Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make changes to Sigstore initialize #747

Merged
merged 1 commit into from
Oct 15, 2021
Merged

Make changes to Sigstore initialize #747

merged 1 commit into from
Oct 15, 2021

Conversation

asraa
Copy link
Contributor

@asraa asraa commented Sep 21, 2021
edited

Signed-off-by: Asra Ali asraa@google.com

Summary

Ticket Link

Fixes

Release Note

* Embedded the current Sigstore TUF repository metadata so that network calls do not occur when retrieving targets for verification unless metadata is expired or `cosign initialize` is explicitly run.
* Allowed a user to specify their own TUF repository root for verification targets by using `cosign initialize --root $ROOT --mirror $MIRROR`
  • Only makes network calls when the embedded or cached root is expired, or cosign initialize is explicitly run to check for updates (or a new root is provided)
  • Whenever a network call is made, the resulting new metadata is cached locally -- there is a TODO marked in the code as a follow up to respect an environment variable to not write locally.

@asraa asraa force-pushed the make-changes-cosign-init branch 2 times, most recently from f7021c8 to 301ac22 Compare September 28, 2021 17:42
@asraa asraa changed the title WIP Update sigstore root ux Make changes to Sigstore initialize Sep 28, 2021
@asraa asraa force-pushed the make-changes-cosign-init branch 2 times, most recently from 182246e to d02ca31 Compare September 28, 2021 17:54
@asraa
Copy link
Contributor Author

asraa commented Sep 28, 2021

This is ready for review now

dekkagaijin
dekkagaijin reviewed Sep 28, 2021
View reviewed changes
cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go
panic("error creating root cert pool")
}
if err := tuf.GetTarget(ctx, fulcioTargetStr, &buf); err != nil {
panic(errors.Wrap(err, "creating root cert pool"))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason why we're using panics instead of errors in this package?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This really shouldn't happen, but I'm not sure -- kind of was following existing code. We really should be getting these targets for any cosign verification, most of the callers expect these targets to be available.

I can plumb through errors, but it'll touch a bit of code

@n3wscott
Copy link
Contributor

n3wscott commented Oct 1, 2021

So sorry, I moved these files to keep them isolated. Can you rebase?

@asraa
Copy link
Contributor Author

asraa commented Oct 7, 2021

updated!

@dlorenc
Copy link
Member

dlorenc commented Oct 7, 2021

Looks like there's still a conflict :(

@asraa
Copy link
Contributor Author

asraa commented Oct 7, 2021

because somehow i never pushed :P thanks!

@dlorenc
Copy link
Member

dlorenc commented Oct 7, 2021

Looks like just a few lint errors now!

@asraa
update root ux
c160e42 
Signed-off-by: Asra Ali <asraa@google.com>
@dlorenc dlorenc merged commit 7d2d51d into sigstore:main Oct 15, 2021
@github-actions github-actions bot added this to the v1.3.0 milestone Oct 15, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dekkagaijin dekkagaijin dekkagaijin left review comments

@dlorenc dlorenc dlorenc approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.3.0
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@asraa @n3wscott @dlorenc @dekkagaijin