mirror of
https://github.com/docker/docs.git
synced 2026-04-01 08:48:56 +07:00
aa596338a6
Ordinarily we don't want to continue operating on signed data if the role's threshold of signatures cannot be me and the signature is unsuable. OTOH we want to keep signing root.json with all older keys if they are available (to allow migration), but in that case a missing key is not a fatal error. So, split the keys passed to signed.Sign into primary and optional, treating all current uses as primary and enforcing the role's threshold only on primary keys. Also update the single existing test which uses a missing/unusable key to use the optionalKeys parameter. Note that only the _presence_ of optionalKeys is optional; if an optional key exists but signing using it fails, the function will fail. This temporarily breaks the second ErrInsufficientSignatures check (optional keys count against the role threshold), but that will be fixed soon. Signed-off-by: Miloslav Trmač <mitr@redhat.com>