Finished release 0.4.0.

CHANGELOG.md

@@ -1,5 +1,29 @@
 # Changelog
 
+## [v0.4.0](https://github.com/docker/notary/releases/tag/v0.4.0) 8/11/2016
++ Server-managed key rotations [#889](https://github.com/docker/notary/pull/889)
++ Remove `timestamp_keys` table, which stored redundant information [#889](https://github.com/docker/notary/pull/889)
++ Introduce `notary delete` command to delete local and/or remote repo data [#895](https://github.com/docker/notary/pull/895)
++ Introduce `notary witness` command to stage signatures for specified roles [#875](https://github.com/docker/notary/pull/875)
++ Add `-p` flag to offline commands to attempt auto-publish [#886](https://github.com/docker/notary/pull/886) [#912](https://github.com/docker/notary/pull/912) [#923](https://github.com/docker/notary/pull/923)
++ Introduce `notary reset` command to manage staged changes [#959](https://github.com/docker/notary/pull/959) [#856](https://github.com/docker/notary/pull/856)
++ Add `--rootkey` flag to `notary init` to provide a private root key for a repo [#801](https://github.com/docker/notary/pull/801)
++ Introduce `notary delegation purge` command to remove a specified key from all delegations [#855](https://github.com/docker/notary/pull/855)
++ Removed HTTP endpoint from notary-signer [#870](https://github.com/docker/notary/pull/870)
++ Refactored and unified key storage [#825](https://github.com/docker/notary/pull/825)
++ Batched key import and export now operate on PEM files (potentially with multiple blocks) instead of ZIP [#825](https://github.com/docker/notary/pull/825) [#882](https://github.com/docker/notary/pull/882)
++ Add full database integration test-suite [#824](https://github.com/docker/notary/pull/824) [#854](https://github.com/docker/notary/pull/854) [#863](https://github.com/docker/notary/pull/863)
++ Improve notary-server, trust pinning, and yubikey logging [#798](https://github.com/docker/notary/pull/798) [#858](https://github.com/docker/notary/pull/858) [#891](https://github.com/docker/notary/pull/891)
++ Warn if certificates for root or delegations are near expiry [#802](https://github.com/docker/notary/pull/802)
++ Warn if role metadata is near expiry [#786](https://github.com/docker/notary/pull/786)
++ Reformat CLI table output to use the `text/tabwriter` package [#809](https://github.com/docker/notary/pull/809)
++ Fix passphrase retrieval attempt counting and terminal detection [#906](https://github.com/docker/notary/pull/906)
++ Fix listing nested delegations [#864](https://github.com/docker/notary/pull/864)
++ Bump go version to 1.6.3, fix go1.7 compatibility [#851](https://github.com/docker/notary/pull/851) [#793](https://github.com/docker/notary/pull/793)
++ Convert docker-compose files to v2 format [#755](https://github.com/docker/notary/pull/755)
++ Validate root rotations against trust pinning [#800](https://github.com/docker/notary/pull/800)
++ Update fixture certificates for two-year expiry window [#951](https://github.com/docker/notary/pull/951)
+
 ## [v0.3.0](https://github.com/docker/notary/releases/tag/v0.3.0) 5/11/2016
 + Root rotations
 + RethinkDB support as a storage backend for Server and Signer

Makefile

@@ -107,7 +107,7 @@ endif
 	@test -z "$$(go tool vet -printf=false . 2>&1 | grep -v vendor/ | tee /dev/stderr)"
 	# misspell - requires that the following be run first:
 	#    go get -u github.com/client9/misspell/cmd/misspell
-	@test -z "$$(find . -name '*' | grep -v vendor/ | grep -v bin/ | grep -v misc/ | grep -v .git/ | grep -v \.pdf | xargs misspell | tee /dev/stderr)"
+	@test -z "$$(find . -type f | grep -v vendor/ | grep -v bin/ | grep -v misc/ | grep -v .git/ | grep -v \.pdf | xargs misspell | tee /dev/stderr)"
 	# ineffassign - requires that the following be run first:
 	#    go get -u github.com/gordonklaus/ineffassign
 	@test -z "$(shell find . -type f -name "*.go" -not -path "./vendor/*" -not -name "*.pb.*" -exec ineffassign {} \; | tee /dev/stderr)"
@@ -126,7 +126,7 @@ test:
 	go test -tags "${NOTARY_BUILDTAGS}" $(TESTOPTS) $(PKGS)
 
 integration: TESTDB = mysql
-integration:
+integration: clean
 	buildscripts/integrationtest.sh $(TESTDB)
 
 testdb: TESTDB = mysql
@@ -192,8 +192,7 @@ shell: notary-dockerfile
 
 cross: notary-dockerfile
 	@rm -rf $(CURDIR)/cross
-	docker run --rm -v $(CURDIR)/cross:$(NOTARYDIR)/cross -e NOTARY_BUILDTAGS=$(NOTARY_BUILDTAGS) notary buildscripts/cross.sh $(GOOSES)
-
+	docker run --rm -v $(CURDIR)/cross:$(NOTARYDIR)/cross -e CTIMEVAR="${CTIMEVAR}" -e NOTARY_BUILDTAGS=$(NOTARY_BUILDTAGS) notary buildscripts/cross.sh $(GOOSES)
 
 clean:
 	@echo "+ $@"

NOTARY_VERSION

@@ -1 +1 @@
-0.3
+0.4

buildscripts/cross.sh

@@ -1,5 +1,10 @@
 #!/usr/bin/env bash
 
+# This script cross-compiles static (when possible) binaries for supported OS's
+# architectures.  The Linux binary is completely static, whereas Mac OS binary
+# has libtool statically linked in. but is otherwise not static because you
+# cannot statically link to system libraries in Mac OS.
+
 GOARCH="amd64"
 
 if [[ "${NOTARY_BUILDTAGS}" == *pkcs11* ]]; then
@@ -15,19 +20,23 @@ for os in "$@"; do
 	if [[ "${GOOS}" == "darwin" ]]; then
 		export CC="o64-clang"
 		export CXX="o64-clang++"
-		# -ldflags=-s:  see https://github.com/golang/go/issues/11994
-		export LDFLAGS="${GO_LDFLAGS} -ldflags=-s"
+		# -ldflags=-s:  see https://github.com/golang/go/issues/11994 - TODO: this has been fixed in go 1.7.1
+		# darwin binaries can't be compiled to be completely static with the -static flag
+		LDFLAGS="-s"
 	else
 		unset CC
 		unset CXX
-		LDFLAGS="${GO_LDFLAGS}"
+		LDFLAGS="-extldflags -static"
 	fi
 
 	mkdir -p "${NOTARYDIR}/cross/${GOOS}/${GOARCH}";
+
+	set -x;
 	go build \
 		-o "${NOTARYDIR}/cross/${GOOS}/${GOARCH}/notary" \
 		-a \
 		-tags "${NOTARY_BUILDTAGS}" \
-		${LDFLAGS} \
+		-ldflags "-w ${CTIMEVAR} ${LDFLAGS}"  \
 		./cmd/notary;
+	set +x;
 done

misc/dockertest.py → buildscripts/dockertest.py

@@ -12,6 +12,7 @@
 import re
 import shutil
 import subprocess
+import tarfile
 from tempfile import mkdtemp
 from time import sleep, time
 import urllib
@@ -23,17 +24,13 @@
 # binary name) for these if you do not want them downloaded, otherwise these
 # can be ignored.  Up to you to make sure you are running the correct daemon
 # version.
-DOCKERS = {
-    "1.8": "docker-1.8.3",
-    "1.9": "docker-1.9.1",
-    "1.10": "docker",
-}
+DOCKERS = {}
 
 # delete any of these if you want to specify the docker binaries yourself
 DOWNLOAD_DOCKERS = {
-    "1.8": ("https://get.docker.com", "docker-1.8.3"),
-    "1.9": ("https://get.docker.com", "docker-1.9.1"),
-    "1.10": ("https://get.docker.com", "docker-1.10.3")
+    "1.10": ("https://get.docker.com", "docker-1.10.3"),
+    "1.11": ("https://get.docker.com", "docker-1.11.2"),
+    "1.12": ("https://get.docker.com", "docker-1.12.0"),
 }
 
 # please replace with private registry if you want to test against a private
@@ -81,15 +78,40 @@ def download_docker(download_dir="/tmp"):
     downloadfile = urllib.URLopener()
     for version in DOWNLOAD_DOCKERS:
         domain, binary = DOWNLOAD_DOCKERS[version]
-        filename = os.path.join(download_dir, binary)
-        if not os.path.isfile(filename):
+        tarfilename = os.path.join(download_dir, binary+".tgz")
+        extractdir = os.path.join(download_dir, binary)
+
+        DOCKERS[version] = os.path.join(extractdir, "docker")
+
+        # we already have that version
+        if os.path.isfile(os.path.join(extractdir, "docker")):
+            continue
+
+        if not os.path.isdir(extractdir):
+            os.makedirs(extractdir)
+
+        if not os.path.isfile(tarfilename):
             url = urljoin(
-                domain, "/".join(["builds", system, architecture, binary]))
+                # as of 1.10 docker downloads are tar-ed due to potentially containing containerd etc.
+                # note that for windows (which we don't currently support), it's a .zip file
+                domain, "/".join(["builds", system, architecture, binary+".tgz"]))
             print("Downloading", url)
-            downloadfile.retrieve(url, filename)
+            downloadfile.retrieve(url, tarfilename)
+
+        with tarfile.open(tarfilename, 'r:gz') as tf:
+            for member in tf.getmembers():
+                if not member.isfile():
+                    continue
+
+                archfile = tf.extractfile(member)
+                fname = os.path.join(extractdir, os.path.basename(member.name))
+                with open(fname, 'wb') as writefile:
+                    writefile.write(archfile.read())
+                os.chmod(fname, 0755)
+
+        if not os.path.isfile(DOCKERS[version]):
+            raise Exception("Extracted {0} to {1} but could not find {1}".format(tarfilename, extractdir, filename))
 
-        os.chmod(filename, 0755)
-        DOCKERS[version] = filename
 
 def setup():
     """
@@ -249,7 +271,7 @@ def push(fout, docker_version, image, tag):
 
     # tag image with the docker version
     run_cmd(
-        "{0} tag -f alpine {1}:{2}".format(DOCKERS[docker_version], image, tag),
+        "{0} tag alpine {1}:{2}".format(DOCKERS[docker_version], image, tag),
         fout)
 
     # push!
@@ -260,7 +282,7 @@ def push(fout, docker_version, image, tag):
     size = _SIZE_REGEX.search(output).group(1)
 
     # sleep for 1s after pushing, just to let things propagate :)
-    time.sleep(1)
+    sleep(1)
 
     # list
     targets = notary_list(fout, image)