From 7a845ae2645a1ee7b3bf53c778766b4d5d6100c5 Mon Sep 17 00:00:00 2001 From: Vladimir Diaz Date: Mon, 5 Feb 2018 17:20:13 -0500 Subject: [PATCH 1/2] Add --sign command-line option Signed-off-by: Vladimir Diaz --- tuf/scripts/repo.py | 56 +++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 54 insertions(+), 2 deletions(-) diff --git a/tuf/scripts/repo.py b/tuf/scripts/repo.py index cea3c267..1a6fd164 100755 --- a/tuf/scripts/repo.py +++ b/tuf/scripts/repo.py @@ -25,6 +25,7 @@ $ repo.py --init [--consistent_snapshot, --bare, --path] $ repo.py --add ... [--path, --recursive] + $ repo.py --sign --role $ repo.py --verbose $ repo.py --clean [--path] """ @@ -53,7 +54,7 @@ import securesystemslib # See 'log.py' to learn how logging is handled in TUF. -logger = logging.getLogger('tuf.script.repo') +logger = logging.getLogger('tuf.scripts.repo') repo_tool.disable_console_log_messages() @@ -102,7 +103,7 @@ def process_arguments(parsed_arguments): logger.debug('We have a valid argparse Namespace: ' + repr(parsed_arguments)) # TODO: Process all of the supported command-line actions. --init, --clean, - # --add are currently implemented. + # --add, --sign are currently implemented. if parsed_arguments.init: init_repo(parsed_arguments) 
@@ -112,6 +113,53 @@ def process_arguments(parsed_arguments): if parsed_arguments.add: add_targets(parsed_arguments) + if parsed_arguments.sign: + sign_role(parsed_arguments) + + + +def sign_role(parsed_arguments): + + repository = repo_tool.load_repository( + os.path.join(parsed_arguments.path, REPO_DIR)) + + # Was a private key path given with --sign? If so, load the specified + # private key. Otherwise, load the default key path. + if parsed_arguments.sign != '.': + role_privatekey = repo_tool.import_ecdsa_privatekey_from_file( + parsed_arguments.sign) + + else: + role_privatekey = repo_tool.import_ecdsa_privatekey_from_file( + os.path.join(parsed_arguments.path, KEYSTORE_DIR, TARGETS_KEY_NAME), + parsed_arguments.pw) + + if parsed_arguments.role == 'targets': + repository.targets.load_signing_key(role_privatekey) + + elif parsed_arguments.role in ['snapshot', 'timestamp']: + pass + + else: + repository.targets(parsed_arguments.role).load_signing_key(role_privatekey) + + # Update the required top-level roles, Snapshot and Timestamp, to make a new + # release. + snapshot_private = repo_tool.import_ecdsa_privatekey_from_file( + os.path.join(parsed_arguments.path, KEYSTORE_DIR, SNAPSHOT_KEY_NAME), + parsed_arguments.pw) + timestamp_private = repo_tool.import_ecdsa_privatekey_from_file( + os.path.join(parsed_arguments.path, KEYSTORE_DIR, + TIMESTAMP_KEY_NAME), parsed_arguments.pw) + + repository.snapshot.load_signing_key(snapshot_private) + repository.timestamp.load_signing_key(timestamp_private) + + repository.writeall() + + # Move staged metadata directory to "live" metadata directory. + write_to_live_repo() + def clean_repo(parsed_arguments): 
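Review bot: In sign_role, the `elif parsed_arguments.role in ['snapshot', 'timestamp']: pass` branch discards the key that was just loaded from `--sign`, so `--sign /path/to/key --role timestamp` (the exact example added to CLI.md in the second patch) signs Timestamp with the default keystore key rather than the one the user named. Replacing `pass` with `getattr(repository, parsed_arguments.role).load_signing_key(role_privatekey)` would honour the supplied key; the unconditional loading of the keystore Snapshot and Timestamp keys that follows would then add a second signature, which may or may not be intended and should at least be stated in the comment above it. The explicit-path branch also calls `import_ecdsa_privatekey_from_file(parsed_arguments.sign)` without `parsed_arguments.pw`, unlike every other call in the function — if the helper needs a password for encrypted keys this presumably prompts or fails, so it looks like an omission. The new function has no docstring; a one-liner such as `"""Sign the metadata of --role with the --sign key (or the keystore default), then re-sign Snapshot and Timestamp and publish the staged metadata."""` would help, and `write_to_live_repo()` is called with no arguments although the repository path comes from `parsed_arguments.path` everywhere else in this function — worth confirming against its definition, which is outside this hunk.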
@@ -374,6 +422,10 @@ def parse_arguments(): choices=[True, False], const=True, default=False, help='Specify whether a directory should be processed recursively.') + parser.add_argument('--sign', nargs='?', type=str, const='.', + default=None, help='Sign --role (Targets role, if' + ' --role is unset) with the specified key.') + parser.add_argument('--role', nargs='?', type=str, const='targets', default='targets', help='Specify a role.') From c3b05a8e0542db518e7e3a75a8a2e93f006c3728 Mon Sep 17 00:00:00 2001 From: Vladimir Diaz Date: Mon, 5 Feb 2018 17:20:31 -0500 Subject: [PATCH 2/2] Document --sign option in CLI.md Signed-off-by: Vladimir Diaz --- docs/CLI.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/docs/CLI.md b/docs/CLI.md index 52a3ee5e..7050e054 100644 --- a/docs/CLI.md +++ b/docs/CLI.md @@ -67,6 +67,29 @@ $ repo.py --add --path +## Sign metadata ## +Sign, using the specified key argument, the metadata of the role indicated by +--role. If no key argument or --role is given, the Targets role or its key is +used. The Snapshot and Timestamp role are also automatically signed, if +possible. +```Bash +$ repo.py --sign +$ repo.py --sign +$ repo.py --sign [--role ] +$ repo.py --sign [--role , --path ] +``` + +For example, to sign a new Timestamp: +```Bash +$ repo.py --sign /path/to/timestamp_key --role timestamp +``` + +Note: In the future, the user might be given the option of disabling automatic +signing of Snapshot and Timestamp metadata. Also, only ECDSA keys are +presently supported, but other key types will be added. + + + ## Verbosity ## Set the verbosity of the logger (2, by default). Logger messages are saved to @@ -75,6 +98,8 @@ Set the verbosity of the logger (2, by default). Logger messages are saved to $ repo.py --verbose <0-5> ``` + + ## Clean ## Remove the files created via `repo.py --init`.
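Review bot: `const='.'` makes a legitimate relative path stand in for "no key path given", and sign_role relies on `parsed_arguments.sign != '.'` to tell the two apart, so the option's meaning depends on a sentinel the user can also type. A sentinel that is not a usable path, defined once as a module-level constant and referenced by both this `add_argument` call and the comparison in sign_role, would make the convention explicit and keep the two places from drifting. The help string could also say where the default key is read from, for example `help='Sign --role (Targets role, if --role is unset) with the specified key; without a path the role key from the repository keystore is used.'`.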