ouch -- 7,239 additions and 1,854 deletions.
Someone's been busy!

the commits are separated to make it easier

Ping @tianon there are various parts about this that I hate that I hope you have a better solution for but the 2 biggest ones: 

1. How to have a dependency in the deb for only experimental, I kinda like how I did it w the rpm but unsure how to do something like that w a control file
2. We need a latest clang version for compiling and avoiding clang warnings but as you can see their packages don't alias clang-3.8 as /usr/bin/clang 😞

Such struggles w this one I hate it all a bit myself

yes i know I have informed them

@jfrazelle does the software actually shell out to yubico-piv-tool? I don't think our dependency on it is quite at the level of Recommends, since it's not actually required for most users, but Suggests sounds pretty appropriate (https://www.debian.org/doc/debian-policy/ch-relationships.html#s-binarydeps for reference).

Until it moves out of experimental, we could do something like we do with putting apparmor into Recommends; ie, https://github.com/docker/docker/blob/9c6e3396ef7ba44837ffaede0345ab3a105e8116/hack/make/.build-deb/rules#L6-L7, so something like:

    echo 'yubico:Suggests=$(shell [ "$DOCKER_EXPERIMENTAL" ] && echo yubico-piv-tool)' >> debian/docker-engine.substvars

there in override_dh_gencontrol and Suggests: ${yubico:Suggests} over in debian/control like https://github.com/docker/docker/blob/9c6e3396ef7ba44837ffaede0345ab3a105e8116/hack/make/.build-deb/control#L15

Is this a tool users of a Yubi are likely to have installed for other Yubi things, or is it something more specific to the way we use the Yubi inside Notary?

Also, if the tool isn't installed and a user attempts to use it for something within Docker, does a nice error message bubble up to the level of the client?

It dlopens an so file or dylib depending on architecture so I think recommends? Or whatever you think is best

It includes the so

Shit I think it's their deb package that it's in... :( this could be a problem because we were going to have to build these and I wasn't planning on building that one

Because we have to have version 1.1.0

Let me look into the lib one making a patch for it so we can get 1.1.0 on like wheezy and jessie etc

So close to flipping a table this entire PR is a gigantic nightmare

FWIW the rpm installs the so :( so that ones correct

This one is what I was going to package for our repo 

https://github.com/Yubico/yubico-piv-tool-dpkg
With https://github.com/jfrazelle/repo-pkg

@tianon @jfrazelle the yubico-piv-tool is actually necessary for anyone that wishes to check the mode on their yubikey/operate on keys (list, delete, etc)/advanced use cases not covered by docker. I would say that Recommend seems appropriate in this case.

This is something that we can change in the future, as more functionality to manage yubikeys is added onto docker and notary, but for now this seems like the only way to have a decent experience with the yubikeys.

Also, the use of pkcs11 is best-effort, if no .so's are found, notary silently ignores it.

ok updated w windows fix and also tianons suggestions :) way better than the gross thing i did w install.sh

also updated packagers.md

Very minimal changes to engine side +1
Reviewed vendored in changes, seems OK (nothing horrendous stands out) +1
Tested trusted push/pull functionality (minus yubikey) +1
Tested trusted push/pull going back to 1.9.0 client +1

Soft LGTM

@cpuguy83 I have one for you. You can test it in Barcelona :)

I've tested the following cases, both with a mac binary that I built on a mac using the same method as homebrew, and with a mac binary that @diogomonica built on linux using make cross.

• pull/push with yubikey and DOCKER_CONTENT_TRUST=1
• pull/push without yubikey and DOCKER_CONTENT_TRUST=1
• push/pull without DOCKER_CONTENT_TRUST

Have not tested on Linux. LGTM as far as macs are concerned :)

Tested pushing and key rotation with yubikey and all seemed to work. LGTM (no review of the packaging).

@tianon would love your explicit LGTM, since this involves building magic.

You need mine too ;)

@jfrazelle would love your explicit LGTM, since this involves building magic.

@diogomonica 🤘

I won't say how long it took me to find that emoji keyword.

LGTM

I really wish this PR could've been in smaller chunks -- it's very hard to review being so massive. 😢

(I almost didn't even look at c86517e557c93c8cbb26305704d91409dd207e39 because it didn't sound related to building, but glad I did.)

yeah sorry I specifically hated the sym,ink of clang in that one :(

there are def aspects of this PR I hate, it blows

Ok, latest iteration LGTM

No docs required as far as I can tell.