-
Notifications
You must be signed in to change notification settings - Fork 546
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fetch verification targets by TUF custom metadata #1423
Conversation
cb78b01
to
aad1f53
Compare
These test failures look related to the PR, any idea? |
9d29d19
to
10987bd
Compare
Reran tests, the unit tests succeeded (I saw the flaky "timestamp.json" off by two bytes), but the KinD e2e tests are failing. Investigating now |
It appears the tests collided with an ongoing distroless release. It pulled the latest image before signing was complete. No more errors! |
bd2fb54
to
e8d3e91
Compare
Cc @znewman01 could you take a look? |
Yup, sometime in the next couple hours. |
1c0bdc9
to
a911047
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
|
||
import "testing" | ||
|
||
func TestGetFulcioRoots(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pardon my unfamiliarity with the codebase here.
I don't really understand this test -- we make a TUF client using tuf.NewFromEnv()
which AFAICT looks in ~/.sigstore/root
by default. Is there some test fixture that sets TUF up for us?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're correct, this just ends up relying on the embedded root. I want to refactor the tests in a later PR to use the test utility newTufCustomRepo
or newTufRepo
so we can generate an instance of the TUF repository that we can easily manipulate to test different edge cases. For now, this test just aims to increase code coverage and exercise Get
.
t.Error(err) | ||
} | ||
if l := dirLen(t, tufRoot); l == 0 { | ||
t.Errorf("expected filesystem writes, got %d entries", l) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm a little puzzled by "expected filesystem writes". Can you clarify?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's a check to make sure Initialize wrote something to the tufRoot
directory.
if err != nil { | ||
return err | ||
} | ||
// Is there a reason why this must be ECDSA key? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there? :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The code makes assumptions about all of the TUF targets. We should clearly document these assumptions in cosign/root-signing. We could add support for other keys if there was a need, and it might come up with BYO-TUF. I'd encourage others to use ECDSA, primarily because you can have much smaller keys and get the same security strength.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the review!
|
||
import "testing" | ||
|
||
func TestGetFulcioRoots(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're correct, this just ends up relying on the embedded root. I want to refactor the tests in a later PR to use the test utility newTufCustomRepo
or newTufRepo
so we can generate an instance of the TUF repository that we can easily manipulate to test different edge cases. For now, this test just aims to increase code coverage and exercise Get
.
if err != nil { | ||
return err | ||
} | ||
// Is there a reason why this must be ECDSA key? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The code makes assumptions about all of the TUF targets. We should clearly document these assumptions in cosign/root-signing. We could add support for other keys if there was a need, and it might come up with BYO-TUF. I'd encourage others to use ECDSA, primarily because you can have much smaller keys and get the same security strength.
t.Error(err) | ||
} | ||
if l := dirLen(t, tufRoot); l == 0 { | ||
t.Errorf("expected filesystem writes, got %d entries", l) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's a check to make sure Initialize wrote something to the tufRoot
directory.
Signed-off-by: Hayden Blauzvern <[email protected]>
This uses GetTargetsByMeta to read the targets using the custom metadata, or fallback to the old targets by filename. Signed-off-by: Hayden Blauzvern <[email protected]>
Signed-off-by: Hayden Blauzvern <[email protected]>
2b118ec
to
4a8f560
Compare
* Add TUF client method for fetching by metadata Signed-off-by: Hayden Blauzvern <[email protected]> * Fetch verification targets by TUF custom metadata This uses GetTargetsByMeta to read the targets using the custom metadata, or fallback to the old targets by filename. Signed-off-by: Hayden Blauzvern <[email protected]> * Resolve PR comments, linter, and update tests Signed-off-by: Hayden Blauzvern <[email protected]>
* Add TUF client method for fetching by metadata Signed-off-by: Hayden Blauzvern <[email protected]> * Fetch verification targets by TUF custom metadata This uses GetTargetsByMeta to read the targets using the custom metadata, or fallback to the old targets by filename. Signed-off-by: Hayden Blauzvern <[email protected]> * Resolve PR comments, linter, and update tests Signed-off-by: Hayden Blauzvern <[email protected]>
Summary
Continuing #1273, this adds support for fetching a list of TUF targets by custom metadata. This will be used for verification using expired/rotated targets. All targets will be persisted in the TUF target metadata. Only one will be marked as
active
while the others are marked asexpired
.The custom metadata on a target looks like looks like:
Possible statuses are
active
orexpired
, and possible usages arefulcio
,rekor
, andctfe
.unknown
is also supported for each as a default value.To test this, I:
Next steps:
Status
of the custom metadata to inform users when verifying with an expired targetTicket Link
Fixes #1342
Ref #1273
Release Note