From ada21154e9f96cdf1d02d096174344b53769d1f7 Mon Sep 17 00:00:00 2001
From: Lewis Marshall <lewis@lmars.net>
Date: Wed, 10 Feb 2016 15:18:52 +0000
Subject: [PATCH] client: Always initialize keys DB from local storage

If the local root is expired, an update will download the latest root
from remote storage, and we need to be able to verify that new root with
the local keys.

Signed-off-by: Lewis Marshall <lewis@lmars.net>
---
 client/client.go      | 9 ++++-----
 client/client_test.go | 2 ++
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/client/client.go b/client/client.go
index 37397ac6..1e1de2ee 100644
--- a/client/client.go
+++ b/client/client.go
@@ -267,22 +267,21 @@ func (c *Client) getLocalMeta() error {
 		if err := json.Unmarshal(s.Signed, root); err != nil {
 			return err
 		}
-		db := keys.NewDB()
+		c.db = keys.NewDB()
 		for id, k := range root.Keys {
-			if err := db.AddKey(id, k); err != nil {
+			if err := c.db.AddKey(id, k); err != nil {
 				return err
 			}
 		}
 		for name, role := range root.Roles {
-			if err := db.AddRole(name, role); err != nil {
+			if err := c.db.AddRole(name, role); err != nil {
 				return err
 			}
 		}
-		if err := signed.Verify(s, "root", 0, db); err != nil {
+		if err := signed.Verify(s, "root", 0, c.db); err != nil {
 			return err
 		}
 		c.consistentSnapshot = root.ConsistentSnapshot
-		c.db = db
 	} else {
 		return ErrNoRootKeys
 	}
diff --git a/client/client_test.go b/client/client_test.go
index af999bf3..c109dce9 100644
--- a/client/client_test.go
+++ b/client/client_test.go
@@ -531,6 +531,8 @@ func (s *ClientSuite) TestUpdateLocalRootExpired(c *C) {
 		if _, ok := err.(signed.ErrExpired); !ok {
 			c.Fatalf("expected err to have type signed.ErrExpired, got %T", err)
 		}
+
+		client := NewClient(s.local, s.remote)
 		_, err = client.Update()
 		c.Assert(err, IsNil)
 	})