Update TUF client to support options and add LiveTrustedRoot (#41)
* Update TUF client to support options and add LiveTrustedRoot

Signed-off-by: Cody Soyland <[email protected]>

* Make sure DefaultOptions never fails

Signed-off-by: Fredrik Skogman <[email protected]>

* avoid empty strings for arguments, use named attributes

Signed-off-by: Fredrik Skogman <[email protected]>

* Ignore emacs backup files

Signed-off-by: Fredrik Skogman <[email protected]>

* Created a basic config file for the tuf client

Signed-off-by: Fredrik Skogman <[email protected]>

* Style fixes

Signed-off-by: Fredrik Skogman <[email protected]>

* Made consistent snapshot configurable

Signed-off-by: Fredrik Skogman <[email protected]>

* Clarified the use of unsafe local mode

Signed-off-by: Fredrik Skogman <[email protected]>

* Updated to go-tuf/v2@master

Signed-off-by: Fredrik Skogman <[email protected]>

* Resolved merge conflict

Signed-off-by: Fredrik Skogman <[email protected]>

* Fixed errors from linter

Signed-off-by: Fredrik Skogman <[email protected]>

* Use short variable declaration syntax

Co-authored-by: Hayden B <[email protected]>
Signed-off-by: Cody Soyland <[email protected]>

* Remove old unused embedded root

Signed-off-by: Cody Soyland <[email protected]>

* Add func to fetch TUF root with given options

Signed-off-by: Cody Soyland <[email protected]>

* Add chainable functional options to Options struct

Signed-off-by: Cody Soyland <[email protected]>

* Update CodeQL action

Signed-off-by: Cody Soyland <[email protected]>

* Setup Go version in CodeQL workflow

Signed-off-by: Cody Soyland <[email protected]>

* Don't specify minor go version

Signed-off-by: Fredrik Skogman <[email protected]>

* Added a simple test for an offline client

Signed-off-by: Fredrik Skogman <[email protected]>

* Add TUF repo creation and basic test to create a client

Signed-off-by: Cody Soyland <[email protected]>

* Made the tuf root file configurable via the command line

Signed-off-by: Fredrik Skogman <[email protected]>

* Use consts from go-tuf

Signed-off-by: Cody Soyland <[email protected]>

* Add test to fetch target

Signed-off-by: Cody Soyland <[email protected]>

* Breakout publish

Signed-off-by: Cody Soyland <[email protected]>

* Add target support and refresh test

Signed-off-by: Cody Soyland <[email protected]>

* Add TUF caching tests

Signed-off-by: Cody Soyland <[email protected]>

* Remove unreachable code, add more tests

It is impossible to reach the timestamp checks in loadMetadata, as the preceding code to load metadata and verify it will force an online refresh anyway, so at this point, the cache has already been updated.

Setting RemoteTargetsURL is not necessary as go-tuf will set that correctly by default.

Signed-off-by: Cody Soyland <[email protected]>

* Updated go-tuf

Signed-off-by: Fredrik Skogman <[email protected]>

* Updated to latest go-tuf

Signed-off-by: Fredrik Skogman <[email protected]>

* Clarified that the updater is replaced, not the actual tuf client

Signed-off-by: Fredrik Skogman <[email protected]>

* Updated to new error type (pointer)

Signed-off-by: Fredrik Skogman <[email protected]>

* Use 0 days for default CacheValidity

Signed-off-by: Cody Soyland <[email protected]>

* Clarify CacheValidity option and add NoCache/MaxCache consts

Signed-off-by: Cody Soyland <[email protected]>

---------

Signed-off-by: Cody Soyland <[email protected]>
Signed-off-by: Fredrik Skogman <[email protected]>
Co-authored-by: Fredrik Skogman <[email protected]>
Co-authored-by: Hayden B <[email protected]>
3 people authored Feb 10, 2024
1 parent 8e0c8fc commit 40d7422
Showing 17 changed files with 1,123 additions and 226 deletions.
11 changes: 8 additions & 3 deletions .github/workflows/codeql.yml
Expand Up @@ -40,14 +40,19 @@ jobs:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Setup Go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version-file: ./go.mod

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 # v2.16.1
uses: github/codeql-action/init@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2
with:
languages: ${{ matrix.language }}

- name: Autobuild
uses: github/codeql-action/autobuild@65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 # v2.16.1
uses: github/codeql-action/autobuild@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 # v2.16.1
uses: github/codeql-action/analyze@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2
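Review bot: the new `Setup Go` step sits before `Initialize CodeQL`, which is the right order (the Go extractor needs the toolchain on PATH when `Autobuild` runs), and it is pinned by commit SHA with a version comment like the other steps. One suggestion for the `with:` block: `go-version-file: ./go.mod` resolves from the module's `go` directive, and the "Don't specify minor go version" commit makes that a major.minor only, so add `check-latest: true` so the scan builds with the newest patch release of that minor instead of whatever the runner image has cached.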
1 change: 1 addition & 0 deletions .gitignore
@@ -1,5 +1,6 @@
.idea
.DS_Store
*~
/sigstore-go
/tufdata
/conformance
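Review bot: `/tufdata` is anchored to the repository root, but cmd/conformance/main.go in this same commit sets `opts.CachePath = path.Join(path.Dir(filename), "tufdata")`, a `tufdata` directory beside the calling source file (the `unable to get path` check suggests `filename` comes from `runtime.Caller`), which a root-anchored pattern does not match. Either drop the leading slash (`tufdata`) or add the conformance path explicitly so a conformance run does not leave an untracked TUF cache in the tree. The `*~` addition is fine, though editor backup patterns are usually better kept in a per-user global ignore file than in the project's.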
14 changes: 10 additions & 4 deletions cmd/conformance/main.go
Expand Up @@ -57,10 +57,16 @@ func getTrustedRoot() root.TrustedMaterial {
if !ok {
log.Fatal("unable to get path")
}

tufDir := path.Join(path.Dir(filename), "tufdata")

trustedRootJSON, err = tuf.GetTrustedrootJSON("tuf-repo-cdn.sigstore.dev", tufDir)
opts := tuf.DefaultOptions()
opts.CachePath = path.Join(path.Dir(filename), "tufdata")
client, err := tuf.New(opts)
if err != nil {
log.Fatal(err)
}
trustedRootJSON, err = client.GetTarget("trusted_root.json")
if err != nil {
log.Fatal(err)
}
}

if err != nil {
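Review bot: at `client, err := tuf.New(opts)` the conformance binary now inherits both the repository URL and the bootstrap root from `tuf.DefaultOptions()`, whereas the removed line named `tuf-repo-cdn.sigstore.dev` at the call site; please either assign `opts.RepositoryBaseURL` here or add a comment stating that the defaults point at the Sigstore public-good repository, so the trust anchor the conformance tests run against is visible in this file rather than only in the library. Two smaller points: the two back-to-back `log.Fatal(err)` blocks mean the pre-existing `if err != nil {` after the closing brace can no longer be reached from this branch, and the literal `"trusted_root.json"` is repeated in cmd/sigstore-go/main.go, so exporting a constant for the target name from the tuf package would keep it in one place.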
Expand Down
41 changes: 31 additions & 10 deletions cmd/sigstore-go/main.go
Expand Up @@ -47,7 +47,7 @@ var onlineTlog *bool
var trustedPublicKey *string
var trustedrootJSONpath *string
var tufRootURL *string
var tufDirectory *string
var tufTrustedRoot *string

func init() {
artifact = flag.String("artifact", "", "Path to artifact to verify")
Expand All @@ -63,7 +63,7 @@ func init() {
trustedPublicKey = flag.String("publicKey", "", "Path to trusted public key")
trustedrootJSONpath = flag.String("trustedrootJSONpath", "examples/trusted-root-public-good.json", "Path to trustedroot JSON file")
tufRootURL = flag.String("tufRootURL", "", "URL of TUF root containing trusted root JSON file")
tufDirectory = flag.String("tufDirectory", "tufdata", "Directory to store TUF metadata")
tufTrustedRoot = flag.String("tufTrustedRoot", "", "Path to the trusted TUF root.json to bootstrap trust in the remote TUF repository")
flag.Parse()
if flag.NArg() == 0 {
usage()
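Review bot: this hunk drops the `-tufDirectory` flag without a replacement, so the cache location is now whatever `DefaultOptions()` chooses and any existing invocation passing `-tufDirectory` will fail flag parsing; if that is intended, call it out as a breaking CLI change in the commit message, otherwise keep the flag and map it to `opts.CachePath` the way cmd/conformance/main.go does. The `-tufTrustedRoot` help text should also make clear that the file is the TUF `root.json` used to bootstrap the repository, not the Sigstore `trusted_root.json` target, since the two names are easy to confuse when listed next to `-trustedrootJSONpath`.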
Expand Down Expand Up @@ -120,20 +120,41 @@ func run() error {
identityPolicies = append(identityPolicies, verify.WithCertificateIdentity(certID))

var trustedMaterial = make(root.TrustedMaterialCollection, 0)
var trustedrootJSON []byte
var trustedRootJSON []byte

if *tufRootURL != "" {
trustedrootJSON, err = tuf.GetTrustedrootJSON(*tufRootURL, *tufDirectory)
opts := tuf.DefaultOptions()
opts.RepositoryBaseURL = *tufRootURL

// Load the tuf root.json if provided, if not use public good
if *tufTrustedRoot != "" {
rb, err := os.ReadFile(*tufTrustedRoot)
if err != nil {
return fmt.Errorf("failed to read %s: %w",
*tufTrustedRoot, err)
}
opts.Root = rb
}

client, err := tuf.New(opts)
if err != nil {
return err
}
trustedRootJSON, err = client.GetTarget("trusted_root.json")
if err != nil {
return err
}
} else if *trustedrootJSONpath != "" {
trustedrootJSON, err = os.ReadFile(*trustedrootJSONpath)
}
if err != nil {
return err
trustedRootJSON, err = os.ReadFile(*trustedrootJSONpath)
if err != nil {
return fmt.Errorf("failed to read %s: %w",
*trustedrootJSONpath, err)
}
}

if len(trustedrootJSON) > 0 {
if len(trustedRootJSON) > 0 {
var trustedRoot *root.TrustedRoot
trustedRoot, err = root.NewTrustedRootFromJSON(trustedrootJSON)
trustedRoot, err = root.NewTrustedRootFromJSON(trustedRootJSON)
if err != nil {
return err
}
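Review bot: when `-tufRootURL` is set but `-tufTrustedRoot` is not, the branch under `// Load the tuf root.json if provided, if not use public good` leaves `opts.Root` at the library default, so a custom repository URL is paired with the public-good root; metadata from a repository not signed by that root will fail verification, which is the correct failure mode, but the flag documentation should state that `-tufTrustedRoot` is required for any `-tufRootURL` other than the public-good repository, and wrapping the error from `client.GetTarget` with that hint would save users a confusing go-tuf verification message. Separately, `rb, err := os.ReadFile(*tufTrustedRoot)` and `client, err := tuf.New(opts)` declare new `err` variables that shadow the function-level `err` used by `trustedRootJSON, err = ...`; harmless here because every error path returns, but shadow linters will flag it, so prefer `=` where `err` already exists and declare `client` separately.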
Expand Down
31 changes: 17 additions & 14 deletions examples/oci-image-verification/go.mod
Expand Up @@ -2,6 +2,8 @@ module github.com/sigstore/sigstore-go/examples/oci-image-verification

go 1.21

replace github.com/sigstore/sigstore-go => ../../

require (
github.com/google/go-containerregistry v0.19.0
github.com/sigstore/protobuf-specs v0.2.1
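Review bot: the `replace github.com/sigstore/sigstore-go => ../../` directive makes the example build against the working tree, which is what an in-repo example should do, but it also means anyone who copies `examples/oci-image-verification` out of the repository gets a module that does not resolve; a one-line comment above the directive saying it must be removed (and the required version bumped) when the example is used standalone would prevent that confusion.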
Expand All @@ -22,18 +24,18 @@ require (
github.com/docker/docker-credential-helpers v0.7.0 // indirect
github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/go-chi/chi v4.1.2+incompatible // indirect
github.com/go-logr/logr v1.3.0 // indirect
github.com/go-logr/logr v1.4.1 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/analysis v0.22.0 // indirect
github.com/go-openapi/errors v0.21.0 // indirect
github.com/go-openapi/jsonpointer v0.20.2 // indirect
github.com/go-openapi/jsonreference v0.20.4 // indirect
github.com/go-openapi/loads v0.21.5 // indirect
github.com/go-openapi/runtime v0.26.2 // indirect
github.com/go-openapi/spec v0.20.13 // indirect
github.com/go-openapi/runtime v0.27.1 // indirect
github.com/go-openapi/spec v0.20.14 // indirect
github.com/go-openapi/strfmt v0.22.0 // indirect
github.com/go-openapi/swag v0.22.7 // indirect
github.com/go-openapi/validate v0.22.3 // indirect
github.com/go-openapi/swag v0.22.9 // indirect
github.com/go-openapi/validate v0.22.6 // indirect
github.com/google/certificate-transparency-go v1.1.7 // indirect
github.com/google/uuid v1.5.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
Expand All @@ -60,7 +62,7 @@ require (
github.com/sassoftware/relic v7.2.1+incompatible // indirect
github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect
github.com/sigstore/rekor v1.3.4 // indirect
github.com/sigstore/rekor v1.3.5 // indirect
github.com/sigstore/timestamp-authority v1.2.1 // indirect
github.com/sirupsen/logrus v1.9.3 // indirect
github.com/sourcegraph/conc v0.3.0 // indirect
Expand All @@ -71,28 +73,29 @@ require (
github.com/spf13/viper v1.18.2 // indirect
github.com/subosito/gotenv v1.6.0 // indirect
github.com/theupdateframework/go-tuf v0.7.0 // indirect
github.com/theupdateframework/go-tuf/v2 v2.0.0-20240207172116-f5cf71290141 // indirect
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
github.com/transparency-dev/merkle v0.0.2 // indirect
github.com/vbatts/tar-split v0.11.3 // indirect
go.mongodb.org/mongo-driver v1.13.1 // indirect
go.opentelemetry.io/otel v1.21.0 // indirect
go.opentelemetry.io/otel/metric v1.21.0 // indirect
go.opentelemetry.io/otel/trace v1.21.0 // indirect
go.opentelemetry.io/otel v1.22.0 // indirect
go.opentelemetry.io/otel/metric v1.22.0 // indirect
go.opentelemetry.io/otel/trace v1.22.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.26.0 // indirect
golang.org/x/crypto v0.18.0 // indirect
golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
golang.org/x/mod v0.14.0 // indirect
golang.org/x/net v0.19.0 // indirect
golang.org/x/sync v0.5.0 // indirect
golang.org/x/net v0.20.0 // indirect
golang.org/x/sync v0.6.0 // indirect
golang.org/x/sys v0.16.0 // indirect
golang.org/x/term v0.16.0 // indirect
golang.org/x/text v0.14.0 // indirect
google.golang.org/genproto v0.0.0-20231120223509-83a465c0220f // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20231120223509-83a465c0220f // indirect
google.golang.org/genproto v0.0.0-20240116215550-a9fa1716bcac // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240122161410-6c6643bf1457 // indirect
google.golang.org/protobuf v1.32.0 // indirect
gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/klog/v2 v2.100.1 // indirect
k8s.io/klog/v2 v2.120.0 // indirect
)
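Review bot: `github.com/theupdateframework/go-tuf/v2 v2.0.0-20240207172116-f5cf71290141` is a pseudo-version, i.e. a pin to an untagged commit on go-tuf/v2 (matching the "Updated to go-tuf/v2@master" commit), and it now sits alongside the v1 module `github.com/theupdateframework/go-tuf v0.7.0`. The pin is reproducible through go.sum, but a commit pin has to be moved by hand, so track a tagged v2 release once one is published and record in the commit message which go-tuf change required following master. Also confirm the v1 module is still pulled in by a transitive dependency now that the client uses v2; if not, `go mod tidy` should drop it.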
