From d3919d0a792d66e4bbdb7e89b442e36ca2462008 Mon Sep 17 00:00:00 2001 From: Justin Cormack Date: Thu, 1 Mar 2018 11:15:50 +0000 Subject: [PATCH] Update notary vendor to 0.6.0 Signed-off-by: Justin Cormack --- vendor.conf | 2 +- .../theupdateframework/notary/README.md | 40 ++++----- .../notary/client/client.go | 86 +------------------ .../notary/trustmanager/keys.go | 10 ++- .../trustmanager/yubikey/pkcs11_linux.go | 2 + .../theupdateframework/notary/tuf/tuf.go | 11 +-- .../theupdateframework/notary/vendor.conf | 12 +-- 7 files changed, 42 insertions(+), 121 deletions(-) diff --git a/vendor.conf b/vendor.conf index 4796d797b..be28bf5b7 100644 --- a/vendor.conf +++ b/vendor.conf @@ -13,7 +13,7 @@ github.com/opencontainers/runtime-spec v1.0.0 github.com/pkg/errors v0.8.0 github.com/sirupsen/logrus v1.0.3 github.com/surma/gocpio fcb68777e7dc4ea43ffce871b552c0d073c17495 -github.com/theupdateframework/notary c3574cbdf09c9b52ffd364451d1c793b129edb0a +github.com/theupdateframework/notary v0.6.0 github.com/xeipuuv/gojsonpointer 6fe8760cad3569743d51ddbb243b26f8456742dc github.com/xeipuuv/gojsonreference e02fc20de94c78484cd5ffb007f8af96be030a45 github.com/xeipuuv/gojsonschema 702b404897d4364af44dc8dcabc9815947942325 diff --git a/vendor/github.com/theupdateframework/notary/README.md b/vendor/github.com/theupdateframework/notary/README.md index 652305086..6b955d259 100644 --- a/vendor/github.com/theupdateframework/notary/README.md +++ b/vendor/github.com/theupdateframework/notary/README.md 
@@ -1,5 +1,6 @@ Notary +[![GoDoc](https://godoc.org/github.com/theupdateframework/notary?status.svg)](https://godoc.org/github.com/theupdateframework/notary) [![Circle CI](https://circleci.com/gh/theupdateframework/notary/tree/master.svg?style=shield)](https://circleci.com/gh/theupdateframework/notary/tree/master) [![CodeCov](https://codecov.io/github/theupdateframework/notary/coverage.svg?branch=master)](https://codecov.io/github/theupdateframework/notary) [![GoReportCard](https://goreportcard.com/badge/theupdateframework/notary)](https://goreportcard.com/report/github.com/theupdateframework/notary) [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary?ref=badge_shield) @@ -15,7 +16,7 @@ location via GitHub's redirect. # Overview The Notary project comprises a [server](cmd/notary-server) and a [client](cmd/notary) for running and interacting -with trusted collections. Please see the [service architecture](docs/service_architecture.md) documentation +with trusted collections. See the [service architecture](docs/service_architecture.md) documentation for more information. Notary aims to make the internet more secure by making it easy for people to 
@@ -45,26 +46,26 @@ Notary is based on [The Update Framework](https://www.theupdateframework.com/), ## Security -Please see our [service architecture docs](docs/service_architecture.md#threat-model) for more information about our threat model, which details the varying survivability and severities for key compromise as well as mitigations. +See Notary's [service architecture docs](docs/service_architecture.md#threat-model) for more information about our threat model, which details the varying survivability and severities for key compromise as well as mitigations. -Our last security audit was on July 31, 2015 by NCC ([results](docs/resources/ncc_docker_notary_audit_2015_07_31.pdf)). +Notary's last security audit was on July 31, 2015 by NCC ([results](docs/resources/ncc_docker_notary_audit_2015_07_31.pdf)). Any security vulnerabilities can be reported to security@docker.com. # Getting started with the Notary CLI -Please get the Notary Client CLI binary from [the official releases page](https://github.com/theupdateframework/notary/releases) or you can [build one yourself](#building-notary). +Get the Notary Client CLI binary from [the official releases page](https://github.com/theupdateframework/notary/releases) or you can [build one yourself](#building-notary). The version of Notary server and signer should be greater than or equal to Notary CLI's version to ensure feature compatibility (ex: CLI version 0.2, server/signer version >= 0.2), and all official releases are associated with GitHub tags. -To use the Notary CLI with Docker hub images, please have a look at our +To use the Notary CLI with Docker hub images, have a look at Notary's [getting started docs](docs/getting_started.md). -For more advanced usage, please see the +For more advanced usage, see the [advanced usage docs](docs/advanced_usage.md). To use the CLI against a local Notary server rather than against Docker Hub: -1. 
Please ensure that you have [docker and docker-compose](http://docs.docker.com/compose/install/) installed. +1. Ensure that you have [docker and docker-compose](http://docs.docker.com/compose/install/) installed. 1. `git clone https://github.com/theupdateframework/notary.git` and from the cloned repository path, start up a local Notary server and signer and copy the config file and testing certs to your local notary config directory: 
@@ -90,32 +91,31 @@ to use `notary` with Docker images. ## Building Notary -Note that our [latest stable release](https://github.com/theupdateframework/notary/releases) is at the head of the +Note that Notary's [latest stable release](https://github.com/theupdateframework/notary/releases) is at the head of the [releases branch](https://github.com/theupdateframework/notary/tree/releases). The master branch is the development branch and contains features for the next release. Prerequisites: - Go >= 1.7.1 -- [godep](https://github.com/tools/godep) installed + - Fedora: `dnf install golang` - libtool development headers installed - Ubuntu: `apt-get install libltdl-dev` - CentOS/RedHat: `yum install libtool-ltdl-devel` + - Fedora: `dnf install libtool-ltdl-devel` - Mac OS ([Homebrew](http://brew.sh/)): `brew install libtool` -Run `make client`, which creates the Notary Client CLI binary at `bin/notary`. -Note that `make client` assumes a standard Go directory structure, in which -Notary is checked out to the `src` directory in your `GOPATH`. For example: -``` -$GOPATH/ - src/ - github.com/ - docker/ - notary/ +Set [```GOPATH```](https://golang.org/doc/code.html#GOPATH). Then, run: + +```bash +$ go get github.com/theupdateframework/notary +# build with pcks11 support by default to support yubikey +$ go install -tags pkcs11 github.com/theupdateframework/notary/cmd/notary +$ notary ``` -To build the server and signer, please run `docker-compose build`. +To build the server and signer, run `docker-compose build`. ## License -[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary?ref=badge_large) \ No newline at end of file +[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary?ref=badge_large) 
diff --git a/vendor/github.com/theupdateframework/notary/client/client.go b/vendor/github.com/theupdateframework/notary/client/client.go index 217e96235..efdc6ce4a 100644 --- a/vendor/github.com/theupdateframework/notary/client/client.go +++ b/vendor/github.com/theupdateframework/notary/client/client.go 
@@ -1,88 +1,4 @@ -/* -Package client implements everything required for interacting with a Notary repository. - -Usage - -Use this package by creating a new repository object and calling methods on it. - - package main - - import ( - "encoding/hex" - "fmt" - "net/http" - "os" - "time" - - "github.com/docker/distribution/registry/client/auth" - "github.com/docker/distribution/registry/client/auth/challenge" - "github.com/docker/distribution/registry/client/transport" - notary "github.com/theupdateframework/notary/client" - "github.com/theupdateframework/notary/trustpinning" - "github.com/theupdateframework/notary/tuf/data" - ) - - func main() { - rootDir := ".trust" - if err := os.MkdirAll(rootDir, 0700); err != nil { - panic(err) - } - - server := "https://notary.docker.io" - image := "docker.io/library/alpine" - repo, err := notary.NewFileCachedNotaryRepository( - rootDir, - data.GUN(image), - server, - makeHubTransport(server, image), - nil, - trustpinning.TrustPinConfig{}, - ) - - targets, err := repo.ListTargets() - if err != nil { - panic(err) - } - - for _, tgt := range targets { - fmt.Printf("%s\t%s\n", tgt.Name, hex.EncodeToString(tgt.Hashes["sha256"])) - } - } - - func makeHubTransport(server, image string) http.RoundTripper { - base := http.DefaultTransport - modifiers := []transport.RequestModifier{ - transport.NewHeaderRequestModifier(http.Header{ - "User-Agent": []string{"my-client"}, - }), - } - - authTransport := transport.NewTransport(base, modifiers...) 
- pingClient := &http.Client{ - Transport: authTransport, - Timeout: 5 * time.Second, - } - req, err := http.NewRequest("GET", server+"/v2/", nil) - if err != nil { - panic(err) - } - - challengeManager := challenge.NewSimpleManager() - resp, err := pingClient.Do(req) - if err != nil { - panic(err) - } - defer resp.Body.Close() - if err := challengeManager.AddResponse(resp); err != nil { - panic(err) - } - tokenHandler := auth.NewTokenHandler(base, nil, image, "pull") - modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, auth.NewBasicHandler(nil))) - - return transport.NewTransport(base, modifiers...) - } - -*/ +//Package client implements everything required for interacting with a Notary repository. package client import ( diff --git a/vendor/github.com/theupdateframework/notary/trustmanager/keys.go b/vendor/github.com/theupdateframework/notary/trustmanager/keys.go index 8ad77a2fe..89e82a75a 100644 --- a/vendor/github.com/theupdateframework/notary/trustmanager/keys.go +++ b/vendor/github.com/theupdateframework/notary/trustmanager/keys.go @@ -3,6 +3,7 @@ package trustmanager import ( "encoding/pem" "errors" + "fmt" "io" "io/ioutil" "path/filepath" @@ -100,8 +101,9 @@ func ImportKeys(from io.Reader, to []Importer, fallbackRole string, fallbackGUN return err } var ( - writeTo string - toWrite []byte + writeTo string + toWrite []byte + errBlocks []string ) for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) { handleLegacyPath(block) @@ -110,6 +112,7 @@ func ImportKeys(from io.Reader, to []Importer, fallbackRole string, fallbackGUN loc, err := checkValidity(block) if err != nil { // already logged in checkValidity + errBlocks = append(errBlocks, err.Error()) continue } 
@@ -157,6 +160,9 @@ func ImportKeys(from io.Reader, to []Importer, fallbackRole string, fallbackGUN if toWrite != nil { // close out final iteration if there's data left return importToStores(to, writeTo, toWrite) } + if len(errBlocks) > 0 { + return fmt.Errorf("failed to import all keys: %s", strings.Join(errBlocks, ", ")) + } return nil } diff --git a/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/pkcs11_linux.go b/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/pkcs11_linux.go index 9967e89e1..836018f00 100644 --- a/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/pkcs11_linux.go +++ b/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/pkcs11_linux.go @@ -4,7 +4,9 @@ package yubikey var possiblePkcs11Libs = []string{ "/usr/lib/libykcs11.so", + "/usr/lib/libykcs11.so.1", // yubico-piv-tool on Fedora installs here "/usr/lib64/libykcs11.so", + "/usr/lib64/libykcs11.so.1", // yubico-piv-tool on Fedora installs here "/usr/lib/x86_64-linux-gnu/libykcs11.so", "/usr/local/lib/libykcs11.so", } diff --git a/vendor/github.com/theupdateframework/notary/tuf/tuf.go b/vendor/github.com/theupdateframework/notary/tuf/tuf.go index 74f6ceb59..866403bba 100644 --- a/vendor/github.com/theupdateframework/notary/tuf/tuf.go +++ b/vendor/github.com/theupdateframework/notary/tuf/tuf.go 
@@ -248,17 +248,14 @@ func (tr *Repo) GetDelegationRole(name data.RoleName) (data.DelegationRole, erro } // Check all public key certificates in the role for expiry // Currently we do not reject expired delegation keys but warn if they might expire soon or have already - for keyID, pubKey := range delgRole.Keys { + for _, pubKey := range delgRole.Keys { certFromKey, err := utils.LoadCertFromPEM(pubKey.Public()) if err != nil { continue } - if err := utils.ValidateCertificate(certFromKey, true); err != nil { - if _, ok := err.(data.ErrCertExpired); !ok { - // do not allow other invalid cert errors - return err - } - logrus.Warnf("error with delegation %s key ID %d: %s", delgRole.Name, keyID, err) + //Don't check the delegation certificate expiry once added, use the TUF role expiry instead + if err := utils.ValidateCertificate(certFromKey, false); err != nil { + return err } } foundRole = &delgRole diff --git a/vendor/github.com/theupdateframework/notary/vendor.conf b/vendor/github.com/theupdateframework/notary/vendor.conf index 73e12db5d..33e81418d 100644 --- a/vendor/github.com/theupdateframework/notary/vendor.conf +++ b/vendor/github.com/theupdateframework/notary/vendor.conf 
@@ -5,8 +5,8 @@ github.com/bugsnag/bugsnag-go 13fd6b8acda029830ef9904df6b63be0a83369d0 github.com/bugsnag/panicwrap e2c28503fcd0675329da73bf48b33404db873782 github.com/bugsnag/osext 0dd3f918b21bec95ace9dc86c7e70266cfc5c702 github.com/docker/distribution edc3ab29cdff8694dd6feb85cfeb4b5f1b38ed9c -github.com/opencontainers/go-digest a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb -github.com/docker/go-connections 3ede32e2033de7505e6500d6c868c2b9ed9f169d +github.com/opencontainers/go-digest a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb +github.com/docker/go-connections 7395e3f8aa162843a74ed6d48e79627d9792ac55 github.com/docker/go d30aec9fd63c35133f8f79c3412ad91a3b08be06 github.com/dvsekhvalnov/jose2go 6387d3c1f5abd8443b223577d5a7e0f4e0e5731f # v1.2 github.com/go-sql-driver/mysql a0583e0143b1624142adab07e0e97fe106d99561 # v1.3 
@@ -15,22 +15,22 @@ github.com/jinzhu/gorm 5409931a1bb87e484d68d649af9367c207713ea2 github.com/jinzhu/inflection 1c35d901db3da928c72a72d8458480cc9ade058f github.com/lib/pq 0dad96c0b94f8dee039aa40467f767467392a0af github.com/mattn/go-sqlite3 b4142c444a8941d0d92b0b7103a24df9cd815e42 # v1.0.0 -github.com/miekg/pkcs11 ba39b9c6300b7e0be41b115330145ef8afdff7d6 +github.com/miekg/pkcs11 5f6e0d0dad6f472df908c8e968a98ef00c9224bb github.com/mitchellh/go-homedir df55a15e5ce646808815381b3db47a8c66ea62f4 github.com/prometheus/client_golang 449ccefff16c8e2b7229f6be1921ba22f62461fe github.com/prometheus/client_model fa8ad6fec33561be4280a8f0514318c79d7f6cb6 # model-0.0.2-12-gfa8ad6f github.com/prometheus/procfs b1afdc266f54247f5dc725544f5d351a8661f502 github.com/prometheus/common 4fdc91a58c9d3696b982e8a680f4997403132d44 github.com/golang/protobuf c3cefd437628a0b7d31b34fe44b3a7a540e98527 -github.com/spf13/cobra f368244301305f414206f889b1735a54cfc8bde8 +github.com/spf13/cobra 7b2c5ac9fc04fc5efafb60700713d4fa609b777b # v0.0.1 github.com/spf13/viper be5ff3e4840cf692388bde7a057595a474ef379e golang.org/x/crypto 76eec36fa14229c4b25bb894c2d0e591527af429 golang.org/x/net 6a513affb38dc9788b449d59ffed099b8de18fa0 -golang.org/x/sys 739734461d1c916b6c72a63d7efda2b27edb369f +golang.org/x/sys 314a259e304ff91bd6985da2a7149bbf91237993 google.golang.org/grpc 708a7f9f3283aa2d4f6132d287d78683babe55c8 # v1.0.5 github.com/pkg/errors 839d9e913e063e28dfd0e6c7b7512793e0a48be9 -github.com/spf13/pflag cb88ea77998c3f024757528e3305022ab50b43be +github.com/spf13/pflag e57e3eeb33f795204c1ca35f56c44f83227c6e66 # v1.0.0 github.com/spf13/cast 4d07383ffe94b5e5a6fa3af9211374a4507a0184 gopkg.in/yaml.v2 bef53efd0c76e49e6de55ead051f886bea7e9420 gopkg.in/fatih/pool.v2 cba550ebf9bce999a02e963296d4bc7a486cb715
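Review bot: In the top-level vendor.conf hunk, `github.com/theupdateframework/notary` moves from a full commit hash to the bare tag `v0.6.0`. A tag is a mutable ref, so this pin can change what gets vendored without any diff to this file; the notary vendor.conf touched later in the same patch keeps the hash and records the tag as a trailing comment (e.g. `github.com/spf13/cobra 7b2c5ac9fc04fc5efafb60700713d4fa609b777b # v0.0.1`). Suggest the same form here: the commit `v0.6.0` resolves to, followed by `# v0.6.0`, so the vendored tree stays reproducible.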
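Review bot: In the README.md `## Building Notary` hunk, the comment `# build with pcks11 support by default to support yubikey` misspells the build tag used on the very next line (`-tags pkcs11`); this is vendored text, so the fix belongs upstream, but it is worth filing. Same hunk: `make client` is replaced by an unpinned `go get github.com/theupdateframework/notary`, which builds whatever is on master, while the paragraph just above says the stable release is at the head of the releases branch; checking out the release tag before `go install` would match that advice.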
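Review bot: In the client.go hunk the new package comment reads `//Package client implements ...` with no space after `//`; Go convention is `// Package client ...`. The removed block was the only documented example of building the authenticated transport (`challenge.NewSimpleManager`, `auth.NewTokenHandler`, `auth.NewAuthorizer`) that `NewFileCachedNotaryRepository` expects; if that example now lives elsewhere in the 0.6.0 tree, a pointer from the one-line comment would help callers find it.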
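Review bot: In the last keys.go hunk (`@@ -157,6 +160,9 @@`), the new `if len(errBlocks) > 0 { return fmt.Errorf(...) }` is placed after `if toWrite != nil { return importToStores(to, writeTo, toWrite) }`, so whenever the final PEM block is valid the function returns from `importToStores` and the accumulated `errBlocks` are silently dropped; the "failed to import all keys" error only surfaces when the bad block happens to be the last one. Moving the `errBlocks` check above that early return, or combining both results, would make the error reliable. Also, the hunk calls `strings.Join` but the import hunk adds only `"fmt"`; confirm `"strings"` is already imported further down the import block, which the diff does not show. Finally, blocks imported before a bad one are not rolled back, so the message should make clear the failure is partial.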
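Review bot: In the pkcs11_linux.go hunk, the two new `libykcs11.so.1` entries cover `/usr/lib` and `/usr/lib64` only; if the motivation is that distro runtime packages ship the versioned SONAME without the unversioned `.so` development symlink, the same probably applies to the Debian/Ubuntu multiarch path `/usr/lib/x86_64-linux-gnu/libykcs11.so` listed two lines later, so a `.so.1` entry there would be consistent. Assuming the list is probed in order, placing each versioned name after its unversioned counterpart (as done here) keeps current behaviour where both files exist. The two identical trailing comments could be a single comment above the list.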
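Review bot: The tuf.go hunk changes behaviour, not just style: `utils.ValidateCertificate(certFromKey, true)` used to check delegation certificate expiry (warning on `data.ErrCertExpired`, rejecting any other validity error), whereas `ValidateCertificate(certFromKey, false)` skips the expiry check entirely, so an expired delegation certificate is now accepted with no log line at all. The in-code rationale (`use the TUF role expiry instead`) is sound under TUF, but the commit message says only "Update notary vendor to 0.6.0"; a sentence noting that delegation key expiry is now governed solely by the role's TUF expiry would help anyone auditing trust behaviour in the consuming project. Minor: the removed `logrus.Warnf` used `%d` for `keyID`, a map key that reads as a string, which the new code sidesteps by dropping the variable; and `//Don't check` lacks the conventional space after `//`.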
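Review bot: The two hunks in vendor/github.com/theupdateframework/notary/vendor.conf (go-connections, miekg/pkcs11, cobra, x/sys and pflag bumps) are informational once notary is vendored into this tree: the packages notary actually links against come from the top-level vendor.conf, whose hunk changes nothing but the notary line itself. Worth checking that the top-level pins (or absence of pins) for `github.com/docker/go-connections`, `github.com/miekg/pkcs11` and `golang.org/x/sys` are compatible with `7395e3f8aa162843a74ed6d48e79627d9792ac55`, `5f6e0d0dad6f472df908c8e968a98ef00c9224bb` and `314a259e304ff91bd6985da2a7149bbf91237993` respectively, since the yubikey PKCS#11 path in particular depends on the pkcs11 binding's API.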