Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not require multiple Fulcio certs in the TUF root #1230

Merged
merged 1 commit into from
Dec 17, 2021
Merged

Do not require multiple Fulcio certs in the TUF root #1230

merged 1 commit into from
Dec 17, 2021

Conversation

rgerganov
Copy link
Contributor

cosign requires both fulcio.crt.pem and fulcio_v1.crt.pem in the TUF
root which doesn't make sense when using local TUF. fulcio_v1.crt.pem
was added in the embedded TUF in order to support Fulcio v1 but it
shouldn't be required when users initialize cosign with their own TUF
repo.

Closes: #1229

Signed-off-by: Radoslav Gerganov [email protected]

hectorj2f
hectorj2f reviewed Dec 16, 2021
View reviewed changes
Copy link
Contributor

@hectorj2f hectorj2f left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lgtm

asraa
asraa reviewed Dec 16, 2021
View reviewed changes
Copy link
Contributor

@asraa asraa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you so so much for these changes!

I think long term we might want some kind of general discovery like look for targets named fulcio.*, and as long as one of them is successfully added, don't panic.

cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go Outdated
if err := tuf.GetTarget(ctx, fulcioTarget, &buf); err != nil {
panic(errors.Wrap(err, "creating root cert pool"))
}
buf := tuf.ByteDestination{Buffer: &bytes.Buffer{}}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WDYT about keeping the previous code and use a bool to panic if one of the targets wasn't added?
(as in gracefully fail, just fail when none of the errors were nil)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

make sense, I will update the patch

Do not require multiple Fulcio certs in the TUF root
ee09677 
cosign requires both fulcio.crt.pem and fulcio_v1.crt.pem in the TUF
root which doesn't make sense when using local TUF. fulcio_v1.crt.pem
was added in the embedded TUF in order to support Fulcio v1 but it
shouldn't be required when users initialize cosign with their own TUF
repo.

Closes: sigstore#1229

Signed-off-by: Radoslav Gerganov <[email protected]>
@dlorenc dlorenc merged commit d318979 into sigstore:main Dec 17, 2021
@github-actions github-actions bot added this to the v1.5.0 milestone Dec 17, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asraa asraa asraa left review comments

@hectorj2f hectorj2f hectorj2f left review comments

@dlorenc dlorenc dlorenc approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.5.0
Development

Successfully merging this pull request may close these issues.

Do not require multiple Fulcio certs in the TUF root
4 participants
@rgerganov @dlorenc @hectorj2f @asraa