Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Generate trusted_root.json in the TUF server #1235

Merged
merged 6 commits into from
Aug 29, 2024

Conversation

bkabrda
Copy link
Contributor

@bkabrda bkabrda commented Aug 22, 2024

Summary

This PR replaces #1191 and is the last PR to address #1182 to make the TUF server useful for prod deployment - it allows for generating the trusted_root.json file and serving it as one of the TUF targets. It does the same as #1191, but uses the new functionality from sigstore-go.

Release Note

The TUF server was improved to generate a trusted_root.json target from the supplied files.

Documentation

I don't believe that the TUF server is even documented anywhere, so I don't think documentation change is required, but please let me know if I'm wrong about that.

@bkabrda
Copy link
Contributor Author

bkabrda commented Aug 22, 2024

FWIW this is also related to #1001 - it addresses the part the TUF server to ensure it generates trusted_root.json (but also to keep the old-style targets for now).

noK8s = flag.Bool("no-k8s", false, "Run in a non-k8s environment")
keysSecretName = flag.String("keyssecret", "", "Name of the secret to create for generated keys (keys won't be stored unless this is provided)")
noK8s = flag.Bool("no-k8s", false, "Run in a non-k8s environment")
metadataTargets = flag.Bool("metadata-targets", true, "Serve individual targets with custom Sigstore metadata")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for adding this flag - Can we add some more wording about this being deprecated in the future in favor of only using the trust root?

pkg/repo/repo.go Outdated

func getTargetUsage(name string) string {
for _, knownTargetType := range []string{FulcioTarget, RekorTarget, CTFETarget, TSATarget} {
if strings.Contains(name, strings.ToLower(knownTargetType)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we strings.ToLower(name) as well?

pkg/repo/repo.go Outdated
// * CreateRepoOptions.AddMetadataTargets: true
// * CreateRepoOptions.AddTrustedRoot: false
func CreateRepo(ctx context.Context, files map[string][]byte) (tuf.LocalStore, string, error) {
return CreateRepoWithOptions(ctx, files, CreateRepoOptions{AddMetadataTargets: true, AddTrustedRoot: false})
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we set both to True by default?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My point here was to preserve backwards compatibility of what this function used to do before. If you think that is not an issue, I definitely can do that.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm good with making the change - it adds a file, so it shouldn't be a change that causes compatibility issues.

pkg/repo/repo.go Show resolved Hide resolved
pkg/repo/repo.go Show resolved Hide resolved
return CreateRepoWithOptions(ctx, files, CreateRepoOptions{AddMetadataTargets: true, AddTrustedRoot: false})
}

func constructTrustedRoot(targets []TargetWithMetadata) (*TargetWithMetadata, error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add a test for this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, I will do that.

@bkabrda
Copy link
Contributor Author

bkabrda commented Aug 26, 2024

@haydentherapper I think I addressed all points from your review, except the one about perhaps the one about some docs - I can address that if you can advise where to put the docs. Thanks!

@haydentherapper
Copy link
Contributor

Thanks, I left a comment about where we could put some docs!

@bkabrda
Copy link
Contributor Author

bkabrda commented Aug 27, 2024

@haydentherapper thanks for the pointer, done!

Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just a few nits

now := time.Now()

// we sort the targets by Name, this results in intermediary certs being sorted correctly,
// as long as there is less than 10, which is ok to assume for the purposes of this code
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add a note about this in documentation?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The README modification that I did says:

* `<target>_root.crt.pem`, e.g. `tsa_root.crt.pem`
* `<target>_intermediate_0.crt.pem`, e.g. `tsa_intermediate_0.crt.pem`
* `<target>_intermediate_1.crt.pem`, e.g. `tsa_intermediate_1.crt.pem`
* (more intermediates, but at most 10 intermediate certificates altogether)
* `<target>_leaf.crt.pem`, e.g. `tsa_leaf.crt.pem`

I don't see what's missing. Can you be more specific about what I should note?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I missed the comment about 10 intermediates, all good!

pkg/repo/repo.go Outdated Show resolved Hide resolved
pkg/repo/repo.go Outdated
certChain := []*x509.Certificate{}

// skip potential whitespace at end of file (8 is kinda random, but seems to work fine)
for len(rest) > 8 {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we use https://pkg.go.dev/strings#TrimSpace instead?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good, I'll do that.

Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just need to rebase

pkg/repo/repo.go Outdated
rest := bytes.TrimSpace(certChainPem)
certChain := []*x509.Certificate{}

// skip potential whitespace at end of file (8 is kinda random, but seems to work fine)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can remove outdated comment too

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, sorry, I forgot about that.

bkabrda and others added 6 commits August 29, 2024 07:47
Signed-off-by: Slavek Kabrda <[email protected]>
Co-authored-by: Hayden B <[email protected]>
Signed-off-by: Slavek Kabrda <[email protected]>
Signed-off-by: Slavek Kabrda <[email protected]>
Signed-off-by: Slavek Kabrda <[email protected]>
@bkabrda
Copy link
Contributor Author

bkabrda commented Aug 29, 2024

@haydentherapper rebased and addressed the last comment. Thank you for the great review!

@bobcallaway bobcallaway merged commit 16ae89a into sigstore:main Aug 29, 2024
22 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants