// Sign signs all top level roles in a repo in the appropriate order func Sign(repo *tuf.Repo) (root, targets, snapshot, timestamp *data.Signed, err error) { root, err = repo.SignRoot(data.DefaultExpires("root")) if _, ok := err.(data.ErrInvalidRole); err != nil && !ok { return nil, nil, nil, nil, err } targets, err = repo.SignTargets("targets", data.DefaultExpires("targets")) if _, ok := err.(data.ErrInvalidRole); err != nil && !ok { return nil, nil, nil, nil, err } snapshot, err = repo.SignSnapshot(data.DefaultExpires("snapshot")) if _, ok := err.(data.ErrInvalidRole); err != nil && !ok { return nil, nil, nil, nil, err } timestamp, err = repo.SignTimestamp(data.DefaultExpires("timestamp")) if _, ok := err.(data.ErrInvalidRole); err != nil && !ok { return nil, nil, nil, nil, err } return }
// Sign signs all top level roles in a repo in the appropriate order func Sign(repo *tuf.Repo) (root, targets, snapshot, timestamp *data.Signed, err error) { root, err = repo.SignRoot(data.DefaultExpires("root")) if err != nil { return nil, nil, nil, nil, err } targets, err = repo.SignTargets("targets", data.DefaultExpires("targets")) if err != nil { return nil, nil, nil, nil, err } snapshot, err = repo.SignSnapshot(data.DefaultExpires("snapshot")) if err != nil { return nil, nil, nil, nil, err } timestamp, err = repo.SignTimestamp(data.DefaultExpires("timestamp")) if err != nil { return nil, nil, nil, nil, err } return }
// serializeCanonicalRole signs the metadata for a single role of a tuf repo
// and returns it JSON-encoded.
//
// Root and snapshot are signed with their own default expiry; any role that
// exists in tufRepo.Targets (the top-level targets role or a delegation) is
// signed with the targets expiry. Every other role name is rejected with an
// error, as is any failure from the signing call itself (with a nil result).
func serializeCanonicalRole(tufRepo *tuf.Repo, role string) (out []byte, err error) {
	var signed *data.Signed
	switch role {
	case data.CanonicalRootRole:
		signed, err = tufRepo.SignRoot(data.DefaultExpires(role))
	case data.CanonicalSnapshotRole:
		signed, err = tufRepo.SignSnapshot(data.DefaultExpires(role))
	default:
		if tufRepo.Targets[role] == nil {
			return nil, fmt.Errorf("%s not supported role to sign on the client", role)
		}
		// Delegations share the targets expiry window rather than one of
		// their own.
		signed, err = tufRepo.SignTargets(role, data.DefaultExpires(data.CanonicalTargetsRole))
	}
	if err != nil {
		return nil, err
	}
	return json.Marshal(signed)
}
// SignAndSerialize calls Sign and then Serialize to get the repo metadata out.
//
// The returned map is keyed by role name and holds the serialized signed
// metadata for every delegation in tufRepo.Targets plus the four top-level
// roles. Delegations are signed and canonically marshaled first, before Sign
// runs, so that the snapshot Sign produces can cover the delegation metadata.
// The first error from any step is returned with a nil map.
func SignAndSerialize(tufRepo *tuf.Repo) (map[string][]byte, error) {
	meta := make(map[string][]byte, len(tufRepo.Targets)+4)

	// Delegations only: the top-level targets role is signed by Sign below.
	for role := range tufRepo.Targets {
		if role == data.CanonicalTargetsRole {
			continue
		}
		signed, err := tufRepo.SignTargets(role, data.DefaultExpires("targets"))
		if err != nil {
			return nil, err
		}
		encoded, err := json.MarshalCanonical(signed)
		if err != nil {
			return nil, err
		}
		meta[role] = encoded
	}

	// Top-level roles come last so the snapshot sees the delegations above.
	rootS, targetsS, snapshotS, timestampS, err := Sign(tufRepo)
	if err != nil {
		return nil, err
	}
	rootB, targetsB, snapshotB, timestampB, err := Serialize(rootS, targetsS, snapshotS, timestampS)
	if err != nil {
		return nil, err
	}

	meta[data.CanonicalRootRole] = rootB
	meta[data.CanonicalTargetsRole] = targetsB
	meta[data.CanonicalSnapshotRole] = snapshotB
	meta[data.CanonicalTimestampRole] = timestampB
	return meta, nil
}