From 76e691beed54ccd72a08fae322fd2babec655f20 Mon Sep 17 00:00:00 2001
From: Hayden B
Date: Fri, 7 Jan 2022 17:57:46 -0800
Subject: [PATCH] Fix a few bugs in cosign initialize (#1280)

* In getRoot, the metadata is always stored at the top level, not under repository/.
* In Initialize, download all metadata and targets. This should avoid a disk write on verify.
* Use path instead of filepath for Windows

Signed-off-by: Hayden Blauzvern
---
 pkg/cosign/tuf/client.go | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/pkg/cosign/tuf/client.go b/pkg/cosign/tuf/client.go
index 3dce9709cbf..b406d22ed07 100644
--- a/pkg/cosign/tuf/client.go
+++ b/pkg/cosign/tuf/client.go
@@ -138,11 +138,12 @@ func New(ctx context.Context, remote client.RemoteStore, cacheRoot string) (*TUF
 }
 func getRoot(meta map[string]json.RawMessage) (json.RawMessage, error) {
- trustedRoot, ok := meta[filepath.Join("repository", "root.json")]
+ trustedRoot, ok := meta["root.json"]
 if ok {
 return trustedRoot, nil
 }
- trustedRoot, err := embeddedRootRepo.ReadFile("repository/root.json")
+ // On first initialize, there will be no root in the TUF DB, so read from embedded.
+ trustedRoot, err := embeddedRootRepo.ReadFile(path.Join("repository", "root.json"))
 if err != nil {
 return nil, err
 }
@@ -175,6 +176,9 @@ func Initialize(remote client.RemoteStore, root []byte) error {
 if err := c.Init(rootKeys, rootThreshold); err != nil {
 return errors.Wrap(err, "initializing root")
 }
+ if err := updateMetadataAndDownloadTargets(c, newFileImpl()); err != nil {
+ return errors.Wrap(err, "updating local metadata and targets")
+ }
 return nil
 }
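Review bot: getRoot still has no doc comment, and the new inline comment only explains the embedded fallback; the function's contract — the trust anchor is the local store's top-level `root.json` entry when present, otherwise the embedded `repository/root.json` — belongs above the signature, e.g. `// getRoot returns the trusted root: the local store's "root.json" when present, else the embedded repository root used on first initialization.` The switch to `path.Join` is correct if `embeddedRootRepo` is an `embed.FS` (presumably so, given the name), since embedded paths are slash-separated on every OS; a short comment such as `// embed.FS paths are always slash-separated, so path (not filepath) is right here.` would stop a later reader from reverting it. getRoot's body continues past the end of the hunk.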
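Review bot: Initialize now performs a remote update and writes metadata and targets into the cache immediately after `c.Init`, and its doc comment (above the hunk, not visible here) should say so, including that a failure at the new call leaves the root stored but the cache incomplete; something like `// Initialize stores root as the trust anchor, then fetches the current metadata and all targets into the local cache so later verifies need no writes.` would cover it. Whether `newFileImpl()` resolves the same cache location that `New` later reads cannot be confirmed from this hunk; if it derives it independently from `${TUF_ROOT}` (the comment in the next hunk hints at that), a one-line comment at the call site naming that assumption would help. Initialize's body starts before the hunk.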
@@ -259,8 +263,12 @@ func getRootKeys(rootFileBytes []byte) ([]*data.PublicKey, int, error) {
 }
 func (t *TUF) updateMetadataAndDownloadTargets() error {
+ return updateMetadataAndDownloadTargets(t.client, t.targets)
+}
+
+func updateMetadataAndDownloadTargets(c *client.Client, t targetImpl) error {
 // Download updated targets and cache new metadata and targets in ${TUF_ROOT}.
- targetFiles, err := t.client.Update()
+ targetFiles, err := c.Update()
 if err != nil && !client.IsLatestSnapshot(err) {
 return errors.Wrap(err, "updating tuf metadata")
 }
@@ -269,10 +277,10 @@ func (t *TUF) updateMetadataAndDownloadTargets() error {
 // If the cache directory is enabled, update that too.
 for name := range targetFiles {
 buf := bytes.Buffer{}
- if err := downloadRemoteTarget(name, t.client, &buf); err != nil {
+ if err := downloadRemoteTarget(name, c, &buf); err != nil {
 return err
 }
- if err := t.targets.Set(name, buf.Bytes()); err != nil {
+ if err := t.Set(name, buf.Bytes()); err != nil {
 return err
 }
 }
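Review bot: The new free function names its `targetImpl` parameter `t`, the same letter the wrapper method directly above uses for its `*TUF` receiver, so `t.Set(...)` in the following hunk reads like a call on the TUF client rather than on the target store; `func updateMetadataAndDownloadTargets(c *client.Client, targets targetImpl) error` together with `if err := targets.Set(name, buf.Bytes()); err != nil {` in the next hunk keeps the two roles apart. The function also lacks a doc comment, and the surviving `// Download updated targets ...` line describes only the first step; `// updateMetadataAndDownloadTargets runs a TUF update through c and stores every target listed in the refreshed metadata into targets.` above the signature would state the whole contract. The body continues into the next hunk and past it.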
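Review bot: Each target is written to the cache with `t.Set` straight from `buf`, and nothing in this hunk shows the bytes being checked against the length and hashes in the refreshed targets metadata; presumably `downloadRemoteTarget` does that through the client, but it is defined outside the hunk. A comment on the loop, `// downloadRemoteTarget is expected to verify each target against the current targets metadata before it is cached.`, would make that trust boundary explicit, and if the helper does not verify, the check belongs here before `Set`. The enclosing function starts in the previous hunk and ends after this one.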