Fix a few bugs in cosign initialize (#1280)

* In getRoot, the metadata is always stored at the top level, not under repository/. * In Initialize, download all metadata and targets. This should avoid a disk write on verify. * Use path instead of filepath for Windows Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
sigstore · Jan 8, 2022 · 76e691b · 76e691b
1 parent b9d0d4a
commit 76e691b
Showing 1 changed file with 13 additions and 5 deletions.
diff --git a/pkg/cosign/tuf/client.go b/pkg/cosign/tuf/client.go
@@ -138,11 +138,12 @@ func New(ctx context.Context, remote client.RemoteStore, cacheRoot string) (*TUF
 }
 
 func getRoot(meta map[string]json.RawMessage) (json.RawMessage, error) {
-	trustedRoot, ok := meta[filepath.Join("repository", "root.json")]
+	trustedRoot, ok := meta["root.json"]
 	if ok {
 		return trustedRoot, nil
 	}
-	trustedRoot, err := embeddedRootRepo.ReadFile("repository/root.json")
+	// On first initialize, there will be no root in the TUF DB, so read from embedded.
+	trustedRoot, err := embeddedRootRepo.ReadFile(path.Join("repository", "root.json"))
 	if err != nil {
 		return nil, err
 	}
@@ -175,6 +176,9 @@ func Initialize(remote client.RemoteStore, root []byte) error {
 	if err := c.Init(rootKeys, rootThreshold); err != nil {
 		return errors.Wrap(err, "initializing root")
 	}
+	if err := updateMetadataAndDownloadTargets(c, newFileImpl()); err != nil {
+		return errors.Wrap(err, "updating local metadata and targets")
+	}
 	return nil
 }
 
@@ -259,8 +263,12 @@ func getRootKeys(rootFileBytes []byte) ([]*data.PublicKey, int, error) {
 }
 
 func (t *TUF) updateMetadataAndDownloadTargets() error {
+	return updateMetadataAndDownloadTargets(t.client, t.targets)
+}
+
+func updateMetadataAndDownloadTargets(c *client.Client, t targetImpl) error {
 	// Download updated targets and cache new metadata and targets in ${TUF_ROOT}.
-	targetFiles, err := t.client.Update()
+	targetFiles, err := c.Update()
 	if err != nil && !client.IsLatestSnapshot(err) {
 		return errors.Wrap(err, "updating tuf metadata")
 	}
@@ -269,10 +277,10 @@ func (t *TUF) updateMetadataAndDownloadTargets() error {
 	// If the cache directory is enabled, update that too.
 	for name := range targetFiles {
 		buf := bytes.Buffer{}
-		if err := downloadRemoteTarget(name, t.client, &buf); err != nil {
+		if err := downloadRemoteTarget(name, c, &buf); err != nil {
 			return err
 		}
-		if err := t.targets.Set(name, buf.Bytes()); err != nil {
+		if err := t.Set(name, buf.Bytes()); err != nil {
 			return err
 		}
 	}