SourceCode
diff --git a/‎api/client/trust.go‎
Lines changed: 98 additions & 22 deletions b/‎api/client/trust.go‎
Lines changed: 98 additions & 22 deletions
diff --git a/‎docs/security/trust/content_trust.md‎
Lines changed: 10 additions & 15 deletions b/‎docs/security/trust/content_trust.md‎
Lines changed: 10 additions & 15 deletions
diff --git a/‎docs/security/trust/index.md‎
Lines changed: 1 addition & 0 deletions b/‎docs/security/trust/index.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/security/trust/trust_automation.md‎
Lines changed: 2 additions & 1 deletion b/‎docs/security/trust/trust_automation.md‎
Lines changed: 2 additions & 1 deletion
@@ -258,6 +258,11 @@ func (cli *DockerCli) trustedReference(ref reference.NamedTagged) (reference.Can
 	if err != nil {
 		return nil, err
 	}
+	// Only list tags in the top level targets role or the releases delegation role - ignore
+	// all other delegation roles
+	if t.Role != releasesRole && t.Role != data.CanonicalTargetsRole {
+		return nil, notaryError(repoInfo.FullName(), fmt.Errorf("No trust data for %s", ref.Tag()))
+	}
 	r, err := convertTarget(t.Target)
 	if err != nil {
 		return nil, err
@@ -331,13 +336,28 @@ func (cli *DockerCli) trustedPull(repoInfo *registry.RepositoryInfo, ref registr
 				fmt.Fprintf(cli.out, "Skipping target for %q\n", repoInfo.Name())
 				continue
 			}
+			// Only list tags in the top level targets role or the releases delegation role - ignore
+			// all other delegation roles
+			if tgt.Role != releasesRole && tgt.Role != data.CanonicalTargetsRole {
+				continue
+			}
 			refs = append(refs, t)
 		}
+		if len(refs) == 0 {
+			return notaryError(repoInfo.FullName(), fmt.Errorf("No trusted tags for %s", repoInfo.FullName()))
+		}
 	} else {
 		t, err := notaryRepo.GetTargetByName(ref.String(), releasesRole, data.CanonicalTargetsRole)
 		if err != nil {
 			return notaryError(repoInfo.FullName(), err)
 		}
+		// Only get the tag if it's in the top level targets role or the releases delegation role
+		// ignore it if it's in any other delegation roles
+		if t.Role != releasesRole && t.Role != data.CanonicalTargetsRole {
+			return notaryError(repoInfo.FullName(), fmt.Errorf("No trust data for %s", ref.String()))
+		}
+
+		logrus.Debugf("retrieving target for %s role\n", t.Role)
 		r, err := convertTarget(t.Target)
 		if err != nil {
 			return err
@@ -441,39 +461,95 @@ func (cli *DockerCli) trustedPush(repoInfo *registry.RepositoryInfo, tag string,
 		return err
 	}
 
-	if err := repo.AddTarget(target, releasesRole); err != nil {
-		return err
+	// get the latest repository metadata so we can figure out which roles to sign
+	_, err = repo.Update(false)
+
+	switch err.(type) {
+	case client.ErrRepoNotInitialized, client.ErrRepositoryNotExist:
+		keys := repo.CryptoService.ListKeys(data.CanonicalRootRole)
+		var rootKeyID string
+		// always select the first root key
+		if len(keys) > 0 {
+			sort.Strings(keys)
+			rootKeyID = keys[0]
+		} else {
+			rootPublicKey, err := repo.CryptoService.Create(data.CanonicalRootRole, data.ECDSAKey)
+			if err != nil {
+				return err
+			}
+			rootKeyID = rootPublicKey.ID()
+		}
+
+		// Initialize the notary repository with a remotely managed snapshot key
+		if err := repo.Initialize(rootKeyID, data.CanonicalSnapshotRole); err != nil {
+			return notaryError(repoInfo.FullName(), err)
+		}
+		fmt.Fprintf(cli.out, "Finished initializing %q\n", repoInfo.FullName())
+		err = repo.AddTarget(target, data.CanonicalTargetsRole)
+	case nil:
+		// already initialized and we have successfully downloaded the latest metadata
+		err = cli.addTargetToAllSignableRoles(repo, target)
+	default:
+		return notaryError(repoInfo.FullName(), err)
 	}
 
-	err = repo.Publish()
 	if err == nil {
-		fmt.Fprintf(cli.out, "Successfully signed %q:%s\n", repoInfo.FullName(), tag)
-		return nil
-	} else if _, ok := err.(client.ErrRepoNotInitialized); !ok {
+		err = repo.Publish()
+	}
+
+	if err != nil {
 		fmt.Fprintf(cli.out, "Failed to sign %q:%s - %s\n", repoInfo.FullName(), tag, err.Error())
 		return notaryError(repoInfo.FullName(), err)
 	}
 
-	keys := repo.CryptoService.ListKeys(data.CanonicalRootRole)
+	fmt.Fprintf(cli.out, "Successfully signed %q:%s\n", repoInfo.FullName(), tag)
+	return nil
+}
 
-	var rootKeyID string
-	// always select the first root key
-	if len(keys) > 0 {
-		sort.Strings(keys)
-		rootKeyID = keys[0]
-	} else {
-		rootPublicKey, err := repo.CryptoService.Create(data.CanonicalRootRole, data.ECDSAKey)
-		if err != nil {
-			return err
+// Attempt to add the image target to all the top level delegation roles we can
+// (based on whether we have the signing key and whether the role's path allows
+// us to).
+// If there are no delegation roles, we add to the targets role.
+func (cli *DockerCli) addTargetToAllSignableRoles(repo *client.NotaryRepository, target *client.Target) error {
+	var signableRoles []string
+
+	// translate the full key names, which includes the GUN, into just the key IDs
+	allCanonicalKeyIDs := make(map[string]struct{})
+	for fullKeyID := range repo.CryptoService.ListAllKeys() {
+		allCanonicalKeyIDs[path.Base(fullKeyID)] = struct{}{}
+	}
+
+	allDelegationRoles, err := repo.GetDelegationRoles()
+	if err != nil {
+		return err
+	}
+
+	// if there are no delegation roles, then just try to sign it into the targets role
+	if len(allDelegationRoles) == 0 {
+		return repo.AddTarget(target, data.CanonicalTargetsRole)
+	}
+
+	// there are delegation roles, find every delegation role we have a key for, and
+	// attempt to sign into into all those roles.
+	for _, delegationRole := range allDelegationRoles {
+		// We do not support signing any delegation role that isn't a direct child of the targets role.
+		// Also don't bother checking the keys if we can't add the target
+		// to this role due to path restrictions
+		if path.Dir(delegationRole.Name) != data.CanonicalTargetsRole || !delegationRole.CheckPaths(target.Name) {
+			continue
+		}
+
+		for _, canonicalKeyID := range delegationRole.KeyIDs {
+			if _, ok := allCanonicalKeyIDs[canonicalKeyID]; ok {
+				signableRoles = append(signableRoles, delegationRole.Name)
+				break
+			}
 		}
-		rootKeyID = rootPublicKey.ID()
 	}
 
-	// Initialize the notary repository with a remotely managed snapshot key
-	if err := repo.Initialize(rootKeyID, data.CanonicalSnapshotRole); err != nil {
-		return notaryError(repoInfo.FullName(), err)
+	if len(signableRoles) == 0 {
+		return fmt.Errorf("no valid signing keys for delegation roles")
 	}
-	fmt.Fprintf(cli.out, "Finished initializing %q\n", repoInfo.FullName())
 
-	return notaryError(repoInfo.FullName(), repo.Publish())
+	return repo.AddTarget(target, signableRoles...)
 }
@@ -108,19 +108,13 @@ $ docker pull someimage@sha256:d149ab53f8718e987c3a3024bb8aa0e2caadf6c0328f1d9d8
 ```
 
 Trust for an image tag is managed through the use of signing keys. A key set is
-created when an operation using content trust is first invoked. Docker's content
-trust makes use of four different keys:
+created when an operation using content trust is first invoked. A key set consists
+of the following classes of keys:
 
-| Key                 | Description                                                                                                                                                                                                                                                                                                                                                                         |
-|---------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| root key         | Root of content trust for a image tag. When content trust is enabled, you create the root key once. |
-| target and snapshot | These two keys are known together as the "repository" key. When content trust is enabled, you create this key when you add a new image repository. If you have the root key, you can export the repository key and allow other publishers to sign the image tags.    |
-| timestamp           | This key applies to a repository. It allows Docker repositories to have freshness security guarantees without requiring periodic content refreshes on the client's side.                                                                                                              |
-
-With the exception of the timestamp, all the keys are generated and stored locally
-client-side. The timestamp is safely generated and stored in a signing server that
-is deployed alongside the Docker registry. All keys are generated in a backend
-service that isn't directly exposed to the internet and are encrypted at rest.
+- an offline key that is the root of content trust for a image tag
+- repository or tagging keys that sign tags
+- server-managed keys such as the timestamp key, which provides freshness
+	security guarantees for your repository
 
 The following image depicts the various signing keys and their relationships:
 
@@ -133,9 +127,9 @@ The following image depicts the various signing keys and their relationships:
 >tag from this repository prior to the loss.
 
 You should backup the root key somewhere safe. Given that it is only required
-to create new repositories, it is a good idea to store it offline. Make sure you
-read [Manage keys for content trust](trust_key_mng.md) information
-for details on securing, and backing up your keys. 
+to create new repositories, it is a good idea to store it offline.
+For details on securing, and backing up your keys, make sure you
+read how to [manage keys for content trust](trust_key_mng.md).
 
 ## Survey of typical content trust operations
 
@@ -302,4 +296,5 @@ $  docker push --disable-content-trust docker/trusttest:untrusted
 
 * [Manage keys for content trust](trust_key_mng.md)
 * [Automation with content trust](trust_automation.md)
+* [Delegations for content trust](trust_delegation.md)
 * [Play in a content trust sandbox](trust_sandbox.md)
@@ -17,4 +17,5 @@ The following topics are available:
 * [Content trust in Docker](content_trust.md)
 * [Manage keys for content trust](trust_key_mng.md)
 * [Automation with content trust](trust_automation.md)
+* [Delegations for content trust](trust_delegation.md)
 * [Play in a content trust sandbox](trust_sandbox.md)
@@ -73,7 +73,8 @@ unable to process Dockerfile: No trust data for notrust
 
 ## Related information
 
-* [Content trust in Docker](content_trust.md) 
+* [Content trust in Docker](content_trust.md)
 * [Manage keys for content trust](trust_key_mng.md)
+* [Delegations for content trust](trust_delegation.md)
 * [Play in a content trust sandbox](trust_sandbox.md)