Fetch verification targets by TUF custom metadata #1423
Conversation
haydentherapper
force-pushed
the
verify-old
branch
from
cb78b01
to
aad1f53
Compare
|
These test failures look related to the PR, any idea? |
haydentherapper
force-pushed
the
verify-old
branch
from
9d29d19
to
10987bd
Compare
|
Reran tests, the unit tests succeeded (I saw the flaky "timestamp.json" off by two bytes), but the KinD e2e tests are failing. Investigating now |
|
It appears the tests collided with an ongoing distroless release. It pulled the latest image before signing was complete. No more errors! |
haydentherapper
force-pushed
the
verify-old
branch
from
bd2fb54
to
e8d3e91
Compare
|
Cc @znewman01 could you take a look? |
Yup, sometime in the next couple hours. |
haydentherapper
force-pushed
the
verify-old
branch
from
1c0bdc9
to
a911047
Compare
|
|
||
| import "testing" | ||
|
|
||
| func TestGetFulcioRoots(t *testing.T) { |
There was a problem hiding this comment.
Pardon my unfamiliarity with the codebase here.
I don't really understand this test -- we make a TUF client using tuf.NewFromEnv() which AFAICT looks in ~/.sigstore/root by default. Is there some test fixture that sets TUF up for us?
There was a problem hiding this comment.
You're correct, this just ends up relying on the embedded root. I want to refactor the tests in a later PR to use the test utility newTufCustomRepo or newTufRepo so we can generate an instance of the TUF repository that we can easily manipulate to test different edge cases. For now, this test just aims to increase code coverage and exercise Get.
| t.Error(err) | ||
| } | ||
| if l := dirLen(t, tufRoot); l == 0 { | ||
| t.Errorf("expected filesystem writes, got %d entries", l) |
There was a problem hiding this comment.
I'm a little puzzled by "expected filesystem writes". Can you clarify?
There was a problem hiding this comment.
It's a check to make sure Initialize wrote something to the tufRoot directory.
| if err != nil { | ||
| return err | ||
| } | ||
| // Is there a reason why this must be ECDSA key? |
There was a problem hiding this comment.
The code makes assumptions about all of the TUF targets. We should clearly document these assumptions in cosign/root-signing. We could add support for other keys if there was a need, and it might come up with BYO-TUF. I'd encourage others to use ECDSA, primarily because you can have much smaller keys and get the same security strength.
|
|
||
| import "testing" | ||
|
|
||
| func TestGetFulcioRoots(t *testing.T) { |
There was a problem hiding this comment.
You're correct, this just ends up relying on the embedded root. I want to refactor the tests in a later PR to use the test utility newTufCustomRepo or newTufRepo so we can generate an instance of the TUF repository that we can easily manipulate to test different edge cases. For now, this test just aims to increase code coverage and exercise Get.
| if err != nil { | ||
| return err | ||
| } | ||
| // Is there a reason why this must be ECDSA key? |
There was a problem hiding this comment.
The code makes assumptions about all of the TUF targets. We should clearly document these assumptions in cosign/root-signing. We could add support for other keys if there was a need, and it might come up with BYO-TUF. I'd encourage others to use ECDSA, primarily because you can have much smaller keys and get the same security strength.
| t.Error(err) | ||
| } | ||
| if l := dirLen(t, tufRoot); l == 0 { | ||
| t.Errorf("expected filesystem writes, got %d entries", l) |
There was a problem hiding this comment.
It's a check to make sure Initialize wrote something to the tufRoot directory.
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
This uses GetTargetsByMeta to read the targets using the custom metadata, or fallback to the old targets by filename. Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
haydentherapper
force-pushed
the
verify-old
branch
from
2b118ec
to
4a8f560
Compare
* Add TUF client method for fetching by metadata Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> * Fetch verification targets by TUF custom metadata This uses GetTargetsByMeta to read the targets using the custom metadata, or fallback to the old targets by filename. Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> * Resolve PR comments, linter, and update tests Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
* Add TUF client method for fetching by metadata Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> * Fetch verification targets by TUF custom metadata This uses GetTargetsByMeta to read the targets using the custom metadata, or fallback to the old targets by filename. Signed-off-by: Hayden Blauzvern <hblauzvern@google.com> * Resolve PR comments, linter, and update tests Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
Summary
Continuing #1273, this adds support for fetching a list of TUF targets by custom metadata. This will be used for verification using expired/rotated targets. All targets will be persisted in the TUF target metadata. Only one will be marked as
activewhile the others are marked asexpired.The custom metadata on a target looks like looks like:
Possible statuses are
activeorexpired, and possible usages arefulcio,rekor, andctfe.unknownis also supported for each as a default value.To test this, I:
Next steps:
Statusof the custom metadata to inform users when verifying with an expired targetTicket Link
Fixes #1342
Ref #1273
Release Note