Sync TUF cache used for sigstore bundle verification #166
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Meredith Lancaster <malancas@github.com>
Signed-off-by: Meredith Lancaster <malancas@github.com>
Signed-off-by: Meredith Lancaster <malancas@github.com>
Signed-off-by: Meredith Lancaster <malancas@github.com>
malancas
changed the title
phillmv
reviewed
Jun 14, 2024
pkg/tuf/repo.go
Outdated
| ) | ||
|
|
||
| // GetTrustedRoot returns the trusted root for the TUF repository. | ||
| func GetTrustedRoot() (*root.TrustedRoot, error) { | ||
| once.Do(func() { | ||
| now := time.Now().UTC() | ||
| if timestamp.IsZero() || timestamp.Before(now.Add(-24*time.Hour)) { |
There was a problem hiding this comment.
🤔 Before(now.Add(-24*Hour) doesn't quite roll off the tongue. What about,
is now 24hrs after the last time we checked?
now.After(timestamp.Add(24*time.Hour))
(assuming I didn't mess up the math, time math is notoriously tricky)
There was a problem hiding this comment.
That seems easier to understand to me
Signed-off-by: Meredith Lancaster <malancas@github.com>
codysoyland
pushed a commit
that referenced
this pull request
Jun 24, 2024
* sync tuf cache used for sigstore bundle verification Signed-off-by: Meredith Lancaster <malancas@github.com> * remove singleton err Signed-off-by: Meredith Lancaster <malancas@github.com> * start adding lock Signed-off-by: Meredith Lancaster <malancas@github.com> * Use RWMutex Signed-off-by: Meredith Lancaster <malancas@github.com> * pr feedback Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com>
codysoyland
pushed a commit
that referenced
this pull request
Jul 9, 2024
* sync tuf cache used for sigstore bundle verification Signed-off-by: Meredith Lancaster <malancas@github.com> * remove singleton err Signed-off-by: Meredith Lancaster <malancas@github.com> * start adding lock Signed-off-by: Meredith Lancaster <malancas@github.com> * Use RWMutex Signed-off-by: Meredith Lancaster <malancas@github.com> * pr feedback Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com>
codysoyland
pushed a commit
that referenced
this pull request
Sep 16, 2024
* sync tuf cache used for sigstore bundle verification Signed-off-by: Meredith Lancaster <malancas@github.com> * remove singleton err Signed-off-by: Meredith Lancaster <malancas@github.com> * start adding lock Signed-off-by: Meredith Lancaster <malancas@github.com> * Use RWMutex Signed-off-by: Meredith Lancaster <malancas@github.com> * pr feedback Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com>
codysoyland
pushed a commit
that referenced
this pull request
Oct 10, 2024
* sync tuf cache used for sigstore bundle verification Signed-off-by: Meredith Lancaster <malancas@github.com> * remove singleton err Signed-off-by: Meredith Lancaster <malancas@github.com> * start adding lock Signed-off-by: Meredith Lancaster <malancas@github.com> * Use RWMutex Signed-off-by: Meredith Lancaster <malancas@github.com> * pr feedback Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com>
codysoyland
pushed a commit
that referenced
this pull request
Nov 18, 2024
* sync tuf cache used for sigstore bundle verification Signed-off-by: Meredith Lancaster <malancas@github.com> * remove singleton err Signed-off-by: Meredith Lancaster <malancas@github.com> * start adding lock Signed-off-by: Meredith Lancaster <malancas@github.com> * Use RWMutex Signed-off-by: Meredith Lancaster <malancas@github.com> * pr feedback Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com>
codysoyland
pushed a commit
that referenced
this pull request
Jan 7, 2025
* sync tuf cache used for sigstore bundle verification Signed-off-by: Meredith Lancaster <malancas@github.com> * remove singleton err Signed-off-by: Meredith Lancaster <malancas@github.com> * start adding lock Signed-off-by: Meredith Lancaster <malancas@github.com> * Use RWMutex Signed-off-by: Meredith Lancaster <malancas@github.com> * pr feedback Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com>
codysoyland
pushed a commit
that referenced
this pull request
Mar 27, 2025
* sync tuf cache used for sigstore bundle verification Signed-off-by: Meredith Lancaster <malancas@github.com> * remove singleton err Signed-off-by: Meredith Lancaster <malancas@github.com> * start adding lock Signed-off-by: Meredith Lancaster <malancas@github.com> * Use RWMutex Signed-off-by: Meredith Lancaster <malancas@github.com> * pr feedback Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com>
codysoyland
pushed a commit
that referenced
this pull request
Apr 10, 2025
* sync tuf cache used for sigstore bundle verification Signed-off-by: Meredith Lancaster <malancas@github.com> * remove singleton err Signed-off-by: Meredith Lancaster <malancas@github.com> * start adding lock Signed-off-by: Meredith Lancaster <malancas@github.com> * Use RWMutex Signed-off-by: Meredith Lancaster <malancas@github.com> * pr feedback Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com>
jkylekelly
pushed a commit
that referenced
this pull request
Jul 24, 2025
Signed-off-by: Cody Soyland <codysoyland@github.com> Sync TUF cache used for sigstore bundle verification (#166) * sync tuf cache used for sigstore bundle verification Signed-off-by: Meredith Lancaster <malancas@github.com> * remove singleton err Signed-off-by: Meredith Lancaster <malancas@github.com> * start adding lock Signed-off-by: Meredith Lancaster <malancas@github.com> * Use RWMutex Signed-off-by: Meredith Lancaster <malancas@github.com> * pr feedback Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com> Fix shadowed trustedroot (#178) * Fix shadowed variable bug This code caused the singleton `trustedRoot` to be returned as nil on subsequent calls. The singleton was shadowed when the variable was redeclared in the `if` block. Signed-off-by: Cody Soyland <codysoyland@github.com> * Remove unused singleton `singletonRootError` was never returned without being overwritten, so it was essentially unused. I think it's wise to always retry the TUF call on future invocations in case of network errors. Signed-off-by: Cody Soyland <codysoyland@github.com> --------- Signed-off-by: Cody Soyland <codysoyland@github.com> Update go.mod Signed-off-by: Cody Soyland <codysoyland@github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Part of https://github.com/github/package-security/issues/1732
Update
GetTrustedRootto sync the TUF cache every 24 hours. I will look into threading the newtrustroot-resync-periodflag down to this function to the resync period is no longer hardcoded in a follow up.