Skip to content

Commit

Permalink
Generate trusted_root.json in the TUF server (#1235)
Browse files Browse the repository at this point in the history
* Generate trusted_root.json in the TUF server

Signed-off-by: Slavek Kabrda <[email protected]>

* Address review

Signed-off-by: Slavek Kabrda <[email protected]>

* Update README with more information about providing cert chains

Signed-off-by: Slavek Kabrda <[email protected]>

* Update pkg/repo/repo.go

Co-authored-by: Hayden B <[email protected]>
Signed-off-by: Slavek Kabrda <[email protected]>

* Address review

Signed-off-by: Slavek Kabrda <[email protected]>

* Remove outdated comment

Signed-off-by: Slavek Kabrda <[email protected]>

---------

Signed-off-by: Slavek Kabrda <[email protected]>
Co-authored-by: Hayden B <[email protected]>
  • Loading branch information
bkabrda and haydentherapper authored Aug 29, 2024
1 parent dedd490 commit 16ae89a
Show file tree
Hide file tree
Showing 6 changed files with 463 additions and 25 deletions.
18 changes: 16 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -363,14 +363,14 @@ in all the namespaces, which is not great, so we'll work around that by
having another step where we manually copy the secrets to `tuf-system` namespace
so that we can create a proper tuf root that `cosign` can use.

There are two steps in the process, first, copy ctlog, fulcio, and rekor
There are two steps in the process, first, copy ctlog, fulcio, rekor and TSA
public secrets into the `tuf-system` namespace, followed by a construction
of a tuf root from those pieces of information. In addition to that, we'll need
to have a tuf web server that serves the root information so that tools like
`cosign` can validate the roots of trust.

For that, we need to copy the following secrets (namespace/secret) with the
keys in the secrets into the`tuf-system` namespace so that the job there has
keys in the secrets into the `tuf-system` namespace so that the job there has
enough information to construct the tuf root:

* fulcio-system/fulcio-pub-key
Expand All @@ -383,6 +383,20 @@ enough information to construct the tuf root:
* tsa-system/tsa-cert-chain
- cert-chain - Holds the certificate chain for TimeStamp Authority

Certificate chains for fulcio and TSA can either be provided in a single file
or in individual files. When providing as individual files, the following
file naming scheme has to be followed:

* `<target>_root.crt.pem`, e.g. `tsa_root.crt.pem`
* `<target>_intermediate_0.crt.pem`, e.g. `tsa_intermediate_0.crt.pem`
* `<target>_intermediate_1.crt.pem`, e.g. `tsa_intermediate_1.crt.pem`
* (more intermediates, but at most 10 intermediate certificates altogether)
* `<target>_leaf.crt.pem`, e.g. `tsa_leaf.crt.pem`

Intermediate certificates, if provided, must be ordered correctly:
`intermediate_0` is signed by `root`, `intermediate_1` is signed by
`intermediate_0` etc.

Once we have all that information in one place, we can construct a tuf root out
of it that can be used by tools like `cosign` and `policy-controller`.

Expand Down
12 changes: 9 additions & 3 deletions cmd/tuf/server/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -50,8 +50,10 @@ var (
// repository - Compressed repo, which has been tar/gzipped.
secretName = flag.String("rootsecret", "tuf-root", "Name of the secret to create for the initial root file")
// Name of the "secret" where we create one entry per key JSON definition as generated by TUF, e.g. "root.json", "timestamp.json", ...
keysSecretName = flag.String("keyssecret", "", "Name of the secret to create for generated keys (keys won't be stored unless this is provided)")
noK8s = flag.Bool("no-k8s", false, "Run in a non-k8s environment")
keysSecretName = flag.String("keyssecret", "", "Name of the secret to create for generated keys (keys won't be stored unless this is provided)")
noK8s = flag.Bool("no-k8s", false, "Run in a non-k8s environment")
metadataTargets = flag.Bool("metadata-targets", true, "Serve individual targets with custom Sigstore metadata. This will be deprecated and removed in the future.")
trustedRoot = flag.Bool("trusted-root", true, "Generate and serve trusted_root.json")
)

func getNamespaceAndClientset(noK8s bool) (string, *kubernetes.Clientset, error) {
Expand Down Expand Up @@ -126,7 +128,7 @@ func initTUFRepo(ctx context.Context, certsDir, targetDir, repoSecretName, keysS
}

// Create a new TUF root with the listed artifacts.
local, dir, err := repo.CreateRepo(ctx, files)
local, dir, err := repo.CreateRepoWithOptions(ctx, files, repo.CreateRepoOptions{AddMetadataTargets: *metadataTargets, AddTrustedRoot: *trustedRoot})
if err != nil {
return fmt.Errorf("failed to create repo: %v", err)
}
Expand Down Expand Up @@ -196,6 +198,10 @@ func main() {

ctx := signals.NewContext()

if *metadataTargets {
logging.FromContext(ctx).Warnf("Serving individual TUF targets with custom Sigstore metadata will be deprecated and removed in the future.")
}

serve := false
init := false
overwrite := true
Expand Down
4 changes: 4 additions & 0 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,9 @@ require (
github.com/sigstore/fulcio v1.6.3
github.com/sigstore/rekor v1.3.6
github.com/sigstore/sigstore v1.8.8
github.com/sigstore/sigstore-go v0.6.1-0.20240821212051-2198ac32dd94
github.com/sigstore/timestamp-authority v1.2.2
github.com/stretchr/testify v1.9.0
github.com/theupdateframework/go-tuf v0.7.0
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399
go.uber.org/zap v1.27.0
Expand Down Expand Up @@ -224,6 +226,7 @@ require (
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/prometheus/client_model v0.6.1 // indirect
github.com/prometheus/common v0.55.0 // indirect
github.com/prometheus/procfs v0.15.1 // indirect
Expand Down Expand Up @@ -252,6 +255,7 @@ require (
github.com/subosito/gotenv v1.6.0 // indirect
github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
github.com/thales-e-security/pool v0.0.2 // indirect
github.com/theupdateframework/go-tuf/v2 v2.0.0 // indirect
github.com/tjfoc/gmsm v1.4.1 // indirect
github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce // indirect
github.com/transparency-dev/merkle v0.0.2 // indirect
Expand Down
6 changes: 4 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -1198,6 +1198,8 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:
github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
github.com/in-toto/attestation v1.1.0 h1:oRWzfmZPDSctChD0VaQV7MJrywKOzyNrtpENQFq//2Q=
github.com/in-toto/attestation v1.1.0/go.mod h1:DB59ytd3z7cIHgXxwpSX2SABrU6WJUKg/grpdgHVgVs=
github.com/in-toto/in-toto-golang v0.9.0 h1:tHny7ac4KgtsfrG6ybU8gVOZux2H8jN05AXJ9EBM1XU=
github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3lUTQd+eF9HdeMo=
github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
Expand Down Expand Up @@ -1471,8 +1473,8 @@ github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8=
github.com/sigstore/rekor v1.3.6/go.mod h1:JDTSNNMdQ/PxdsS49DJkJ+pRJCO/83nbR5p3aZQteXc=
github.com/sigstore/sigstore v1.8.8 h1:B6ZQPBKK7Z7tO3bjLNnlCMG+H66tO4E/+qAphX8T/hg=
github.com/sigstore/sigstore v1.8.8/go.mod h1:GW0GgJSCTBJY3fUOuGDHeFWcD++c4G8Y9K015pwcpDI=
github.com/sigstore/sigstore-go v0.5.1 h1:5IhKvtjlQBeLnjKkzMELNG4tIBf+xXQkDzhLV77+/8Y=
github.com/sigstore/sigstore-go v0.5.1/go.mod h1:TuOfV7THHqiDaUHuJ5+QN23RP/YoKmsbwJpY+aaYPN0=
github.com/sigstore/sigstore-go v0.6.1-0.20240821212051-2198ac32dd94 h1:MoT4su5n2fVgwoXWPpXeHCvtY48BkxcONsySq1rHMiw=
github.com/sigstore/sigstore-go v0.6.1-0.20240821212051-2198ac32dd94/go.mod h1:+RyopI/FJDE6z5WVs2sQ2nkc+zsxxByDmbp8a4HoxbA=
github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.8 h1:2zHmUvaYCwV6LVeTo+OAkTm8ykOGzA9uFlAjwDPAUWM=
github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.8/go.mod h1:OEhheBplZinUsm7W9BupafztVZV3ldkAxEHbpAeC0Pk=
github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.8 h1:RKk4Z+qMaLORUdT7zntwMqKiYAej1VQlCswg0S7xNSY=
Expand Down
Loading

0 comments on commit 16ae89a

Please sign in to comment.