Add cosign init to initialize the SigStore root metadata #520
Conversation
Signed-off-by: Asra Ali <[email protected]>
Signed-off-by: Asra Ali <[email protected]>
Hihi, would you need a review? Happy to help! 🙂
I have to do a bit of refactoring, but would love to get a review on the TUF code! I'll ping you
@@ -41,6 +44,19 @@ import ( | |||
// rekor.pub should be updated whenever the Rekor public key is rotated & the bundle annotation should be up-versioned | |||
//go:embed rekor.pub | |||
var rekorPub string | |||
var rekorTargetStr = `rekor.pub` | |||
|
|||
func GetRekorPub() string { |
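Review bot: `rekorTargetStr` in `var rekorTargetStr = \`rekor.pub\`` is never reassigned, so declare it as a `const`; and the comment above `//go:embed rekor.pub`, which says the file should be updated whenever the Rekor key is rotated, now only describes the fallback copy. Suggest extending that comment to say the TUF target of the same name is the primary source and the embedded key is used when the local root metadata has not been initialized, so the two are not confused during a rotation.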
IMHO we should put this somewhere under cli/ in order to keep logging and cosign binary-specific out of package
Ohhh hmmmm you mean keeping fmt.Println out? It's used elsewhere in this file as well
hrm yeah
err := tuf.GetTarget(ctx, rekorTargetStr, &buf) | ||
if err != nil { | ||
// The user may not have initialized the local root metadata. Log the error and use the embedded root. | ||
fmt.Println("using embedded rekor public key. did you run `cosign init`? error retrieving target: ", err) |
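Review bot: the `if err != nil` branch falls back to the embedded key for every error returned by `tuf.GetTarget`, not only the uninitialized-root case the comment names, so a target that fails verification degrades to the embedded key with just a log line instead of failing. Suggest distinguishing a not-initialized error from other errors and returning the others to the caller. The warning itself goes to stdout via `fmt.Println`, where scripts consuming cosign's output will see it; write it with `fmt.Fprintln(os.Stderr, ...)` instead.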
fmt.Println("using embedded rekor public key. did you run `cosign init`? error retrieving target: ", err) | |
fmt.Fprintln(os.Stderr, "using embedded rekor public key. did you run `cosign init`? error retrieving target: ", err) |
I'm fine with this for now, can always move packages around as we integrate more tuf stuff
@asraa squashing your local
Signed-off-by: Asra Ali <[email protected]>
Signed-off-by: Asra Ali <[email protected]>
Signed-off-by: Asra Ali <[email protected]>
All set, a local test added, and the path to the remote repository is in production.
Add `cosign init` that initializes the local trusted SigStore root and pulls the trusted targets into `.sigstore/root` (`.sigstore/keys.json`). Clients need this to verify the root they pull. If `init` hasn't been run, details:

Fixes #389

In practice, you can see if you run cosign without init'ing, you get log warnings asking "did you run `cosign init`?" Otherwise, it's silent, we're using the local metadata.

WIP because of tests and some defaults/globals I want to get rid of
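An added example, not code from this PR or from cosign, showing one way to structure the lookup the PR adds to `GetRekorPub`: try the TUF target first, fall back to the embedded key only when the local root was never initialized (the "did you run `cosign init`?" case), surface every other fetch error instead of masking it with the fallback, and check that whichever PEM wins actually parses as an ECDSA public key. The real TUF client is replaced by a stand-in `TargetFetcher`, `ErrNotInitialized` is a hypothetical error a TUF client might return, and the keys are generated inline as constructed sample input.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
)

// ErrNotInitialized is a hypothetical error a TUF client would return when no
// local root metadata exists, i.e. `cosign init` has not been run. (Assumption:
// the real cosign TUF package is not used here.)
var ErrNotInitialized = errors.New("tuf: local root metadata not initialized")

// TargetFetcher stands in for the TUF client's GetTarget: it returns the
// verified bytes of a named target, or an error.
type TargetFetcher func(ctx context.Context, name string) ([]byte, error)

// KeySource records where the key came from so callers can log it or refuse
// to continue when only the embedded fallback was available.
type KeySource string

const (
	SourceTUF      KeySource = "tuf"
	SourceEmbedded KeySource = "embedded"
)

// ResolveRekorPub prefers the TUF target and uses the embedded PEM only when
// the local root was never initialized. Verification failures and any other
// fetch error are returned rather than silently downgraded to the embedded key.
func ResolveRekorPub(ctx context.Context, fetch TargetFetcher, target, embedded string) (*ecdsa.PublicKey, KeySource, error) {
	raw, err := fetch(ctx, target)
	switch {
	case err == nil:
		key, perr := parseECDSAPub(raw)
		if perr != nil {
			return nil, "", fmt.Errorf("tuf target %q is not a valid ECDSA public key: %w", target, perr)
		}
		return key, SourceTUF, nil
	case errors.Is(err, ErrNotInitialized):
		// Warn on stderr so the message never mixes with cosign's normal stdout output.
		fmt.Fprintln(os.Stderr, "using embedded rekor public key. did you run `cosign init`? error retrieving target:", err)
		key, perr := parseECDSAPub([]byte(embedded))
		if perr != nil {
			return nil, "", fmt.Errorf("embedded rekor.pub is not a valid ECDSA public key: %w", perr)
		}
		return key, SourceEmbedded, nil
	default:
		return nil, "", fmt.Errorf("retrieving tuf target %q: %w", target, err)
	}
}

// parseECDSAPub decodes a PKIX PEM block and requires an ECDSA key, so a
// corrupt or wrong-type target cannot be handed to the verifier.
func parseECDSAPub(pemBytes []byte) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	ec, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("unexpected key type %T", pub)
	}
	return ec, nil
}

// NewTestKeyPEM generates a fresh P-256 key and returns its public half as
// PKIX PEM; it exists only to construct sample input for this example.
func NewTestKeyPEM() (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return "", nil, err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), &priv.PublicKey, nil
}

func main() {
	embeddedPEM, _, _ := NewTestKeyPEM()
	tufPEM, _, _ := NewTestKeyPEM()
	ctx := context.Background()

	// Scenario 1: `cosign init` never ran -> embedded key, warning on stderr.
	uninit := func(ctx context.Context, name string) ([]byte, error) { return nil, ErrNotInitialized }
	_, src, err := ResolveRekorPub(ctx, uninit, "rekor.pub", embeddedPEM)
	fmt.Println("uninitialized:", src, err)

	// Scenario 2: local metadata present -> the verified TUF target wins.
	ok := func(ctx context.Context, name string) ([]byte, error) { return []byte(tufPEM), nil }
	_, src, err = ResolveRekorPub(ctx, ok, "rekor.pub", embeddedPEM)
	fmt.Println("initialized:", src, err)

	// Scenario 3: the target fails verification -> hard error, no silent downgrade.
	bad := func(ctx context.Context, name string) ([]byte, error) { return nil, errors.New("target rekor.pub: hash mismatch") }
	_, src, err = ResolveRekorPub(ctx, bad, "rekor.pub", embeddedPEM)
	fmt.Println("verification failure:", src, err)
}
```

The fallback policy here is stricter than the hunk in this PR, which falls back to the embedded key on any error from `tuf.GetTarget`; only the not-initialized case is treated as "use the embedded key", everything else is an error the caller must handle. Returning the `KeySource` lets a caller decide whether an embedded-key verification is acceptable in its environment.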