distribution/manifest/schema1/sign.go

package schema1

import (
	"crypto/x509"
	"encoding/json"

	"github.com/docker/libtrust"
)

// Sign signs the manifest with the provided private key, returning a
// SignedManifest. This typically won't be used within the registry, except
// for testing.
func Sign(m *Manifest, pk libtrust.PrivateKey) (*SignedManifest, error) {
	p, err := json.MarshalIndent(m, "", "   ")
	if err != nil {
		return nil, err
	}

	js, err := libtrust.NewJSONSignature(p)
	if err != nil {
		return nil, err
	}

	if err := js.Sign(pk); err != nil {
		return nil, err
	}

	pretty, err := js.PrettySignature("signatures")
	if err != nil {
		return nil, err
	}

	return &SignedManifest{
		Manifest: *m,
		Raw:      pretty,
	}, nil
}

// SignWithChain signs the manifest with the given private key and x509 chain.
// The public key of the first element in the chain must be the public key
// corresponding with the sign key.
func SignWithChain(m *Manifest, key libtrust.PrivateKey, chain []*x509.Certificate) (*SignedManifest, error) {
	p, err := json.MarshalIndent(m, "", "   ")
	if err != nil {
		return nil, err
	}

	js, err := libtrust.NewJSONSignature(p)
	if err != nil {
		return nil, err
	}

	if err := js.SignWithChain(key, chain); err != nil {
		return nil, err
	}

	pretty, err := js.PrettySignature("signatures")
	if err != nil {
		return nil, err
	}

	return &SignedManifest{
		Manifest: *m,
		Raw:      pretty,
	}, nil
}
Move manifest package to schema1 As we begin our march towards multi-arch, we must prepare for the reality of multiple manifest schemas. This is the beginning of a set of changes to facilitate this. We are both moving this package into its target position where it may live peacefully next to other manfiest versions. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-08-21 04:24:30 +00:00			`package schema1`
Decouple manifest signing and verification It was probably ill-advised to couple manifest signing and verification to their respective types. This changeset simply changes them from methods to functions. These might not even be in this package in the future. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-01-02 23:46:47 +00:00
			`import (`
			`"crypto/x509"`
			`"encoding/json"`

			`"github.com/docker/libtrust"`
			`)`

			`// Sign signs the manifest with the provided private key, returning a`
			`// SignedManifest. This typically won't be used within the registry, except`
			`// for testing.`
			`func Sign(m Manifest, pk libtrust.PrivateKey) (SignedManifest, error) {`
			`p, err := json.MarshalIndent(m, "", " ")`
			`if err != nil {`
			`return nil, err`
			`}`

			`js, err := libtrust.NewJSONSignature(p)`
			`if err != nil {`
			`return nil, err`
			`}`

			`if err := js.Sign(pk); err != nil {`
			`return nil, err`
			`}`

			`pretty, err := js.PrettySignature("signatures")`
			`if err != nil {`
			`return nil, err`
			`}`

			`return &SignedManifest{`
			`Manifest: *m,`
			`Raw: pretty,`
			`}, nil`
			`}`

			`// SignWithChain signs the manifest with the given private key and x509 chain.`
			`// The public key of the first element in the chain must be the public key`
			`// corresponding with the sign key.`
			`func SignWithChain(m Manifest, key libtrust.PrivateKey, chain []x509.Certificate) (*SignedManifest, error) {`
			`p, err := json.MarshalIndent(m, "", " ")`
			`if err != nil {`
			`return nil, err`
			`}`

			`js, err := libtrust.NewJSONSignature(p)`
			`if err != nil {`
			`return nil, err`
			`}`

			`if err := js.SignWithChain(key, chain); err != nil {`
			`return nil, err`
			`}`

			`pretty, err := js.PrettySignature("signatures")`
			`if err != nil {`
			`return nil, err`
			`}`

			`return &SignedManifest{`
			`Manifest: *m,`
			`Raw: pretty,`
			`}, nil`
			`}`