The server already supported a memory backend, but now it must be
specified, rather than just being a fallback if no storage is
specified. This also adds a signer backend to signer, which
previously required a MySQL backend.
Thanks @endophage for the excellent suggestion!
Signed-off-by: Ying Li <ying.li@docker.com>
Previously, if a relative path was provided, it was relative to the
current working directory to wherever the binaries were run. Now
it is relative to whatever config file was used.
Signed-off-by: Ying Li <ying.li@docker.com>
This changes the 'addr' parameter of notary-server's config to
'http_addr', so we can add a GRPC server to notary-server if
necessary. This also allows environment variables to override
the notary-server config file entries, as notary-signer already
does.
The bugsnag configuration has also been changed so that the
bugsnag parameters are under the "bugsnag" key.
Signed-off-by: Ying Li <ying.li@docker.com>
Also add bugsnag support to notary-signer.
This also changes the 'server.cert_file' and 'server.key_file'
parameters to 'server.tls_cert_file' and 'server.tls_key_file',
respectively, to match notary-server.
Previously, the default alias, which was under the environment
variable NOTARY_SERVER_DEFAULT_ALIAS is now also available in
the config file in storage.default_alias. The password has
not changed.
Finally, this removes some of the HSM references in notary-signer.
Signed-off-by: Ying Li <ying.li@docker.com>
Previously, because it's a CryptoService wrapper around a remote signer
service, it returned nil all the time. Now, because signing is done
via private key more than CryptoService, it has to return a PrivateKey.
The key doesn't have private bytes, but can be used for signing.
Signed-off-by: Ying Li <ying.li@docker.com>
This lists any matching keys, and requires the user to pick which one
to choose, if there is more than 1 matching key. Also requires the
user to confirm before deleting.
Signed-off-by: Ying Li <ying.li@docker.com>
add verification to yubikey signatures. Attempt to generate sig up to…
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Diogo Mónica <diogo.monica@gmail.com> (github: endophage)
Ensures that the notary command line help text start with capital
letters, and add information about hardware keys and online/offline operation.
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
Currently commands that do not require online access will error if
this option is passed. Do not error anymore, just ignore.
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
This runs through the basic notary init/add/publish/etc. workflow,
and some basic key workflows.
Note that this does work with the Yubikey, in that created keys while
testing do not require touch.
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
Add build tags and a check in Makefile to be sure you do not import
pkcs11 lib somewhere where it should not be. This will ensure docker
import and integration will continue to work.
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Jessica Frazelle <acidburn@docker.com> (github: endophage)
