
TUF integration #274

Merged
bdehamer merged 9 commits into main from bdehamer/tuf on Feb 2, 2023

Conversation

@bdehamer (Collaborator)

Summary

Integrates the tuf-js library and wires it up to the Sigstore TUF repository.

The current implementation queries the TUF repo for the various Rekor/Fulcio/CTFE keys/certs and assembles them into a structure which matches the TrustedRoot protobuf. At some point, the Sigstore TUF repo will provide a serialized version of the TrustedRoot directly and a lot of this code will go away (sigstore/root-signing#584).

@bdehamer bdehamer requested a review from a team as a code owner January 27, 2023 23:12
@bdehamer bdehamer force-pushed the bdehamer/tuf branch 2 times, most recently from deeaac8 to 7f6a9ef Compare January 27, 2023 23:27
@feelepxyz (Member) left a comment

Awesome! Looks broadly good, the one thing I'm wondering about is error handling in downstream users like npm. Will we be able to catch and show helpful errors or retry? Worth adding any tests around errors fetching these tuf files?

Review comments on: src/sigstore.ts (outdated), src/tuf/index.ts (2)
@bdehamer bdehamer force-pushed the bdehamer/tuf branch 3 times, most recently from 8a53f0f to f6fd64c Compare January 31, 2023 16:49
@bdehamer (Collaborator, Author)

> I'm wondering about is error handling in downstream users like npm. Will we be able to catch and show helpful errors or retry? Worth adding any tests around errors fetching these tuf files?

I updated things a bit so that errors thrown from our TUF client are caught and rethrown as something that will be more friendly to sigstore-js consumers. Retry on error is already something baked-in to the TUF client so we don't need to do anything here.

Review comments on: src/sigstore.ts (outdated), src/tuf/index.ts (outdated)
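The two pieces discussed above, the PR description's "query the TUF repo for Rekor/Fulcio/CTFE material and assemble a TrustedRoot-shaped structure" and the reply's "catch TUF client errors and rethrow something friendlier", as one added example. This is not code from this PR or from sigstore-js. Assumptions: the target names, the `custom.sigstore.{usage,status}` fields and the TrustedRoot field names are modelled on the public Sigstore TUF repo rather than copied from the project; the real client (the tuf-js Updater) is asynchronous and fetches over HTTP, whereas the fetcher here is synchronous and backed by constructed in-memory records so the block runs offline.

```typescript
// Added example (not sigstore-js code). Field names, target names and the
// TrustedRoot shape are assumptions; sample PEM bodies are constructed.

type SigstoreUsage = 'Fulcio' | 'Rekor' | 'CTFE';
type SigstoreStatus = 'Active' | 'Expired';

interface TargetRecord {
  custom: { sigstore: { usage: SigstoreUsage; status: SigstoreStatus } };
  body: string; // PEM text of the downloaded target (constructed below)
}

// Simplified shape; the real protobuf also carries validity windows, log IDs, etc.
interface TrustedRoot {
  certificateAuthorities: { certChain: string[] }[];
  tlogs: { publicKey: string }[];
  ctlogs: { publicKey: string }[];
}

// Friendly error surfaced to consumers: the original failure is kept for
// debugging, but the message is something a downstream tool could print as-is.
class TUFError extends Error {
  readonly inner: unknown;
  constructor(message: string, inner: unknown) {
    super(message);
    this.name = 'TUFError';
    this.inner = inner;
  }
}

type FetchTarget = (name: string) => TargetRecord;

// Wrap whatever the TUF client throws (network, metadata, signature failures)
// into a TUFError that names the target that could not be fetched.
function fetchOrWrap(fetchTarget: FetchTarget, name: string): TargetRecord {
  try {
    return fetchTarget(name);
  } catch (err) {
    const detail = err instanceof Error ? err.message : String(err);
    throw new TUFError(`error fetching TUF target ${name}: ${detail}`, err);
  }
}

function assembleTrustedRoot(fetchTarget: FetchTarget, targetNames: string[]): TrustedRoot {
  const root: TrustedRoot = { certificateAuthorities: [], tlogs: [], ctlogs: [] };
  for (const name of targetNames) {
    const target = fetchOrWrap(fetchTarget, name);
    const { usage, status } = target.custom.sigstore;
    // Only Active material enters this root. A verifier that must validate
    // artifacts signed under retired keys would instead keep Expired entries
    // together with their validity window.
    if (status !== 'Active') continue;
    switch (usage) {
      case 'Fulcio':
        root.certificateAuthorities.push({ certChain: [target.body] });
        break;
      case 'Rekor':
        root.tlogs.push({ publicKey: target.body });
        break;
      case 'CTFE':
        root.ctlogs.push({ publicKey: target.body });
        break;
    }
  }
  // A root without a CA or a transparency log cannot verify anything, so fail
  // loudly instead of handing consumers an object that rejects every bundle.
  if (root.certificateAuthorities.length === 0 || root.tlogs.length === 0) {
    throw new TUFError('incomplete trust root: missing Fulcio CA or Rekor key', undefined);
  }
  return root;
}

// Constructed sample targets standing in for files served by the TUF repo.
const pem = (label: string, tag: string): string =>
  `-----BEGIN ${tag}-----\n${label}-constructed-base64\n-----END ${tag}-----`;

const CONSTRUCTED_TARGETS: Record<string, TargetRecord> = {
  'fulcio_v1.crt.pem': { custom: { sigstore: { usage: 'Fulcio', status: 'Active' } }, body: pem('fulcio-v1', 'CERTIFICATE') },
  'fulcio.crt.pem': { custom: { sigstore: { usage: 'Fulcio', status: 'Expired' } }, body: pem('fulcio-v0', 'CERTIFICATE') },
  'rekor.pub': { custom: { sigstore: { usage: 'Rekor', status: 'Active' } }, body: pem('rekor', 'PUBLIC KEY') },
  'ctfe.pub': { custom: { sigstore: { usage: 'CTFE', status: 'Active' } }, body: pem('ctfe', 'PUBLIC KEY') },
};

function constructedFetch(name: string): TargetRecord {
  const t = CONSTRUCTED_TARGETS[name];
  if (!t) throw new Error(`${name} not found in targets metadata`);
  return t;
}

// Happy path: one active CA (the expired one is skipped), one Rekor key, one CTFE key.
function buildRootFromConstructedRepo(): TrustedRoot {
  return assembleTrustedRoot(constructedFetch, Object.keys(CONSTRUCTED_TARGETS));
}

// Failure path: a missing target surfaces as a TUFError naming that target.
function errorForMissingTarget(): string {
  try {
    assembleTrustedRoot(constructedFetch, ['fulcio_v1.crt.pem', 'rekor.pub', 'missing.pub']);
    return 'no error';
  } catch (err) {
    return err instanceof TUFError ? err.message : 'unexpected error type';
  }
}
```

With a real client, `fetchTarget` would be the closure that calls the tuf-js Updater (refresh, getTargetInfo, downloadTarget) and reads the file back; retries on transient fetch failures stay inside the TUF client, as the reply notes, so the wrapper only needs to translate the final failure.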
@kommendorkapten (Member)

Nice job 👍

Signed-off-by: Brian DeHamer <[email protected]>
Assembles a TrustedRoot from cert/key material in the Sigstore TUF
repository.

Signed-off-by: Brian DeHamer <[email protected]>
@kommendorkapten (Member) left a comment

Nice work!

@bdehamer bdehamer merged commit 720113c into main Feb 2, 2023
@bdehamer bdehamer deleted the bdehamer/tuf branch February 2, 2023 17:40
Review comment on this excerpt from the PR (the original snippet ends at the `accessSync` call; the catch branch and return added here to make it well-formed are assumed):

```ts
import * as fs from 'fs';
import * as os from 'os';
function defaultCacheDir(): string {
  let cacheRootDir = os.homedir();
  try {
    fs.accessSync(os.homedir(), fs.constants.W_OK | fs.constants.R_OK);
  } catch { cacheRootDir = os.tmpdir(); } // excerpt ends at accessSync; this fallback is assumed
  return cacheRootDir;
}
```
(Member) commented on the excerpt above:

TIL about fs.access, nice!

@feelepxyz (Member)

Awesome work getting this in! 🥳
