update root ux

Signed-off-by: Asra Ali <asraa@google.com>

cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go

@@ -25,8 +25,7 @@ import (
 	"strings"
 	"sync"
 
-	_ "embed" // To enable the `go:embed` directive.
-
+	"github.com/pkg/errors"
 	"github.com/sigstore/cosign/pkg/cosign/tuf"
 )
 
@@ -36,9 +35,6 @@ var (
 )
 
 // This is the root in the fulcio project.
-//go:embed fulcio.pem
-var rootPem string
-
 var fulcioTargetStr = `fulcio.crt.pem`
 
 const (
@@ -64,22 +60,17 @@ func initRoots() *x509.CertPool {
 			panic("error creating root cert pool")
 		}
 	} else {
-		// First try retrieving from TUF root. Otherwise use rootPem.
+		// Retrieve from the embedded or cached TUF root. If expired, a network
+		// call is made to update the root.
 		ctx := context.Background() // TODO: pass in context?
 		buf := tuf.ByteDestination{Buffer: &bytes.Buffer{}}
-		err := tuf.GetTarget(ctx, fulcioTargetStr, &buf)
-		if err != nil {
-			// The user may not have initialized the local root metadata. Log the error and use the embedded root.
-			fmt.Fprintln(os.Stderr, "No TUF root installed, using embedded CA certificate.")
-			if !cp.AppendCertsFromPEM([]byte(rootPem)) {
-				panic("error creating root cert pool")
-			}
-		} else {
-			// TODO: Remove the string replace when SigStore root is updated.
-			replaced := strings.ReplaceAll(buf.String(), "\n  ", "\n")
-			if !cp.AppendCertsFromPEM([]byte(replaced)) {
-				panic("error creating root cert pool")
-			}
+		if err := tuf.GetTarget(ctx, fulcioTargetStr, &buf); err != nil {
+			panic(errors.Wrap(err, "creating root cert pool"))
+		}
+		// TODO: Remove the string replace when SigStore root is updated.
+		replaced := strings.ReplaceAll(buf.String(), "\n  ", "\n")
+		if !cp.AppendCertsFromPEM([]byte(replaced)) {
+			panic("error creating root cert pool")
 		}
 	}
 	return cp

cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go

@@ -16,8 +16,8 @@
 package fulcioverifier
 
 import (
+	"bytes"
 	"context"
-	_ "embed" // To enable the `go:embed` directive.
 	"encoding/json"
 	"fmt"
 	"os"
@@ -30,19 +30,31 @@ import (
 
 	"github.com/sigstore/cosign/cmd/cosign/cli/fulcio"
 	"github.com/sigstore/cosign/pkg/cosign"
+	"github.com/sigstore/cosign/pkg/cosign/tuf"
 	fulcioClient "github.com/sigstore/fulcio/pkg/generated/client"
 )
 
-// This is the CT log public key
-//go:embed ctfe.pub
-var ctPublicKey string
+// This is the CT log public key target name
+var ctPublicKeyStr = `ctfe.pub`
+
+func getCTPub() string {
+	ctx := context.Background() // TODO: pass in context?
+	buf := tuf.ByteDestination{Buffer: &bytes.Buffer{}}
+	// Retrieves the CT public key from the embedded or cached TUF root. If expired, makes a
+	// network call to retrieve the updated target.
+	if err := tuf.GetTarget(ctx, ctPublicKeyStr, &buf); err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		panic("error retrieving CT public key")
+	}
+	return buf.String()
+}
 
 // verifySCT verifies the SCT against the Fulcio CT log public key
 // The SCT is a `Signed Certificate Timestamp`, which promises that
 // the certificate issued by Fulcio was also added to the public CT log within
 // some defined time period
 func verifySCT(certPEM, rawSCT []byte) error {
-	pubKey, err := cosign.PemToECDSAKey([]byte(ctPublicKey))
+	pubKey, err := cosign.PemToECDSAKey([]byte(getCTPub()))
 	if err != nil {
 		return err
 	}

cmd/cosign/cli/initialize/init.go

@@ -21,14 +21,10 @@ import (
 	"flag"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-
 	"github.com/sigstore/cosign/pkg/blob"
-	ctuf "github.com/sigstore/cosign/pkg/cosign/tuf"
+	"github.com/sigstore/cosign/pkg/cosign/tuf"
 )
 
-//go:embed 1.root.json
-var initialRoot string
-
 func Initialize() *ffcli.Command {
 	var (
 		flagset = flag.NewFlagSet("cosign initialize", flag.ExitOnError)
@@ -44,13 +40,14 @@ func Initialize() *ffcli.Command {
 		LongHelp: `Initializes SigStore root to retrieve trusted certificate and key targets for verification.
 
 The following options are used by default:
-	- The initial 1.root.json is embedded inside cosign.
-	- SigStore current TUF repository is pulled from the GCS mirror at sigstore-tuf-root.
+	- The current trusted Sigstore TUF root is embedded inside cosign at the time of release.
+	- SigStore remote TUF repository is pulled from the GCS mirror at sigstore-tuf-root.
 	- A default threshold of 3 root signatures is used. 
 
 To provide an out-of-band trusted initial root.json, use the -root flag with a file or URL reference.
+This will enable you to point cosign to a separate TUF root.
 
-The resulting updated TUF repository will be written to $HOME/.sigstore/root/. 
+Any updated TUF repository will be written to $HOME/.sigstore/root/.
 
 Trusted keys and certificate used in cosign verification (e.g. verifying Fulcio issued certificates 
 with Fulcio root CA) are pulled form the trusted metadata.
@@ -59,8 +56,8 @@ EXAMPLES
   # initialize root with distributed root keys, default mirror, and default out path.
   cosign initialize
 
-  # initialize with an out-of-band root key file.
-  cosign initialize
+  # initialize with an out-of-band root key file, using the default mirror.
+  cosign initialize -root <url>
 
   # initialize with an out-of-band root key file and custom repository mirror.
   cosign initialize -mirror <url> -root <url>
@@ -69,24 +66,27 @@ EXAMPLES
 		Exec: func(ctx context.Context, args []string) error {
 			// Get the initial trusted root contents.
 			var rootFileBytes []byte
-			if *root == "" {
-				rootFileBytes = []byte(initialRoot)
-			} else {
-				var err error
+			var err error
+			if *root != "" {
 				rootFileBytes, err = blob.LoadFileOrURL(*root)
 				if err != nil {
 					return err
 				}
+			} else {
+				rootFileBytes, err = tuf.GetEmbeddedRoot()
+				if err != nil {
+					return err
+				}
 			}
 
 			// Initialize the remote repository.
-			remote, err := ctuf.GcsRemoteStore(ctx, *mirror, nil, nil)
+			remote, err := tuf.GcsRemoteStore(ctx, *mirror, nil, nil)
 			if err != nil {
 				return err
 			}
 
 			// Initialize and update the local SigStore root.
-			return ctuf.Init(ctx, rootFileBytes, remote, *threshold)
+			return tuf.Init(context.Background(), rootFileBytes, remote, *threshold)
 		},
 	}
 }

pkg/cosign/tlog.go

@@ -20,11 +20,8 @@ import (
 	"encoding/base64"
 	"encoding/hex"
 	"fmt"
-	"os"
 	"strings"
 
-	_ "embed" // To enable the `go:embed` directive.
-
 	"github.com/go-openapi/strfmt"
 	"github.com/go-openapi/swag"
 	"github.com/google/trillian/merkle/logverifier"
@@ -41,20 +38,16 @@ import (
 	rekord_v001 "github.com/sigstore/rekor/pkg/types/rekord/v0.0.1"
 )
 
-// This is rekor's public key, via `curl -L rekor.sigstore.dev/api/ggcrv1/log/publicKey`
-// rekor.pub should be updated whenever the Rekor public key is rotated & the bundle annotation should be up-versioned
-//go:embed rekor.pub
-var rekorPub string
+// This is the rekor public key target name
 var rekorTargetStr = `rekor.pub`
 
 func GetRekorPub() string {
 	ctx := context.Background() // TODO: pass in context?
 	buf := tuf.ByteDestination{Buffer: &bytes.Buffer{}}
-	err := tuf.GetTarget(ctx, rekorTargetStr, &buf)
-	if err != nil {
-		// The user may not have initialized the local root metadata. Log the error and use the embedded root.
-		fmt.Fprintln(os.Stderr, "No TUF root installed, using embedded rekor key")
-		return rekorPub
+	// Retrieves the rekor public key from the embedded or cached TUF root. If expired, makes a
+	// network call to retrieve the updated target.
+	if err := tuf.GetTarget(ctx, rekorTargetStr, &buf); err != nil {
+		panic("error retrieving rekor public key")
 	}
 	return buf.String()
 }