Use TUF to download key/cert material #351
Commits on Dec 20, 2022
- tuf: Add initial TUF trust root updater (commit a7598df)

  TrustUpdater can be used to fetch specific trust roots:
  * Currently supports fetching
    * ctfe keys and
    * the rekor key
  * Caches target files in ~/.cache/sigstore-python/
  * Stores metadata in ~/.local/share/sigstore-python/
  * Expects to either
    * find the metadata _for the given URL_ in metadata store
    * (for prod and stage only) find the bootstrap root.json in sigstore/_store

  The "API" that TrustUpdater provides is not meant to be final: it is the minimal one that should fulfill current needs.

  Nothing uses the TrustUpdater yet, but it's testable:

      >>> from sigstore._tuf import TrustUpdater, DEFAULT_TUF_URL
      >>> updater = TrustUpdater(DEFAULT_TUF_URL)
      >>> rekor_key_bytes = updater.get_rekor_key()

  Co-authored-by: Joshua Lock <jlock@vmware.com>
  Co-authored-by: wxjdsr <wxjdsr@126.com>
  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- Rekor: Refactor CTKeyring, Use TUF in prod/staging (commit e6d392e)

  CTKeyring:
  * Take bytes as constructor input: this makes it easier to feed things from either CLI arguments or the TUF trust updater.
  * Remove tests that no longer make sense. The prod/staging constant should still be tested but TUF is now used in the same flows: Unsure how to best test this.

  Use TUF to find the CTFE and rekor key when using "production" or "staging".

  Note that "staging" is currently untested: I am not sure even the URL makes sense.

  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- cli: Use TUF for rekor/ctfe keys if not in args (commit 22a6055)

  Use TUF to get CTFE/Rekor keys in the non-staging, non-production flow. As before, the assumption is that the user wants production keys in this case.

  Refactor TrustUpdater so that it does not do network traffic if nothing is requested.

  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- Fix linter issues in TUF related code (commit b6325fd)

  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- tuf: Fetch Fulcio certificates with TUF (commit c689fdb)

  * Assume that the active fulcio certs in the repository form a certificate chain that cryptography can ingest
  * Refactor RekorClient construction so that we avoid constructing multiple TrustUpdaters

  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- cli: Use production rekor key by default (commit d7b75c1)

  If this is not production or staging but the rekor key is not given, use production: this is what the original (non-tuf) code was doing as well.

  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- (commit 6386af7)

  https://tuf-root-staging.storage.googleapis.com/ does work as staging repository. There is still a bug somewhere as staging verify currently fails.

  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- _store: Add missing staging root.json (commit 29885ff)

  This is needed to bootstrap the TUF metadata with --staging.

  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- (commit e1712a7)

  Signed-off-by: William Woodruff <william@trailofbits.com>
- pyproject, sigstore/tuf: use appdirs for local state (commit b62a410)

  Signed-off-by: William Woodruff <william@trailofbits.com>
- (commit a8d1e4e)

  Signed-off-by: William Woodruff <william@trailofbits.com>
- _internal/tuf: disambiguate caches correctly (commit f75c866)

  Signed-off-by: William Woodruff <william@trailofbits.com>
- sign, verify, internal: refactor rekor client handling (commit 3a8f026)

  Signed-off-by: William Woodruff <william@trailofbits.com>
- test/verify: fix TestVerificationMaterials test (commit 7d80e93)

  Signed-off-by: William Woodruff <william@trailofbits.com>
Commits on Dec 21, 2022
- Refactor RekorClient construction once more (commit 1dd9c1f)

  * Bring back RekorClient.production() and RekorClient.staging(): these are simple but make the calling code slightly clearer maybe
  * Add a TrustUpdater argument to those methods: if you use production/staging, you need a TrustUpdater
  * The TrustUpdater can not be constructed inside RekorClient as other components may need it as well.

  It's not perfectly elegant for the caller but it's not horrible either:

      updater = TrustUpdater.staging()
      client = RekorClient.staging(updater)

  This design means TrustUpdater does not know anything about the sigstore mechanisms: it just discovers and downloads files.

  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- internal: Improve tuf docstrings (commit 8072f1d)

  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- (commit e85d6f4)

  No functional change, just refactor the target discovery into a single method.

  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- (commit 238f191)

  The test doesn't make a lot of sense now that the keys are not being read from the _store.

  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- _store: Remove all certificates and keys (commit 8632250)

  These are now made available via the _internal.tuf module.

  There is still a case to be made for embedding keys and certs in the wheel (to optimize the first run experience, and the experience for those who might not persist their caches, e.g. CI systems). But:
  * Testing this without embedded keys first likely makes sense: We get more experience and feedback on the trust update system
  * There should be some automated system that updates the embedded keys. Otherwise obsolete keys will be embedded and no-one notices.

  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- tests: Add mock TUF fetcher for staging (commit d342697)

  This allows running (otherwise offline) staging tests without network access.
  * Add a fixture that mocks tuf.ngclient fetcher: it returns files from test assets
  * Mark the relevant tests with mock_staging_tuf fixture
  * Mark test_verifier_production() as "online": there is no way to test production tuf repository offline as it expires every two weeks

  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- tests: Don't require network in parametrized setup (commit 5e5b280)

  Signer.production() and Signer.staging() now require a network connection for TUF initialization: they can't be used in parametrized test setup as that happens even if the test is marked online.

  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- cli: Silence python-tuf logging a little (commit 6a41e3a)

  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- (commit b54ed9f)

  This test asserts that we make the network requests that we expect:
  * Uses mock staging TUF repository
  * Uses empty HOME dir to ensure known starting point for caches
  * tests both cold and hot caches

  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- tests: Add basic test for TrustUpdater (commit 68425ed)

  Make sure the rekor key content is correct
  * use empty home dir
  * use mock TUF staging repository

  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- (commit 170096e)
- (commit 4ad04ce)

  Signed-off-by: William Woodruff <william@trailofbits.com>
- test/unit: put TUF assets under assets dir (commit ae9df01)

  Signed-off-by: William Woodruff <william@trailofbits.com>
- (commit a210a6f)

  Signed-off-by: William Woodruff <william@trailofbits.com>
- _store, _utils: remove obsolete comment, re-add helper (commit bbc6a99)

  Signed-off-by: William Woodruff <william@trailofbits.com>
- (commit 69f249e)

  Signed-off-by: William Woodruff <william@trailofbits.com>
- tuf: re-use our read_embedded helper (commit 03bdaf7)

  Signed-off-by: William Woodruff <william@trailofbits.com>
- (commit 476b8f4)

  Signed-off-by: William Woodruff <william@trailofbits.com>
- gitignore, test: allow staging-tuf assets (commit 3c88b26)

  Annoying.

  Signed-off-by: William Woodruff <william@trailofbits.com>
Commits on Dec 22, 2022
- tuf: Switch to using f-strings for logging (commit d9aa72c)

  Signed-off-by: Alex Cameron <asc@tetsuo.sh>
- Merge remote-tracking branch 'origin/main' into tuf-refactor (commit deadd3c)

  Signed-off-by: Alex Cameron <asc@tetsuo.sh>
- test: document TUF staging mock better (commit b1fdc9f)

  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- _internal/rekor: Mention updater arg in docstrings (commit cf4e46f)

  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- _internal/tuf: Reword a TODO into a NOTE (commit be7a6d7)

  This is a potential improvement, not a necessary one.

  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- _internal/tuf: Add nosec for mypy-related assert (commit b7c0bdb)

  Also tweak one annotation (remove unneeded quotes)

  Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- (commit e94d78c)
- _internal/tuf: replace nosec with type ignore (commit 4e7f680)

  Signed-off-by: William Woodruff <william@trailofbits.com>