forked from TrueCloudLab/distribution
6712e602b0
As we begin our march towards multi-arch, we must prepare for the reality of multiple manifest schemas. This is the beginning of a set of changes to facilitate this. We are both moving this package into its target position where it may live peacefully next to other manfiest versions. Signed-off-by: Stephen J Day <stephen.day@docker.com>
66 lines
1.4 KiB
Go
66 lines
1.4 KiB
Go
package schema1
|
|
|
|
import (
|
|
"crypto/x509"
|
|
"encoding/json"
|
|
|
|
"github.com/docker/libtrust"
|
|
)
|
|
|
|
// Sign signs the manifest with the provided private key, returning a
|
|
// SignedManifest. This typically won't be used within the registry, except
|
|
// for testing.
|
|
func Sign(m *Manifest, pk libtrust.PrivateKey) (*SignedManifest, error) {
|
|
p, err := json.MarshalIndent(m, "", " ")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
js, err := libtrust.NewJSONSignature(p)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if err := js.Sign(pk); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
pretty, err := js.PrettySignature("signatures")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &SignedManifest{
|
|
Manifest: *m,
|
|
Raw: pretty,
|
|
}, nil
|
|
}
|
|
|
|
// SignWithChain signs the manifest with the given private key and x509 chain.
|
|
// The public key of the first element in the chain must be the public key
|
|
// corresponding with the sign key.
|
|
func SignWithChain(m *Manifest, key libtrust.PrivateKey, chain []*x509.Certificate) (*SignedManifest, error) {
|
|
p, err := json.MarshalIndent(m, "", " ")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
js, err := libtrust.NewJSONSignature(p)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if err := js.SignWithChain(key, chain); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
pretty, err := js.PrettySignature("signatures")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &SignedManifest{
|
|
Manifest: *m,
|
|
Raw: pretty,
|
|
}, nil
|
|
}
|