Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update TUF client to support options and add LiveTrustedRoot #41

Merged
merged 35 commits into from
Feb 10, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
35 commits
Select commit Hold shift + click to select a range
444736a
Update TUF client to support options and add LiveTrustedRoot
codysoyland Dec 11, 2023
035c084
Make sure DefaultOptions never fails
kommendorkapten Dec 22, 2023
5f4fafa
avoid empty strings for arguments, use named attributes
kommendorkapten Dec 22, 2023
511a0b9
Ignore emacs backup files
kommendorkapten Dec 22, 2023
e680b4f
Created a bascig config file for the tuf client
kommendorkapten Dec 22, 2023
7be28c0
Style fixes
kommendorkapten Dec 22, 2023
780beb3
Made consistent snapshot configurable
kommendorkapten Dec 22, 2023
b1f195f
Clarified the use of unsafe local mode
kommendorkapten Dec 22, 2023
3e2ab65
Updated to go-tuf/v2@master
kommendorkapten Jan 29, 2024
8297aeb
Resolved merge conflict
kommendorkapten Jan 29, 2024
9c4e1c4
Merge branch 'main' into tuf-client-2
kommendorkapten Jan 29, 2024
11dedbd
Fixed errors from linter
kommendorkapten Jan 29, 2024
dc7e979
Use short variable declaration syntax
codysoyland Jan 29, 2024
8bc63cf
Remove old unused embedded root
codysoyland Jan 29, 2024
c270ed8
Add func to fetch TUF root with given options
codysoyland Jan 29, 2024
a8fd9e0
Add chainable functional options to Options struct
codysoyland Jan 29, 2024
95168ba
Update CodeQL action
codysoyland Jan 29, 2024
4f6cb84
Setup Go version in CodeQL workflwo
codysoyland Jan 29, 2024
c2e715e
Don't specify minor go version
kommendorkapten Jan 30, 2024
e87063c
Added a simple test for an offline cliant
kommendorkapten Jan 30, 2024
96326fa
Add TUF repo creation and basic test to create a client
codysoyland Feb 5, 2024
057aa83
Made the tuf root file configurable via the command line
kommendorkapten Feb 6, 2024
4ac2b31
Merge branch 'main' into tuf-client-2
kommendorkapten Feb 6, 2024
72edefd
Use consts from go-tuf
codysoyland Feb 6, 2024
0def807
Add test to fetch target
codysoyland Feb 6, 2024
f4d0556
Breakout publish
codysoyland Feb 7, 2024
ee12af4
Add target support and refresh test
codysoyland Feb 7, 2024
fe78b34
Add TUF caching tests
codysoyland Feb 7, 2024
651aff1
Remove unreachable code, add more tests
codysoyland Feb 7, 2024
fd475da
Updated go-tuf
kommendorkapten Feb 9, 2024
616ee98
Updated to latest go-tuf
kommendorkapten Feb 9, 2024
51aaf34
Clarified that the updates is replaced, not the actual tuf client
kommendorkapten Feb 9, 2024
10be16d
Updated to new error type (pointer)
kommendorkapten Feb 9, 2024
1d0f156
Use 0 days for default CacheValidity
codysoyland Feb 9, 2024
37bb81f
Clarify CacheValidity option and add NoCache/MaxCache consts
codysoyland Feb 9, 2024
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 8 additions & 3 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -40,14 +40,19 @@ jobs:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Setup Go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version-file: ./go.mod

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 # v2.16.1
uses: github/codeql-action/init@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2
with:
languages: ${{ matrix.language }}

- name: Autobuild
uses: github/codeql-action/autobuild@65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 # v2.16.1
uses: github/codeql-action/autobuild@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 # v2.16.1
uses: github/codeql-action/analyze@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
.idea
.DS_Store
*~
/sigstore-go
/tufdata
/conformance
14 changes: 10 additions & 4 deletions cmd/conformance/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -57,10 +57,16 @@ func getTrustedRoot() root.TrustedMaterial {
if !ok {
log.Fatal("unable to get path")
}

tufDir := path.Join(path.Dir(filename), "tufdata")

trustedRootJSON, err = tuf.GetTrustedrootJSON("tuf-repo-cdn.sigstore.dev", tufDir)
opts := tuf.DefaultOptions()
opts.CachePath = path.Join(path.Dir(filename), "tufdata")
client, err := tuf.New(opts)
if err != nil {
log.Fatal(err)
}
trustedRootJSON, err = client.GetTarget("trusted_root.json")
if err != nil {
log.Fatal(err)
}
}

if err != nil {
Expand Down
41 changes: 31 additions & 10 deletions cmd/sigstore-go/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ var onlineTlog *bool
var trustedPublicKey *string
var trustedrootJSONpath *string
var tufRootURL *string
var tufDirectory *string
var tufTrustedRoot *string

func init() {
artifact = flag.String("artifact", "", "Path to artifact to verify")
Expand All @@ -63,7 +63,7 @@ func init() {
trustedPublicKey = flag.String("publicKey", "", "Path to trusted public key")
trustedrootJSONpath = flag.String("trustedrootJSONpath", "examples/trusted-root-public-good.json", "Path to trustedroot JSON file")
tufRootURL = flag.String("tufRootURL", "", "URL of TUF root containing trusted root JSON file")
tufDirectory = flag.String("tufDirectory", "tufdata", "Directory to store TUF metadata")
tufTrustedRoot = flag.String("tufTrustedRoot", "", "Path to the trusted TUF root.json to bootstrap trust in the remote TUF repository")
flag.Parse()
if flag.NArg() == 0 {
usage()
Expand Down Expand Up @@ -120,20 +120,41 @@ func run() error {
identityPolicies = append(identityPolicies, verify.WithCertificateIdentity(certID))

var trustedMaterial = make(root.TrustedMaterialCollection, 0)
var trustedrootJSON []byte
var trustedRootJSON []byte

if *tufRootURL != "" {
trustedrootJSON, err = tuf.GetTrustedrootJSON(*tufRootURL, *tufDirectory)
opts := tuf.DefaultOptions()
opts.RepositoryBaseURL = *tufRootURL

// Load the tuf root.json if provided, if not use public good
if *tufTrustedRoot != "" {
rb, err := os.ReadFile(*tufTrustedRoot)
if err != nil {
return fmt.Errorf("failed to read %s: %w",
*tufTrustedRoot, err)
}
opts.Root = rb
}

client, err := tuf.New(opts)
if err != nil {
return err
}
trustedRootJSON, err = client.GetTarget("trusted_root.json")
if err != nil {
return err
}
} else if *trustedrootJSONpath != "" {
trustedrootJSON, err = os.ReadFile(*trustedrootJSONpath)
}
if err != nil {
return err
trustedRootJSON, err = os.ReadFile(*trustedrootJSONpath)
if err != nil {
return fmt.Errorf("failed to read %s: %w",
*trustedrootJSONpath, err)
}
}

if len(trustedrootJSON) > 0 {
if len(trustedRootJSON) > 0 {
var trustedRoot *root.TrustedRoot
trustedRoot, err = root.NewTrustedRootFromJSON(trustedrootJSON)
trustedRoot, err = root.NewTrustedRootFromJSON(trustedRootJSON)
if err != nil {
return err
}
Expand Down
31 changes: 17 additions & 14 deletions examples/oci-image-verification/go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@ module github.com/sigstore/sigstore-go/examples/oci-image-verification

go 1.21

replace github.com/sigstore/sigstore-go => ../../

require (
github.com/google/go-containerregistry v0.19.0
github.com/sigstore/protobuf-specs v0.2.1
Expand All @@ -22,18 +24,18 @@ require (
github.com/docker/docker-credential-helpers v0.7.0 // indirect
github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/go-chi/chi v4.1.2+incompatible // indirect
github.com/go-logr/logr v1.3.0 // indirect
github.com/go-logr/logr v1.4.1 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/analysis v0.22.0 // indirect
github.com/go-openapi/errors v0.21.0 // indirect
github.com/go-openapi/jsonpointer v0.20.2 // indirect
github.com/go-openapi/jsonreference v0.20.4 // indirect
github.com/go-openapi/loads v0.21.5 // indirect
github.com/go-openapi/runtime v0.26.2 // indirect
github.com/go-openapi/spec v0.20.13 // indirect
github.com/go-openapi/runtime v0.27.1 // indirect
github.com/go-openapi/spec v0.20.14 // indirect
github.com/go-openapi/strfmt v0.22.0 // indirect
github.com/go-openapi/swag v0.22.7 // indirect
github.com/go-openapi/validate v0.22.3 // indirect
github.com/go-openapi/swag v0.22.9 // indirect
github.com/go-openapi/validate v0.22.6 // indirect
github.com/google/certificate-transparency-go v1.1.7 // indirect
github.com/google/uuid v1.5.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
Expand All @@ -60,7 +62,7 @@ require (
github.com/sassoftware/relic v7.2.1+incompatible // indirect
github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect
github.com/sigstore/rekor v1.3.4 // indirect
github.com/sigstore/rekor v1.3.5 // indirect
github.com/sigstore/timestamp-authority v1.2.1 // indirect
github.com/sirupsen/logrus v1.9.3 // indirect
github.com/sourcegraph/conc v0.3.0 // indirect
Expand All @@ -71,28 +73,29 @@ require (
github.com/spf13/viper v1.18.2 // indirect
github.com/subosito/gotenv v1.6.0 // indirect
github.com/theupdateframework/go-tuf v0.7.0 // indirect
github.com/theupdateframework/go-tuf/v2 v2.0.0-20240207172116-f5cf71290141 // indirect
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
github.com/transparency-dev/merkle v0.0.2 // indirect
github.com/vbatts/tar-split v0.11.3 // indirect
go.mongodb.org/mongo-driver v1.13.1 // indirect
go.opentelemetry.io/otel v1.21.0 // indirect
go.opentelemetry.io/otel/metric v1.21.0 // indirect
go.opentelemetry.io/otel/trace v1.21.0 // indirect
go.opentelemetry.io/otel v1.22.0 // indirect
go.opentelemetry.io/otel/metric v1.22.0 // indirect
go.opentelemetry.io/otel/trace v1.22.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.26.0 // indirect
golang.org/x/crypto v0.18.0 // indirect
golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
golang.org/x/mod v0.14.0 // indirect
golang.org/x/net v0.19.0 // indirect
golang.org/x/sync v0.5.0 // indirect
golang.org/x/net v0.20.0 // indirect
golang.org/x/sync v0.6.0 // indirect
golang.org/x/sys v0.16.0 // indirect
golang.org/x/term v0.16.0 // indirect
golang.org/x/text v0.14.0 // indirect
google.golang.org/genproto v0.0.0-20231120223509-83a465c0220f // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20231120223509-83a465c0220f // indirect
google.golang.org/genproto v0.0.0-20240116215550-a9fa1716bcac // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240122161410-6c6643bf1457 // indirect
google.golang.org/protobuf v1.32.0 // indirect
gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/klog/v2 v2.100.1 // indirect
k8s.io/klog/v2 v2.120.0 // indirect
)
Loading
Loading