X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/3da10f0c0f5a0c0c91d49436a5995c890b03d228..50128b53da4003912635b03fb27b5be2c5beaca1:/services/keepstore/perms.go

diff --git a/services/keepstore/perms.go b/services/keepstore/perms.go
index 6168a321c2..38445d982b 100644
--- a/services/keepstore/perms.go
+++ b/services/keepstore/perms.go
@@ -5,15 +5,10 @@ import (
 	"time"
 )
 
-// The PermissionSecret is the secret key used to generate SHA1
-// digests for permission hints. apiserver and Keep must use the same
-// key.
-var PermissionSecret []byte
-
 // SignLocator takes a blobLocator, an apiToken and an expiry time, and
 // returns a signed locator string.
 func SignLocator(blobLocator, apiToken string, expiry time.Time) string {
-	return keepclient.SignLocator(blobLocator, apiToken, expiry, PermissionSecret)
+	return keepclient.SignLocator(blobLocator, apiToken, expiry, theConfig.BlobSignatureTTL.Duration(), theConfig.blobSigningKey)
 }
 
 // VerifySignature returns nil if the signature on the signedLocator
@@ -22,7 +17,7 @@ func SignLocator(blobLocator, apiToken string, expiry time.Time) string {
 // something the client could have figured out independently) or
 // PermissionError.
 func VerifySignature(signedLocator, apiToken string) error {
-	err := keepclient.VerifySignature(signedLocator, apiToken, PermissionSecret)
+	err := keepclient.VerifySignature(signedLocator, apiToken, theConfig.BlobSignatureTTL.Duration(), theConfig.blobSigningKey)
 	if err == keepclient.ErrSignatureExpired {
 		return ExpiredError
 	} else if err != nil {