Sign(pk); err != nil {
		return nil, err
	}

	pretty, err := js.PrettySignature("signatures")
	if err != nil {
		return nil, err
	}

	return &SignedManifest{
		Manifest: *m,
		Raw:      pretty,
	}, nil
}

// SignWithChain signs the manifest with the given private key and x509 chain.
// The public key of the first element in the chain must be the public key
// corresponding with the sign key.
func SignWithChain(m *Manifest, key libtrust.PrivateKey, chain []*x509.Certificate) (*SignedManifest, error) {
	p, err := json.MarshalIndent(m, "", "   ")
	if err != nil {
		return nil, err
	}

	js, err := libtrust.NewJSONSignature(p)
	if err != nil {
		return nil, err
	}

	if err := js.SignWithChain(key, chain); err != nil {
		return nil, err
	}

	pretty, err := js.PrettySignature("signatures")
	if err != nil {
		return nil, err
	}

	return &SignedManifest{
		Manifest: *m,
		Raw:      pretty,
	}, nil
}
Decouple manifest signing and verification It was probably ill-advised to couple manifest signing and verification to their respective types. This changeset simply changes them from methods to functions. These might not even be in this package in the future. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-01-02 23:46:47 +00:00			`package manifest`

			`import (`
			`"crypto/x509"`
			`"encoding/json"`

			`"github.com/docker/libtrust"`
			`)`

			`// Sign signs the manifest with the provided private key, returning a`
			`// SignedManifest. This typically won't be used within the registry, except`
			`// for testing.`
			`func Sign(m Manifest, pk libtrust.PrivateKey) (SignedManifest, error) {`
			`p, err := json.MarshalIndent(m, "", " ")`
			`if err != nil {`
			`return nil, err`
			`}`

			`js, err := libtrust.NewJSONSignature(p)`
			`if err != nil {`
			`return nil, err`
			`}`

			`if err := js.Sign(pk); err != nil {`
			`return nil, err`
			`}`

			`pretty, err := js.PrettySignature("signatures")`
			`if err != nil {`
			`return nil, err`
			`}`

			`return &SignedManifest{`
			`Manifest: *m,`
			`Raw: pretty,`
			`}, nil`
			`}`

			`// SignWithChain signs the manifest with the given private key and x509 chain.`
			`// The public key of the first element in the chain must be the public key`
			`// corresponding with the sign key.`
			`func SignWithChain(m Manifest, key libtrust.PrivateKey, chain []x509.Certificate) (*SignedManifest, error) {`
			`p, err := json.MarshalIndent(m, "", " ")`
			`if err != nil {`
			`return nil, err`
			`}`

			`js, err := libtrust.NewJSONSignature(p)`
			`if err != nil {`
			`return nil, err`
			`}`

			`if err := js.SignWithChain(key, chain); err != nil {`
			`return nil, err`
			`}`

			`pretty, err := js.PrettySignature("signatures")`
			`if err != nil {`
			`return nil, err`
			`}`

			`return &SignedManifest{`
			`Manifest: *m,`
			`Raw: pretty,`
			`}, nil`
			`}`