Support deprecating old root keys after rotation

[ecordell]

This adds support for root key rotation as described in #835.

Previously, old root keys needed to sign for all subsequent root.json files in perpetuity. This changes root rotation so that new keys are trusted if signed by the previous root key/threshold. To support this behavior, root files can now be requested by version number from the server.

This also adds an additional command line flag for rotate, --key, which allows specifying keys to rotate the root to. This supports specifying multiple keys, but all must be available to sign locally (i.e. this doesn't support threshold/witness behavior at the moment).

Example:

# test/collection root.json signed by A, B
$ notary key rotate test/collection root --key=C --key=D
# test/collection root.json now signed by A, B, C, D
$ notary key rotate test/collection root --key=E
# test/collection root.json now signed by C, D, E

Closes #1014
Closes #835

[docker-jenkins]

Can one of the admins verify this patch?

[HuKeping]

would you mind if moving this package up to those canonical packages

[ecordell]

Will do - could've sworn gofmt does this for you.

[riyazdf]

can we document what keyList is in the function description?

[riyazdf]

thanks @ecordell for your work on this! I have a couple of things:

• I want to echo my comment about whether we should allow non-root roles to rotate to multiple keys -- it's fine with me but if so we should make sure it's adequately tested in unit and integration tests. I'm also fine with leaving the scope of this PR to only root-roles and expanding on this later.
• nit: can we rename the PR to something like Support specifying specific keys on root rotation? It's a little confusing because root key rotation is technically already supported :)

[ecordell]

@riyazdf thanks for taking a look!

1. Responded inline, but currently this will fail for non-root roles because the non-root keys are not generally encrypted. I dislike that this is an implicit restriction so I think we should choose one way or the other and I'll update.
2. I'll update the title

[cyli]

This function can probably be removed too.

[cyli]

This function can probably be removed too.

[cyli]

This function can probably be removed too.

[cyli]

This function can probably be removed too.

[cyli]

@ecordell
Thanks for adding the version skip test! (2) TestRootRoleInvariant tests that the latest root does not validate, but not intermediate downloaded roots, and (3) TestUpdateFailsIfServerRootKeyChangedWithoutMultiSign tests that if the cached root is expired, then an update succeeds so long as the new root is valid.

We were thinking for (3) something like having the local cache at v1 (either expired or not), and downloading an expired v2 and a valid v3? It should successfully update to v3.

Similarly for (2), except v2 is not properly rotated. The only reason being because some checks are skipped for intermediate roots (like checksum and expiry), and this would validate that the root signing is validated for the intermediate roots.

[ecordell]

@cyli I gotcha - I added those extra tests to be safe, thanks for clarifying.

I also removed those other GetKeyInfo methods - somehow I missed them, sorry about that.

[cyli]

@ecordell Thanks for adding them!

I also removed those other GetKeyInfo methods - somehow I missed them, sorry about that.

Not at all, easy to lose track :)

[cyli]

jenkins, test this please

[cyli]

LGTM! Thank you so much for all your work and patience on this @ecordell!

[ecordell]

Thanks! I've rebased on master, so hopefully everything will be good shortly.

[cyli]

Jenkins, test this please

[endophage]

Followup PR: I think we can remove this function. I don't think it's used anywhere with the new root rotation logic.

[endophage]

LGTM.

@ecordell thank you for all the hard work and perseverance on this. Conceptually and concretely I think this root rotation methodology is an outstanding improvement to both the TUF spec and Notary.

[riyazdf]

couple of nits between myself and @endophage's comment that can be followed up in a subsequent PR.

Overall LGTM, thank you for continuously working through this PR! 🎉

[riyazdf]

followup PR: I'm pretty happy with this function but would like to add some unit tests around overly large or negative legacyVersions and the skipping logic

[HuKeping]

Thanks for your patience and great work on this @ecordell !

[ecordell]

Thanks for all of the reviews! I can't merge myself if someone with write access would like to :) Glad to finally have this wrapped up.