Delegation

README.md

@@ -65,6 +65,25 @@ Stages the removal of files with the given path(s) from the `targets` manifest
 (they get removed from the filesystem when the change is committed). Specifying
 no paths removes all files from the `targets` manifest.
 
+#### `dele-gen-key [--expires=<days>] <role>`
+
+Creates a new delegation role's key. Prompts the user for an encryption passphrase
+(unless the `--insecure-plaintext` flag is set), then generates a new signing key and
+writes it to the relevant key file in the `keys` directory. It also stages
+the addition of the new key to the `target` manifest.
+
+#### `dele-add <names>  [<path>...]`
+
+Hashes files in the `staged/targets` directory at the given path(s), then
+updates and stages the delegated target manifest. Specifying no paths hashes all
+files in the `staged/targets` directory.
+
+#### `dele-remove <name> [<path>...]`
+
+Stages the removal of files with the given path(s) from the certain non-top target manifest
+(they get removed from the filesystem when the change is committed). Specifying
+no paths removes all files from the certain non-top target manifest.
+
 #### `tuf snapshot [--compression=<format>]`
 
 Expects a staged, fully signed `targets` manifest and stages an appropriate
@@ -100,6 +119,11 @@ Removes all staged manifests and targets.
 Outputs a JSON serialized array of root keys to STDOUT. The resulting JSON
 should be distributed to clients for performing initial updates.
 
+#### `tuf target-keys`
+
+Outputs a JSON serialized array of target keys to STDOUT. The resulting JSON
+should be distributed to clients for performing initial updates.
+
 For a list of supported commands, run `tuf help` from the command line.
 
 ### Examples
@@ -152,6 +176,12 @@ Enter targets keys passphrase:
 Repeat targets keys passphrase:
 Generated targets key with ID 8cf4810c
 
+$ tuf dele-gen-key r01
+Enter r01 keys passphrase: 
+Repeat r01 keys passphrase: 
+Enter targets keys passphrase: 
+Generated r01 key with ID 4d6ddd68
+
 $ tuf gen-key snapshot
 Enter snapshot keys passphrase:
 Repeat snapshot keys passphrase:
@@ -165,12 +195,14 @@ Generated timestamp key with ID a3768063
 $ tree .
 .
 ├── keys
+│   ├── r01.json
 │   ├── snapshot.json
 │   ├── targets.json
 │   └── timestamp.json
 ├── repository
 └── staged
     ├── root.json
+    ├── targets.json
     └── targets
 ```
 
@@ -193,39 +225,49 @@ Enter root keys passphrase:
 The staged `root.json` can now be copied back to the repo box ready to be
 committed alongside other manifests.
 
-#### Add a target file
+#### Add target files
 
 Assuming a staged, signed `root` manifest and the file to add exists at
-`staged/targets/foo/bar/baz.txt`:
+`staged/targets/foo/bar/baz.txt` and `staged/targets/sin.txt`:
 
 ```
 $ tree .
 .
 ├── keys
+│   ├── r01.json
+│   ├── root.json
 │   ├── snapshot.json
 │   ├── targets.json
 │   └── timestamp.json
 ├── repository
 └── staged
     ├── root.json
     └── targets
+        ├── sin.txt
         └── foo
             └── bar
                 └── baz.txt
 
 $ tuf add foo/bar/baz.txt
 Enter targets keys passphrase:
 
+$tuf dele-add r01 sin.txt
+Enter r01 keys passphrase:
+
 $ tree .
 .
 ├── keys
+│   ├── r01.json
+│   ├── root.json
 │   ├── snapshot.json
 │   ├── targets.json
 │   └── timestamp.json
 ├── repository
 └── staged
+    ├── r01.json
     ├── root.json
     ├── targets
+    │   ├── sin.txt
     │   └── foo
     │       └── bar
     │           └── baz.txt
@@ -240,14 +282,17 @@ Enter timestamp keys passphrase:
 $ tree .
 .
 ├── keys
+│   ├── r01.json
 │   ├── snapshot.json
 │   ├── targets.json
 │   └── timestamp.json
 ├── repository
 └── staged
+    ├── r01.json
     ├── root.json
     ├── snapshot.json
     ├── targets
+    │   ├── sin.txt
     │   └── foo
     │       └── bar
     │           └── baz.txt
@@ -259,13 +304,17 @@ $ tuf commit
 $ tree .
 .
 ├── keys
+│   ├── r01.json
+│   ├── root.json
 │   ├── snapshot.json
 │   ├── targets.json
 │   └── timestamp.json
 ├── repository
+│   ├── r01.json
 │   ├── root.json
 │   ├── snapshot.json
 │   ├── targets
+│   │   ├── sin.txt
 │   │   └── foo
 │   │       └── bar
 │   │           └── baz.txt
@@ -274,21 +323,26 @@ $ tree .
 └── staged
 ```
 
-#### Remove a target file
+#### Remove target files
 
-Assuming the file to remove is at `repository/targets/foo/bar/baz.txt`:
+Assuming the file to remove is at `repository/targets/foo/bar/baz.txt`
+and `repository/targets/sin.txt`:
 
 ```
 $ tree .
 .
 ├── keys
+│   ├── r01.json
+│   ├── root.json
 │   ├── snapshot.json
 │   ├── targets.json
 │   └── timestamp.json
 ├── repository
+│   ├── r01.json
 │   ├── root.json
 │   ├── snapshot.json
 │   ├── targets
+│   │   ├── sin.txt
 │   │   └── foo
 │   │       └── bar
 │   │           └── baz.txt
@@ -299,22 +353,31 @@ $ tree .
 $ tuf remove foo/bar/baz.txt
 Enter targets keys passphrase:
 
+$tuf dele-remove r01 sin.txt
+Enter r01 keys passphrase:
+
 $ tree .
 .
 ├── keys
+│   ├── r01.json
+│   ├── root.json
 │   ├── snapshot.json
 │   ├── targets.json
 │   └── timestamp.json
 ├── repository
+│   ├── r01.json
 │   ├── root.json
 │   ├── snapshot.json
 │   ├── targets
+│   │   ├── sin.txt
 │   │   └── foo
 │   │       └── bar
 │   │           └── baz.txt
 │   ├── targets.json
 │   └── timestamp.json
 └── staged
+    ├── r01.json
+    ├── targets
     └── targets.json
 
 $ tuf snapshot
@@ -326,10 +389,13 @@ Enter timestamp keys passphrase:
 $ tree .
 .
 ├── keys
+│   ├── r01.json
+│   ├── root.json
 │   ├── snapshot.json
 │   ├── targets.json
 │   └── timestamp.json
 ├── repository
+│   ├── r01.json
 │   ├── root.json
 │   ├── snapshot.json
 │   ├── targets
@@ -339,6 +405,8 @@ $ tree .
 │   ├── targets.json
 │   └── timestamp.json
 └── staged
+    ├── r01.json
+    ├── targets
     ├── snapshot.json
     ├── targets.json
     └── timestamp.json
@@ -348,18 +416,22 @@ $ tuf commit
 $ tree .
 .
 ├── keys
+│   ├── r01.json
+│   ├── root.json
 │   ├── snapshot.json
 │   ├── targets.json
 │   └── timestamp.json
 ├── repository
+│   ├── r01.json
 │   ├── root.json
 │   ├── snapshot.json
 │   ├── targets.json
 │   └── timestamp.json
 └── staged
 ```
 
-#### Regenerate manifests based on targets tree
+#### Regenerate manifests based on targets tree 
+(Haven't finished yet)
 
 ```
 $ tree .
@@ -454,6 +526,7 @@ $ tree .
 ├── keys
 │   └── timestamp.json
 ├── repository
+│   ├── r01.json
 │   ├── root.json
 │   ├── snapshot.json
 │   ├── targets
@@ -472,6 +545,7 @@ $ tree .
 ├── keys
 │   └── timestamp.json
 ├── repository
+│   ├── r01.json
 │   ├── root.json
 │   ├── snapshot.json
 │   ├── targets
@@ -490,6 +564,7 @@ $ tree .
 ├── keys
 │   └── timestamp.json
 ├── repository
+│   ├── r01.json
 │   ├── root.json
 │   ├── snapshot.json
 │   ├── targets

client/interop_test.go

@@ -172,14 +172,13 @@ func (t *testCase) runStep(c *C, stepName string, init bool) {
 	c.Assert(err, IsNil)
 	c.Assert(util.TargetFileMetaEqual(file, meta), IsNil)
 
+	c.Log(t.targets)
 	// download the files and check they have the correct content
-	for name, data := range t.targets {
-		for _, prefix := range []string{"", "/"} {
-			var dest testDestination
-			c.Assert(client.Download(prefix+name, &dest), IsNil)
-			c.Assert(dest.deleted, Equals, false)
-			c.Assert(dest.String(), Equals, string(data))
-		}
+	for _, prefix := range []string{"", "/"} {
+		var dest testDestination
+		c.Assert(client.Download(prefix+targetName, &dest), IsNil)
+		c.Assert(dest.deleted, Equals, false)
+		c.Assert(dest.String(), Equals, string(data))
 	}
 }
 

client/testdata/go-tuf/consistent-snapshot-false/0/repository/snapshot.json

@@ -2,7 +2,7 @@
 	"signatures": [
 		{
 			"keyid": "289e5a9e71afd7909326aa4caea92f7557ee0e2283d8c31f0c3401ce67248a45",
-			"sig": "ead7e8f3a5717ef8316d36f13f870fa70c484a451ced93342b6cd8d52d91b9f49d88278c34b8fab14f6d127f9701e3f272d479794795f5bffc364bf3a441cb08"
+			"sig": "f938670ebfa77e0d5ed9e14b8f975ae8f1092c19f8a47bbec99fcb6259ba4fbcb69dcf8db86534f620b66681a4afa6d54a6f1d62b90301194c27c0664bc64a00"
 		}
 	],
 	"signed": {
@@ -18,9 +18,9 @@
 			},
 			"targets.json": {
 				"hashes": {
-					"sha512": "e0dd9a3833d117cd7bb6fdaae8923d5bda0661cb242be067813bfec3114d83943230b8bb7fcbf093a15d5840f1ecd969f44d3df13e2045d3fb7d22903fbc1bf5"
+					"sha512": "0f7aa68c338c27c00f83713965452237cfc83faf679546d3e21559492d9d382d36a3bfb8465342570de8abc703aad607c07c28d3d6e24745914e5aa445642b61"
 				},
-				"length": 588,
+				"length": 617,
 				"version": 1
 			}
 		},

client/testdata/go-tuf/consistent-snapshot-false/0/repository/targets.json

@@ -2,12 +2,14 @@
 	"signatures": [
 		{
 			"keyid": "808aa256a8172bb0cb961767c6768e55ccf732c99afccc6145752d7a328b7937",
-			"sig": "4d5c3a5da43f3792d077c1128fa28585982ff2957fae59be02a831fc920d0b91cbeaa99fd6c15066ec4da8bf12f993440a90d1624fd7b0a68070e5d60ed2500f"
+			"sig": "5b27c3637faed11eb96662b2801a06045afbd4500d4f4e40c3c2a7d06dd578a33fa5fdf785f23550286d395d48c5cfbd862aec3d2da62e579192bdeda862ee09"
 		}
 	],
 	"signed": {
 		"_type": "targets",
 		"expires": "2100-01-01T00:00:00Z",
+		"keys": {},
+		"roles": {},
 		"spec_version": "1.0",
 		"targets": {
 			"0": {

client/testdata/go-tuf/consistent-snapshot-false/0/repository/timestamp.json

@@ -2,7 +2,7 @@
 	"signatures": [
 		{
 			"keyid": "aa3255b4e8e17e566d2bdbea0e5842978f9fa1d2fa9ec76ae76b146164acbfc8",
-			"sig": "f21f0edf928c8683ad5751ee7e79cbc3eb8c340ae418d93bcda1710c4a8ad0c858576b0d662db20128db2eabf2d4cec1b9babfc71e4171e501981a11f5c6d10f"
+			"sig": "75e1adbaa4ba18441ef3e350894b3df46b2b35d41de7381534969a2868dfd055157b1d91c1d9a3e744688598dc011f6e74183ec7ac623e05692fec9ef847b304"
 		}
 	],
 	"signed": {
@@ -11,7 +11,7 @@
 		"meta": {
 			"snapshot.json": {
 				"hashes": {
-					"sha512": "f4c7e7bc04b386d303f23579ff32f9380831c0ca993974c7e2a40e6ee0eb51f392e315f09cf807a8c09d1b5a0a30bca27b81736d9522af2fd951dd8413eec4a5"
+					"sha512": "3a63c824a494d96a59358d20c901332422c7404e2a217f8f3c98fee0f9489da5fc8e4b59665dd1d53aa508794a26812bf7c42e38077db58640febc7d3e41aaa3"
 				},
 				"length": 847,
 				"version": 1