From 1666ac50fe9d8c734640eb913f128b6813d65190 Mon Sep 17 00:00:00 2001
From: Jake Moshenko
Date: Mon, 26 Oct 2015 16:40:19 -0400
Subject: [PATCH] Filter down the signing key to only public portion
---
 endpoints/v2/manifest.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/endpoints/v2/manifest.py b/endpoints/v2/manifest.py
index 3e8754dd5..7132e141a 100644
--- a/endpoints/v2/manifest.py
+++ b/endpoints/v2/manifest.py
@@ -11,7 +11,7 @@ from collections import namedtuple, OrderedDict
 from jwkest.jws import SIGNER_ALGS, keyrep
 from datetime import datetime
-from app import storage, docker_v2_signing_key
+from app import docker_v2_signing_key
 from auth.jwt_auth import process_jwt_auth
 from endpoints.decorators import anon_protect
 from endpoints.v2 import v2_bp, require_repo_read, require_repo_write
@@ -191,9 +191,13 @@ class SignedManifestBuilder(object):
 signature = jwt.utils.base64url_encode(signer.sign(bytes_to_sign, json_web_key.get_key()))
 logger.debug('Generated signature: %s', signature)
+ public_members = set(json_web_key.public_members)
+ public_key = {comp: value for comp, value in json_web_key.to_dict().items()
+ if comp in public_members}
+
 signature_block = {
 'header': {
- 'jwk': json_web_key.to_dict(),
+ 'jwk': public_key,
 'alg': JWS_ALGORITHM,
 },
 'signature': signature,
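Review bot: Nothing in the second hunk records why `public_key` is filtered, so a later cleanup could put `json_web_key.to_dict()` back into the `jwk` header unnoticed. I would add `# Allowlist: only public_members may reach the JWS header; never publish to_dict() unfiltered` above the `public_members = ...` line, and a unit test asserting that the keys of the emitted `jwk` are a subset of `json_web_key.public_members`. The removed line published the unfiltered dict, so manifests signed before this commit presumably carry the private key parameters. If so, the key behind `docker_v2_signing_key` should be treated as exposed and rotated, which this patch does not do on its own. The enclosing method of `SignedManifestBuilder` starts and ends outside the hunk, so I cannot see whether the key is serialized anywhere else in it.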