
Upgrade to TUF v2 client #3844

Draft pull request: wants to merge 1 commit into base: main

Commits on Sep 20, 2024

  1. Upgrade to TUF v2 client

    Swap the use of the go-tuf v0.7.0 client from sigstore/sigstore to the
    v2.0.0 client from sigstore/sigstore-go.
    
    This change strictly adds logic to attempt to use the sigstore-go TUF
    client if possible, and falls back to the old TUF client. The new client
    can only fetch targets by name, not by custom metadata. This means that,
    on its own, the new client cannot support renaming/rotating keys, so the
    old client must be used to support that case. A future change will add
    support for fetching or reading a trusted_root.json file, which has
    better support for rotating keys. Once this later change is introduced, using
    the old client can be deprecated.
    
    The logic in this change works as follows:
    
    - if a path of a key is provided by a SIGSTORE_ environment variable,
      read that file and use it (same as previously)
    - if new environment variables TUF_MIRROR and TUF_ROOT_JSON are set, use
      those to instantiate a TUF client that fetches keys from the given
      mirror
    - else, try reading the mirror URL from remote.json, which is set by
      `cosign initialize`, and try reading the root.json from the mirror's
      cache directory which may have been created by a previous TUF v2 run
    - if fetching keys using the new client with the given mirror did not
      work, fall back to the v1 client
    
    Also note that the use of the "status" field in the custom TUF metadata
    is removed, as it was only used for human-readable feedback.
    
    TODO:
    - e2e tests
    
    Signed-off-by: Colleen Murphy <[email protected]>
    cmurphy committed Sep 20, 2024
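The four-step resolution order and the v1 fallback described in the commit message, written out as an added Go example. This is illustration code, not the PR's own implementation or the sigstore-go API: the `Resolver` type, its `FetchV2`/`FetchV1`/`ReadFile` function fields and the `Resolve` method are assumed names, the two TUF clients are injected as functions so the chain can run offline, and remote.json is assumed to carry a single `"mirror"` field. The environment variable names (`SIGSTORE_*`, `TUF_MIRROR`, `TUF_ROOT_JSON`), the `cosign initialize` origin of remote.json and the cached root.json are taken from the message above.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
)

// KeySource records which step of the resolution chain produced the key.
type KeySource string

const (
	SourceEnvFile    KeySource = "key file named by SIGSTORE_ variable"
	SourceTUFv2Env   KeySource = "TUF v2 client via TUF_MIRROR/TUF_ROOT_JSON"
	SourceTUFv2Cache KeySource = "TUF v2 client via remote.json and cached root.json"
	SourceTUFv1      KeySource = "legacy TUF v1 client"
)

// Resolver bundles the inputs the commit message describes. File reads and the two
// TUF clients are injected as functions so the chain runs offline; in real code
// FetchV2 would wrap sigstore-go and FetchV1 the old sigstore/sigstore client.
// These function shapes are assumptions for this illustration, not either library's API.
type Resolver struct {
	Env        map[string]string // process environment as a map
	KeyEnvVar  string            // the SIGSTORE_ variable that may name a key file for this target
	RemoteJSON string            // remote.json written by `cosign initialize`
	CacheDir   string            // directory where an earlier TUF v2 run may have cached root.json
	ReadFile   func(path string) ([]byte, error)
	FetchV2    func(mirror string, rootJSON []byte, target string) ([]byte, error)
	FetchV1    func(target string) ([]byte, error)
}

// remoteConfig is the assumed shape of remote.json: a single "mirror" URL field.
type remoteConfig struct {
	Mirror string `json:"mirror"`
}

// Resolve walks the four steps in order: explicit key file, v2 client from env vars,
// v2 client from remote.json plus cached root, and finally the v1 client.
func (r Resolver) Resolve(target string) ([]byte, KeySource, error) {
	// 1. An explicit key path wins outright; a read error is surfaced, not masked by TUF.
	if path := r.Env[r.KeyEnvVar]; path != "" {
		key, err := r.ReadFile(path)
		if err != nil {
			return nil, SourceEnvFile, fmt.Errorf("reading %s: %w", path, err)
		}
		return key, SourceEnvFile, nil
	}

	// 2. Operator-supplied mirror and root: try the v2 client, fall through on any failure.
	if mirror, rootPath := r.Env["TUF_MIRROR"], r.Env["TUF_ROOT_JSON"]; mirror != "" && rootPath != "" {
		if root, err := r.ReadFile(rootPath); err == nil {
			if key, err := r.FetchV2(mirror, root, target); err == nil {
				return key, SourceTUFv2Env, nil
			}
		}
	} else if raw, err := r.ReadFile(r.RemoteJSON); err == nil {
		// 3. Mirror from `cosign initialize`, root from a previous v2 run's cache.
		var cfg remoteConfig
		if json.Unmarshal(raw, &cfg) == nil && cfg.Mirror != "" {
			if root, err := r.ReadFile(filepath.Join(r.CacheDir, "root.json")); err == nil {
				if key, err := r.FetchV2(cfg.Mirror, root, target); err == nil {
					return key, SourceTUFv2Cache, nil
				}
			}
		}
	}

	// 4. Everything else falls back to the v1 client, which still supports custom-metadata lookups.
	key, err := r.FetchV1(target)
	if err != nil {
		return nil, SourceTUFv1, fmt.Errorf("all key sources failed: %w", err)
	}
	return key, SourceTUFv1, nil
}

func main() {
	// Constructed in-memory "files": a remote.json and a cached root.json, no real network.
	files := map[string][]byte{
		"/tuf/remote.json": []byte(`{"mirror":"https://tuf.example.invalid"}`),
		"/tuf/root.json":   []byte(`{"signed":{"_type":"root"}}`),
	}
	r := Resolver{
		Env:        map[string]string{},
		KeyEnvVar:  "SIGSTORE_REKOR_PUBLIC_KEY",
		RemoteJSON: "/tuf/remote.json",
		CacheDir:   "/tuf",
		ReadFile: func(p string) ([]byte, error) {
			if b, ok := files[p]; ok {
				return b, nil
			}
			return nil, errors.New("no such file")
		},
		// Simulate the case the message calls out: the v2 client cannot find the target by name.
		FetchV2: func(string, []byte, string) ([]byte, error) { return nil, errors.New("target not found by name") },
		FetchV1: func(target string) ([]byte, error) { return []byte("constructed-" + target), nil },
	}
	key, src, err := r.Resolve("rekor.pub")
	fmt.Printf("key=%q source=%q err=%v\n", key, src, err)
}
```

The point worth checking in a review of this shape of logic is step 1: an explicit key file is trusted as given and its read errors are returned, while every TUF v2 failure is swallowed and retried through v1. Logging which `KeySource` actually served a verification key makes the silent fallback visible, so a mirror that stops serving v2 targets shows up as a change in source rather than as a quiet downgrade.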