Update TUF client to support options and add LiveTrustedRoot (#41)

* Update TUF client to support options and add LiveTrustedRoot

Signed-off-by: Cody Soyland <[email protected]>

* Make sure DefaultOptions never fails

Signed-off-by: Fredrik Skogman <[email protected]>

* avoid empty strings for arguments, use named attributes

Signed-off-by: Fredrik Skogman <[email protected]>

* Ignore emacs backup files

Signed-off-by: Fredrik Skogman <[email protected]>

* Created a bascig config file for the tuf client

Signed-off-by: Fredrik Skogman <[email protected]>

* Style fixes

Signed-off-by: Fredrik Skogman <[email protected]>

* Made consistent snapshot configurable

Signed-off-by: Fredrik Skogman <[email protected]>

* Clarified the use of unsafe local mode

Signed-off-by: Fredrik Skogman <[email protected]>

* Updated to go-tuf/v2@master

Signed-off-by: Fredrik Skogman <[email protected]>

* Resolved merge conflict

Signed-off-by: Fredrik Skogman <[email protected]>

* Fixed errors from linter

Signed-off-by: Fredrik Skogman <[email protected]>

* Use short variable declaration syntax

Co-authored-by: Hayden B <[email protected]>
Signed-off-by: Cody Soyland <[email protected]>

* Remove old unused embedded root

Signed-off-by: Cody Soyland <[email protected]>

* Add func to fetch TUF root with given options

Signed-off-by: Cody Soyland <[email protected]>

* Add chainable functional options to Options struct

Signed-off-by: Cody Soyland <[email protected]>

* Update CodeQL action

Signed-off-by: Cody Soyland <[email protected]>

* Setup Go version in CodeQL workflwo

Signed-off-by: Cody Soyland <[email protected]>

* Don't specify minor go version

Signed-off-by: Fredrik Skogman <[email protected]>

* Added a simple test for an offline cliant

Signed-off-by: Fredrik Skogman <[email protected]>

* Add TUF repo creation and basic test to create a client

Signed-off-by: Cody Soyland <[email protected]>

* Made the tuf root file configurable via the command line

Signed-off-by: Fredrik Skogman <[email protected]>

* Use consts from go-tuf

Signed-off-by: Cody Soyland <[email protected]>

* Add test to fetch target

Signed-off-by: Cody Soyland <[email protected]>

* Breakout publish

Signed-off-by: Cody Soyland <[email protected]>

* Add target support and refresh test

Signed-off-by: Cody Soyland <[email protected]>

* Add TUF caching tests

Signed-off-by: Cody Soyland <[email protected]>

* Remove unreachable code, add more tests

It is impossible to reach the timestamp checks in loadMetadata, as the preceeding code to load metadata and verify it will force an online refresh anyway, so at this point, the cache has already been updated.

Setting RemoteTargetsURL is not necessary as go-tuf will set that correctly by default.

Signed-off-by: Cody Soyland <[email protected]>

* Updated go-tuf

Signed-off-by: Fredrik Skogman <[email protected]>

* Updated to latest go-tuf

Signed-off-by: Fredrik Skogman <[email protected]>

* Clarified that the updates is replaced, not the actual tuf client

Signed-off-by: Fredrik Skogman <[email protected]>

* Updated to new error type (pointer)

Signed-off-by: Fredrik Skogman <[email protected]>

* Use 0 days for default CacheValidity

Signed-off-by: Cody Soyland <[email protected]>

* Clarify CacheValidity option and add NoCache/MaxCache consts

Signed-off-by: Cody Soyland <[email protected]>

---------

Signed-off-by: Cody Soyland <[email protected]>
Signed-off-by: Fredrik Skogman <[email protected]>
Co-authored-by: Fredrik Skogman <[email protected]>
Co-authored-by: Hayden B <[email protected]>

.github/workflows/codeql.yml

@@ -40,14 +40,19 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
+    - name: Setup Go
+      uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      with:
+        go-version-file: ./go.mod
+
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 # v2.16.1
+      uses: github/codeql-action/init@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 # v2.16.1
+      uses: github/codeql-action/autobuild@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 # v2.16.1
+      uses: github/codeql-action/analyze@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2

.gitignore

@@ -1,5 +1,6 @@
 .idea
 .DS_Store
+*~
 /sigstore-go
 /tufdata
 /conformance

cmd/conformance/main.go

@@ -57,10 +57,16 @@ func getTrustedRoot() root.TrustedMaterial {
 		if !ok {
 			log.Fatal("unable to get path")
 		}
-
-		tufDir := path.Join(path.Dir(filename), "tufdata")
-
-		trustedRootJSON, err = tuf.GetTrustedrootJSON("tuf-repo-cdn.sigstore.dev", tufDir)
+		opts := tuf.DefaultOptions()
+		opts.CachePath = path.Join(path.Dir(filename), "tufdata")
+		client, err := tuf.New(opts)
+		if err != nil {
+			log.Fatal(err)
+		}
+		trustedRootJSON, err = client.GetTarget("trusted_root.json")
+		if err != nil {
+			log.Fatal(err)
+		}
 	}
 
 	if err != nil {

cmd/sigstore-go/main.go

@@ -47,7 +47,7 @@ var onlineTlog *bool
 var trustedPublicKey *string
 var trustedrootJSONpath *string
 var tufRootURL *string
-var tufDirectory *string
+var tufTrustedRoot *string
 
 func init() {
 	artifact = flag.String("artifact", "", "Path to artifact to verify")
@@ -63,7 +63,7 @@ func init() {
 	trustedPublicKey = flag.String("publicKey", "", "Path to trusted public key")
 	trustedrootJSONpath = flag.String("trustedrootJSONpath", "examples/trusted-root-public-good.json", "Path to trustedroot JSON file")
 	tufRootURL = flag.String("tufRootURL", "", "URL of TUF root containing trusted root JSON file")
-	tufDirectory = flag.String("tufDirectory", "tufdata", "Directory to store TUF metadata")
+	tufTrustedRoot = flag.String("tufTrustedRoot", "", "Path to the trusted TUF root.json to bootstrap trust in the remote TUF repository")
 	flag.Parse()
 	if flag.NArg() == 0 {
 		usage()
@@ -120,20 +120,41 @@ func run() error {
 	identityPolicies = append(identityPolicies, verify.WithCertificateIdentity(certID))
 
 	var trustedMaterial = make(root.TrustedMaterialCollection, 0)
-	var trustedrootJSON []byte
+	var trustedRootJSON []byte
 
 	if *tufRootURL != "" {
-		trustedrootJSON, err = tuf.GetTrustedrootJSON(*tufRootURL, *tufDirectory)
+		opts := tuf.DefaultOptions()
+		opts.RepositoryBaseURL = *tufRootURL
+
+		// Load the tuf root.json if provided, if not use public good
+		if *tufTrustedRoot != "" {
+			rb, err := os.ReadFile(*tufTrustedRoot)
+			if err != nil {
+				return fmt.Errorf("failed to read %s: %w",
+					*tufTrustedRoot, err)
+			}
+			opts.Root = rb
+		}
+
+		client, err := tuf.New(opts)
+		if err != nil {
+			return err
+		}
+		trustedRootJSON, err = client.GetTarget("trusted_root.json")
+		if err != nil {
+			return err
+		}
 	} else if *trustedrootJSONpath != "" {
-		trustedrootJSON, err = os.ReadFile(*trustedrootJSONpath)
-	}
-	if err != nil {
-		return err
+		trustedRootJSON, err = os.ReadFile(*trustedrootJSONpath)
+		if err != nil {
+			return fmt.Errorf("failed to read %s: %w",
+				*trustedrootJSONpath, err)
+		}
 	}
 
-	if len(trustedrootJSON) > 0 {
+	if len(trustedRootJSON) > 0 {
 		var trustedRoot *root.TrustedRoot
-		trustedRoot, err = root.NewTrustedRootFromJSON(trustedrootJSON)
+		trustedRoot, err = root.NewTrustedRootFromJSON(trustedRootJSON)
 		if err != nil {
 			return err
 		}

examples/oci-image-verification/go.mod

@@ -2,6 +2,8 @@ module github.com/sigstore/sigstore-go/examples/oci-image-verification
 
 go 1.21
 
+replace github.com/sigstore/sigstore-go => ../../
+
 require (
 	github.com/google/go-containerregistry v0.19.0
 	github.com/sigstore/protobuf-specs v0.2.1
@@ -22,18 +24,18 @@ require (
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
-	github.com/go-logr/logr v1.3.0 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.22.0 // indirect
 	github.com/go-openapi/errors v0.21.0 // indirect
 	github.com/go-openapi/jsonpointer v0.20.2 // indirect
 	github.com/go-openapi/jsonreference v0.20.4 // indirect
 	github.com/go-openapi/loads v0.21.5 // indirect
-	github.com/go-openapi/runtime v0.26.2 // indirect
-	github.com/go-openapi/spec v0.20.13 // indirect
+	github.com/go-openapi/runtime v0.27.1 // indirect
+	github.com/go-openapi/spec v0.20.14 // indirect
 	github.com/go-openapi/strfmt v0.22.0 // indirect
-	github.com/go-openapi/swag v0.22.7 // indirect
-	github.com/go-openapi/validate v0.22.3 // indirect
+	github.com/go-openapi/swag v0.22.9 // indirect
+	github.com/go-openapi/validate v0.22.6 // indirect
 	github.com/google/certificate-transparency-go v1.1.7 // indirect
 	github.com/google/uuid v1.5.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
@@ -60,7 +62,7 @@ require (
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
-	github.com/sigstore/rekor v1.3.4 // indirect
+	github.com/sigstore/rekor v1.3.5 // indirect
 	github.com/sigstore/timestamp-authority v1.2.1 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
@@ -71,28 +73,29 @@ require (
 	github.com/spf13/viper v1.18.2 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/theupdateframework/go-tuf v0.7.0 // indirect
+	github.com/theupdateframework/go-tuf/v2 v2.0.0-20240207172116-f5cf71290141 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/transparency-dev/merkle v0.0.2 // indirect
 	github.com/vbatts/tar-split v0.11.3 // indirect
 	go.mongodb.org/mongo-driver v1.13.1 // indirect
-	go.opentelemetry.io/otel v1.21.0 // indirect
-	go.opentelemetry.io/otel/metric v1.21.0 // indirect
-	go.opentelemetry.io/otel/trace v1.21.0 // indirect
+	go.opentelemetry.io/otel v1.22.0 // indirect
+	go.opentelemetry.io/otel/metric v1.22.0 // indirect
+	go.opentelemetry.io/otel/trace v1.22.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.26.0 // indirect
 	golang.org/x/crypto v0.18.0 // indirect
 	golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
 	golang.org/x/mod v0.14.0 // indirect
-	golang.org/x/net v0.19.0 // indirect
-	golang.org/x/sync v0.5.0 // indirect
+	golang.org/x/net v0.20.0 // indirect
+	golang.org/x/sync v0.6.0 // indirect
 	golang.org/x/sys v0.16.0 // indirect
 	golang.org/x/term v0.16.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
-	google.golang.org/genproto v0.0.0-20231120223509-83a465c0220f // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20231120223509-83a465c0220f // indirect
+	google.golang.org/genproto v0.0.0-20240116215550-a9fa1716bcac // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240122161410-6c6643bf1457 // indirect
 	google.golang.org/protobuf v1.32.0 // indirect
 	gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/klog/v2 v2.100.1 // indirect
+	k8s.io/klog/v2 v2.120.0 // indirect
 )