vendor: github.com/theupdateframework/notary v0.7.0

update the dependency to v0.7.0 to be closer to what docker/cli uses;
https://github.com/theupdateframework/notary/compare/v0.6.1...v0.7.0

Note that docker/cli is slightly ahead of v0.7.0, and uses bf96a202a09a;
https://github.com/theupdateframework/notary/compare/v0.7.0...bf96a202a09a

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

vendor/github.com/theupdateframework/notary/tuf/builder.go

@@ -359,7 +359,7 @@ func (rb *repoBuilder) GenerateSnapshot(prev *data.SignedSnapshot) ([]byte, int,
 
 	// loadedNotChecksummed should currently contain the root awaiting checksumming,
 	// since it has to have been loaded.  Since the snapshot was generated using
-	// the root and targets data (there may not be any) that that have been loaded,
+	// the root and targets data (there may not be any) that have been loaded,
 	// remove all of them from rb.loadedNotChecksummed
 	for tgtName := range rb.repo.Targets {
 		delete(rb.loadedNotChecksummed, data.RoleName(tgtName))

vendor/github.com/theupdateframework/notary/tuf/data/keys.go

@@ -12,9 +12,9 @@ import (
 	"io"
 	"math/big"
 
-	"github.com/agl/ed25519"
 	"github.com/docker/go/canonical/json"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/crypto/ed25519"
 )
 
 // PublicKey is the necessary interface for public keys
@@ -484,9 +484,10 @@ func (k RSAPrivateKey) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts)
 
 // Sign creates an ed25519 signature
 func (k ED25519PrivateKey) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) (signature []byte, err error) {
-	priv := [ed25519.PrivateKeySize]byte{}
-	copy(priv[:], k.private[ed25519.PublicKeySize:])
-	return ed25519.Sign(&priv, msg)[:], nil
+	priv := make([]byte, ed25519.PrivateKeySize)
+	// The ed25519 key is serialized as public key then private key, so just use private key here.
+	copy(priv, k.private[ed25519.PublicKeySize:])
+	return ed25519.Sign(ed25519.PrivateKey(priv), msg)[:], nil
 }
 
 // Sign on an UnknownPrivateKey raises an error because the client does not

vendor/github.com/theupdateframework/notary/tuf/data/roles.go

@@ -55,7 +55,7 @@ func (e ErrInvalidRole) Error() string {
 
 // ValidRole only determines the name is semantically
 // correct. For target delegated roles, it does NOT check
-// the the appropriate parent roles exist.
+// the appropriate parent roles exist.
 func ValidRole(name RoleName) bool {
 	if IsDelegation(name) {
 		return true

vendor/github.com/theupdateframework/notary/tuf/data/snapshot.go

@@ -59,7 +59,7 @@ func IsValidSnapshotStructure(s Snapshot) error {
 	return nil
 }
 
-// NewSnapshot initilizes a SignedSnapshot with a given top level root
+// NewSnapshot initializes a SignedSnapshot with a given top level root
 // and targets objects
 func NewSnapshot(root *Signed, targets *Signed) (*SignedSnapshot, error) {
 	logrus.Debug("generating new snapshot...")

vendor/github.com/theupdateframework/notary/tuf/data/targets.go

@@ -54,7 +54,7 @@ func isValidTargetsStructure(t Targets, roleName RoleName) error {
 	return nil
 }
 
-// NewTargets intiializes a new empty SignedTargets object
+// NewTargets initializes a new empty SignedTargets object
 func NewTargets() *SignedTargets {
 	return &SignedTargets{
 		Signatures: make([]Signature, 0),

vendor/github.com/theupdateframework/notary/tuf/data/types.go

@@ -186,7 +186,7 @@ type FileMeta struct {
 
 // Equals returns true if the other FileMeta object is equivalent to this one
 func (f FileMeta) Equals(o FileMeta) bool {
-	if o.Length != f.Length || len(f.Hashes) != len(f.Hashes) {
+	if o.Length != f.Length || len(o.Hashes) != len(f.Hashes) {
 		return false
 	}
 	if f.Custom == nil && o.Custom != nil || f.Custom != nil && o.Custom == nil {

vendor/github.com/theupdateframework/notary/tuf/signed/interface.go

@@ -39,7 +39,7 @@ type CryptoService interface {
 	KeyService
 }
 
-// Verifier defines an interface for verfying signatures. An implementer
+// Verifier defines an interface for verifying signatures. An implementer
 // of this interface should verify signatures for one and only one
 // signing scheme.
 type Verifier interface {

vendor/github.com/theupdateframework/notary/tuf/signed/sign.go

@@ -87,7 +87,8 @@ func Sign(service CryptoService, s *data.Signed, signingKeys []data.PublicKey,
 		})
 	}
 
-	for _, sig := range s.Signatures {
+	for i := range s.Signatures {
+		sig := s.Signatures[i]
 		if _, ok := signingKeyIDs[sig.KeyID]; ok {
 			// key is in the set of key IDs for which a signature has been created
 			continue

vendor/github.com/theupdateframework/notary/tuf/signed/verifiers.go

@@ -10,9 +10,9 @@ import (
 	"fmt"
 	"math/big"
 
-	"github.com/agl/ed25519"
 	"github.com/sirupsen/logrus"
 	"github.com/theupdateframework/notary/tuf/data"
+	"golang.org/x/crypto/ed25519"
 )
 
 const (
@@ -39,26 +39,26 @@ func (v Ed25519Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) erro
 	if key.Algorithm() != data.ED25519Key {
 		return ErrInvalidKeyType{}
 	}
-	var sigBytes [ed25519.SignatureSize]byte
+	sigBytes := make([]byte, ed25519.SignatureSize)
 	if len(sig) != ed25519.SignatureSize {
 		logrus.Debugf("signature length is incorrect, must be %d, was %d.", ed25519.SignatureSize, len(sig))
 		return ErrInvalid
 	}
-	copy(sigBytes[:], sig)
+	copy(sigBytes, sig)
 
-	var keyBytes [ed25519.PublicKeySize]byte
+	keyBytes := make([]byte, ed25519.PublicKeySize)
 	pub := key.Public()
 	if len(pub) != ed25519.PublicKeySize {
 		logrus.Errorf("public key is incorrect size, must be %d, was %d.", ed25519.PublicKeySize, len(pub))
 		return ErrInvalidKeyLength{msg: fmt.Sprintf("ed25519 public key must be %d bytes.", ed25519.PublicKeySize)}
 	}
-	n := copy(keyBytes[:], key.Public())
+	n := copy(keyBytes, key.Public())
 	if n < ed25519.PublicKeySize {
 		logrus.Errorf("failed to copy the key, must have %d bytes, copied %d bytes.", ed25519.PublicKeySize, n)
 		return ErrInvalid
 	}
 
-	if !ed25519.Verify(&keyBytes, msg, &sigBytes) {
+	if !ed25519.Verify(ed25519.PublicKey(keyBytes), msg, sigBytes) {
 		logrus.Debugf("failed ed25519 verification")
 		return ErrInvalid
 	}

vendor/github.com/theupdateframework/notary/tuf/utils/pkcs8.go

@@ -39,7 +39,7 @@ import (
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
-	"crypto/sha1"
+	"crypto/sha1" // #nosec
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"

vendor/github.com/theupdateframework/notary/tuf/utils/utils.go

@@ -30,7 +30,7 @@ func RoleNameSliceContains(ss []data.RoleName, s data.RoleName) bool {
 	return false
 }
 
-// RoleNameSliceRemove removes the the given RoleName from the slice, returning a new slice
+// RoleNameSliceRemove removes the given RoleName from the slice, returning a new slice
 func RoleNameSliceRemove(ss []data.RoleName, s data.RoleName) []data.RoleName {
 	res := []data.RoleName{}
 	for _, v := range ss {

vendor/github.com/theupdateframework/notary/tuf/utils/x509.go

@@ -16,10 +16,10 @@ import (
 	"math/big"
 	"time"
 
-	"github.com/agl/ed25519"
 	"github.com/sirupsen/logrus"
 	"github.com/theupdateframework/notary"
 	"github.com/theupdateframework/notary/tuf/data"
+	"golang.org/x/crypto/ed25519"
 )
 
 // CanonicalKeyID returns the ID of the public bytes version of a TUF key.