Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade to latest Sigstore TUF client #3548

Open
haydentherapper opened this issue Feb 20, 2024 · 2 comments · May be fixed by #3844
Open

Upgrade to latest Sigstore TUF client #3548

haydentherapper opened this issue Feb 20, 2024 · 2 comments · May be fixed by #3844
Assignees
Labels
enhancement New feature or request pre-theseus

Comments

@haydentherapper
Copy link
Contributor

haydentherapper commented Feb 20, 2024

Description

Tracking issue for the using the new Sigstore TUF client, https://github.com/sigstore/sigstore-go/blob/main/pkg/tuf/client.go. This client adds support for using the new trusted root metadata and improves caching logic.

This removes support for the per-target custom metadata, ie https://github.com/sigstore/scaffolding/blob/b0d09de38f7ea4ee5939a52cebadbc7127d4e127/pkg/repo/repo.go#L44-L48, which is used for private deployments. Given this will be a breaking change in Cosign, we can either switch to this client as part of Cosign 3.0, announce deprecation and wait X months, or support both TUF clients via a flag (temporarily, we would still announce deprecation of the previous TUF client).

cc @codysoyland @kommendorkapten

Ref: sigstore/scaffolding#1001

@haydentherapper haydentherapper added the enhancement New feature or request label Feb 20, 2024
@haydentherapper
Copy link
Contributor Author

haydentherapper commented Feb 29, 2024

A few implementation notes:

  • We likely can support both TUF clients concurrently without a flag. We may be able to use the same cache folder too, needs confirmation.
  • We'll need to modify how the individual service targets are fetched, as the API differs between the previous and new sigstore TUF clients
  • We should update the e2e tests to generate the trusted root file and serve a local TUF repository
  • To test, we simply need to initialize against the production TUF repo, which is currently distributing a trusted root file

@haydentherapper
Copy link
Contributor Author

Another implementation note, as per sigstore/sigstore-go#38, we can now initialize multiple clients for different repositories each with its own local cache, which covers the use case of verifying against multiple trusted roots (eg the public instance + a private instance). We can add this around the same time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request pre-theseus
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants