setup-tuf.go
package main
import (
	"encoding/json"
	"errors"
	"flag"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"

	"github.com/theupdateframework/go-tuf"
)
/*
This script creates a TUF repository under --dir and adds targets from the
--targets directory. That directory should contain every target needed for
the TUF root, named fulcio_v1.crt.pem, fulcio_intermediate_v1.crt.pem,
ctfe.pub and rekor.pub. If there is no intermediate Fulcio certificate, simply
omit that file from the target directory; targets that are not present are
skipped. Note that the store is opened with a nil passphrase function
(tuf.FileSystemStore(*dir, nil)), so the generated private keys, root included,
appear to be written under --dir without encryption: treat the result as a
test repository unless the keys are moved somewhere safe afterwards.
Usage:
$ go run setup-tuf.go --targets targets --dir test
Repository initialized
Created target file at test/staged/targets/fulcio_v1.crt.pem
Created target file at test/staged/targets/fulcio_intermediate_v1.crt.pem
Created target file at test/staged/targets/ctfe.pub
Created target file at test/staged/targets/rekor.pub
Added/staged targets:
* fulcio_v1.crt.pem
* fulcio_intermediate_v1.crt.pem
* ctfe.pub
* rekor.pub
Staged snapshot.json metadata with expiration date: 2022-01-17 16:09:22 +0000 UTC
Staged timestamp.json metadata with expiration date: 2022-01-11 16:09:22 +0000 UTC
Committed successfully
*/
// targets lists the file names, relative to --targets, that the script looks
// for and stages. They are copied and registered in this order; each name
// also determines the Sigstore "usage" label main assigns (substring match on
// "fulcio", "ctfe" or "rekor").
var targets = []string{
	"fulcio_v1.crt.pem",              // usage: Fulcio
	"fulcio_intermediate_v1.crt.pem", // usage: Fulcio (optional, may be absent)
	"ctfe.pub",                       // usage: CTFE
	"rekor.pub",                      // usage: Rekor
}
// Custom metadata attached to every staged target. Marshalled it has the shape
// {"sigstore":{"usage":"...","status":"..."}} and is handed to AddTarget as the
// target's custom field.
type (
	// customMetadata carries the Sigstore usage label (Fulcio, CTFE, Rekor)
	// and a status string; main always sets the status to "Active".
	customMetadata struct {
		Usage  string `json:"usage"`
		Status string `json:"status"`
	}

	// sigstoreCustomMetadata namespaces customMetadata under the "sigstore"
	// key.
	sigstoreCustomMetadata struct {
		Sigstore customMetadata `json:"sigstore"`
	}
)
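// main builds a TUF repository under --dir: it generates fresh root, targets,
// snapshot and timestamp keys, copies every file listed in targets that exists
// under --targets into the staging area, registers each one with Sigstore
// custom metadata, and commits the signed metadata.
//
// This is a one-shot setup tool, so every failure after flag parsing panics.
func main() {
	// --targets: directory holding the target files to publish.
	var targetDir = flag.String("targets", "", "directory containing targets")
	// --dir: directory the repository (and its keys) are written to.
	var dir = flag.String("dir", "", "directory to write repository")
	flag.Parse()
	if *dir == "" || *targetDir == "" {
		// Usage error: print help and exit rather than dumping a panic trace.
		flag.Usage()
		os.Exit(2)
	}

	// Filesystem store rooted at --dir. The nil passphrase function means the
	// private keys generated below, root included, are stored under --dir
	// without encryption. That is acceptable for a test root; for a real root,
	// generate and keep the root key offline and supply a passphrase function.
	store := tuf.FileSystemStore(*dir, nil)
	r, err := tuf.NewRepoIndent(store, "", " ")
	if err != nil {
		panic(err)
	}
	// Initialize the repository metadata (the argument is go-tuf's
	// consistent-snapshot switch, kept off as before).
	if err := r.Init(false); err != nil {
		panic(err)
	}
	// Generate a signing key for each top-level role, root included.
	for _, role := range []string{"root", "snapshot", "timestamp", "targets"} {
		if _, err := r.GenKey(role); err != nil {
			panic(err)
		}
	}

	// Copy each target into the staged repository and register it with the
	// targets role. A target absent from --targets (e.g. the optional Fulcio
	// intermediate) is skipped with a notice; any other I/O error is fatal,
	// unlike before where every open error was silently skipped.
	stagedDir := filepath.Join(*dir, "staged", "targets")
	if err := os.MkdirAll(stagedDir, 0755); err != nil {
		panic(err)
	}
	for _, target := range targets {
		src := filepath.Join(*targetDir, target)
		base := filepath.Base(target)
		dst := filepath.Join(stagedDir, base)
		if err := copyTarget(src, dst); err != nil {
			if errors.Is(err, os.ErrNotExist) {
				fmt.Fprintln(os.Stderr, "Skipping missing target", src)
				continue
			}
			panic(err)
		}
		fmt.Fprintln(os.Stderr, "Created target file at ", dst)

		usage, err := usageFor(target)
		if err != nil {
			panic(err)
		}
		custom, err := json.Marshal(&sigstoreCustomMetadata{
			Sigstore: customMetadata{Usage: usage, Status: "Active"},
		})
		if err != nil {
			panic(err)
		}
		// Add the target and sign the targets metadata with the targets key.
		if err := r.AddTarget(base, custom); err != nil {
			panic(err)
		}
	}

	// Snapshot the targets metadata, then timestamp the snapshot.
	if err := r.Snapshot(); err != nil {
		panic(err)
	}
	if err := r.Timestamp(); err != nil {
		panic(err)
	}
	// Publish all TUF metadata, moving from staging to the final repository.
	if err := r.Commit(); err != nil {
		panic(err)
	}
}

// copyTarget copies the file at src to dst, creating dst or truncating it if
// it already exists. Truncation matters: the previous O_RDWR|O_CREATE open
// would have left stale trailing bytes from an older, larger dst in place,
// and AddTarget would then hash and sign that corrupted file as-is.
// A missing src surfaces as an error satisfying errors.Is(err, os.ErrNotExist).
// Both files are closed before returning, so callers may loop freely.
func copyTarget(src, dst string) (err error) {
	from, err := os.Open(src)
	if err != nil {
		return err
	}
	defer from.Close()

	to, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0666)
	if err != nil {
		return err
	}
	defer func() {
		// A failed close can mean unflushed data; surface it if nothing
		// else went wrong.
		if cerr := to.Close(); err == nil {
			err = cerr
		}
	}()

	_, err = io.Copy(to, from)
	return err
}

// usageFor maps a target file name to its Sigstore "usage" label by substring,
// in the same precedence as before: "fulcio", then "ctfe", then "rekor".
// Any other name is an error so an unexpected file never gets a bogus label.
func usageFor(name string) (string, error) {
	switch {
	case strings.Contains(name, "fulcio"):
		return "Fulcio", nil
	case strings.Contains(name, "ctfe"):
		return "CTFE", nil
	case strings.Contains(name, "rekor"):
		return "Rekor", nil
	}
	return "", fmt.Errorf("unknown target %q, can't set usage", name)
}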
module byo-tuf
go 1.17
require github.com/theupdateframework/go-tuf v0.0.0-20220107163458-5573c9c8694d
require (
github.com/secure-systems-lab/go-securesystemslib v0.3.0 // indirect
golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871 // indirect
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
)
github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
github.com/flynn/go-docopt v0.0.0-20140912013429-f6dd2ebbb31e/go.mod h1:HyVoz1Mz5Co8TFO8EupIdlcpwShBmY98dkT2xeHkvEI=
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/secure-systems-lab/go-securesystemslib v0.3.0 h1:PH0mUKuUSXVEVDbrKMgGPcrqrnKA8gJii614+EKKi7g=
github.com/secure-systems-lab/go-securesystemslib v0.3.0/go.mod h1:o8hhjkbNl2gOamKUA/eNW3xUrntHT9L4W89W1nfj43U=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpPAyBWyWuQ=
github.com/theupdateframework/go-tuf v0.0.0-20220107163458-5573c9c8694d h1:wVP+vC+Q4vYBQWuMOwjcGoRj0RBVX0VSlW2bGX0Qx3s=
github.com/theupdateframework/go-tuf v0.0.0-20220107163458-5573c9c8694d/go.mod h1:I0Gs4Tev4hYQ5wiNqN8VJ7qS0gw7KOZNQuckC624RmE=
golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871 h1:/pEO3GD/ABYAjuakUS6xSEmmlyVS4kxBNkeA9tLJiTI=
golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:SrN+KX8Art/Sf4HNj6Zcz06G7VEz+7w9tdXTPOZ7+l4=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=