Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
cosign -> sigstore diff for https://github.com/sigstore/sigstore/pull/435
diff ../cosign/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go pkg/fulcioroots/fulcioroots.go
2c2
< // Copyright 2021 The Sigstore Authors.
---
> // Copyright 2022 The Sigstore Authors.
24d23
< "os"
27d25
< "github.com/sigstore/cosign/pkg/cosign/tuf"
28a27
> "github.com/sigstore/sigstore/pkg/tuf"
61,64c60
< const (
< altRoot = "SIGSTORE_ROOT_FILE"
< )
<
---
> // Get returns the Fulcio root certificates.
74a71
> // GetIntermediates returns the Fulcio intermediate certificates.
86,95c83,99
< var rootPool *x509.CertPool
< var intermediatePool *x509.CertPool
<
< rootEnv := os.Getenv(altRoot)
< if rootEnv != "" {
< raw, err := os.ReadFile(rootEnv)
< if err != nil {
< return nil, nil, fmt.Errorf("error reading root PEM file: %w", err)
< }
< certs, err := cryptoutils.UnmarshalCertificatesFromPEM(raw)
---
> tufClient, err := tuf.NewFromEnv(context.Background())
> if err != nil {
> return nil, nil, fmt.Errorf("initializing tuf: %w", err)
> }
> // Retrieve from the embedded or cached TUF root. If expired, a network
> // call is made to update the root.
> targets, err := tufClient.GetTargetsByMeta(tuf.Fulcio, []string{fulcioTargetStr, fulcioV1TargetStr})
> if err != nil {
> return nil, nil, fmt.Errorf("error getting targets: %w", err)
> }
> if len(targets) == 0 {
> return nil, nil, errors.New("none of the Fulcio roots have been found")
> }
> rootPool := x509.NewCertPool()
> intermediatePool := x509.NewCertPool()
> for _, t := range targets {
> certs, err := cryptoutils.UnmarshalCertificatesFromPEM(t.Target)
102,104d105
< if rootPool == nil {
< rootPool = x509.NewCertPool()
< }
107,109d107
< if intermediatePool == nil {
< intermediatePool = x509.NewCertPool()
< }
113,150d110
< } else {
< tufClient, err := tuf.NewFromEnv(context.Background())
< if err != nil {
< return nil, nil, fmt.Errorf("initializing tuf: %w", err)
< }
< // Retrieve from the embedded or cached TUF root. If expired, a network
< // call is made to update the root.
< targets, err := tufClient.GetTargetsByMeta(tuf.Fulcio, []string{fulcioTargetStr, fulcioV1TargetStr})
< if err != nil {
< return nil, nil, fmt.Errorf("error getting targets: %w", err)
< }
< if len(targets) == 0 {
< return nil, nil, errors.New("none of the Fulcio roots have been found")
< }
< for _, t := range targets {
< certs, err := cryptoutils.UnmarshalCertificatesFromPEM(t.Target)
< if err != nil {
< return nil, nil, fmt.Errorf("error unmarshalling certificates: %w", err)
< }
< for _, cert := range certs {
< // root certificates are self-signed
< if bytes.Equal(cert.RawSubject, cert.RawIssuer) {
< if rootPool == nil {
< rootPool = x509.NewCertPool()
< }
< rootPool.AddCert(cert)
< } else {
< if intermediatePool == nil {
< intermediatePool = x509.NewCertPool()
< }
< intermediatePool.AddCert(cert)
< }
< }
< }
< if intermediatePool == nil {
< intermediatePool = x509.NewCertPool()
< }
< intermediatePool.AppendCertsFromPEM([]byte(fulcioIntermediateV1))
151a112
> intermediatePool.AppendCertsFromPEM([]byte(fulcioIntermediateV1))
Only in ../cosign/cmd/cosign/cli/fulcio/fulcioroots/: fulcioroots_test.go
diff ../cosign/pkg/cosign/tuf/client.go pkg/tuf/client.go
2c2
< // Copyright 2021 The Sigstore Authors.
---
> // Copyright 2022 The Sigstore Authors.
44a45
> // DefaultRemoteRoot is the default remote TUF root location.
46,47c47,52
< TufRootEnv = "TUF_ROOT"
< SigstoreNoCache = "SIGSTORE_NO_CACHE"
---
>
> // TufRootEnv is the name of the environment variable that locates an alternate local TUF root location.
> TufRootEnv = "TUF_ROOT"
>
> // SigstoreNoCache is the name of the environment variable that, if set, configures this code to only store root data in memory.
> SigstoreNoCache = "SIGSTORE_NO_CACHE"
58,60c63,64
< var GetRemoteRoot = func() string {
< return DefaultRemoteRoot
< }
---
> // getRemoteRoot is a var for testing.
> var getRemoteRoot = func() string { return DefaultRemoteRoot }
301c305
< mirror := GetRemoteRoot()
---
> mirror := getRemoteRoot()
diff ../cosign/pkg/cosign/tuf/client_test.go pkg/tuf/client_test.go
2c2
< // Copyright 2021 The Sigstore Authors.
---
> // Copyright 2022 The Sigstore Authors.
368c368
< origDefaultRemote := GetRemoteRoot
---
> origDefaultRemote := getRemoteRoot
386c386
< GetRemoteRoot = origDefaultRemote
---
> getRemoteRoot = origDefaultRemote
404c404
< GetRemoteRoot = func() string { return s.URL }
---
> getRemoteRoot = func() string { return s.URL }
diff ../cosign/pkg/cosign/tuf/policy.go pkg/tuf/policy.go
2c2
< // Copyright 2021 The Sigstore Authors.
---
> // Copyright 2022 The Sigstore Authors.
80,84d79
< func DefaultExpires(role string) time.Time {
< // Default expires in 3 months
< return time.Now().AddDate(0, 3, 0).UTC().Round(time.Second)
< }
<
90c85
< Expires: DefaultExpires("root"),
---
> Expires: time.Now().AddDate(0, 3, 0).UTC().Round(time.Second), // Default expires in 3 months
140c135
< fulcioKeyVal, err := GetFulcioKeyVal(key)
---
> fulcioKeyVal, err := getFulcioKeyVal(key)
147c142
< fulcioRootKeyVal, err := GetFulcioKeyVal(rootKey)
---
> fulcioRootKeyVal, err := getFulcioKeyVal(rootKey)
diff ../cosign/pkg/cosign/tuf/policy_test.go pkg/tuf/policy_test.go
2c2
< // Copyright 2021 The Sigstore Authors.
---
> // Copyright 2022 The Sigstore Authors.
Common subdirectories: ../cosign/pkg/cosign/tuf/repository and pkg/tuf/repository
diff ../cosign/pkg/cosign/tuf/signer.go pkg/tuf/signer.go
2c2
< // Copyright 2021 The Sigstore Authors.
---
> // Copyright 2022 The Sigstore Authors.
23,24c23,24
< KeyTypeFulcio = "sigstore-oidc"
< KeySchemeFulcio = "https://fulcio.sigstore.dev"
---
> keyTypeFulcio = "sigstore-oidc"
> keySchemeFulcio = "https://fulcio.sigstore.dev"
28c28
< KeyAlgorithms = []string{"sha256", "sha512"}
---
> keyAlgorithms = []string{"sha256", "sha512"}
31c31
< type FulcioKeyVal struct {
---
> type fulcioKeyVal struct {
37c37
< keyValBytes, _ := json.Marshal(FulcioKeyVal{Identity: email, Issuer: issuer})
---
> keyValBytes, _ := json.Marshal(fulcioKeyVal{Identity: email, Issuer: issuer})
39,41c39,41
< Type: KeyTypeFulcio,
< Scheme: KeySchemeFulcio,
< Algorithms: KeyAlgorithms,
---
> Type: keyTypeFulcio,
> Scheme: keySchemeFulcio,
> Algorithms: keyAlgorithms,
46,47c46,47
< func GetFulcioKeyVal(key *Key) (*FulcioKeyVal, error) {
< fulcioKeyVal := &FulcioKeyVal{}
---
> func getFulcioKeyVal(key *Key) (*fulcioKeyVal, error) {
> fulcioKeyVal := &fulcioKeyVal{}
diff ../cosign/pkg/cosign/tuf/testutils.go pkg/tuf/testutils.go
2c2
< // Copyright 2021 The Sigstore Authors.
---
> // Copyright 2022 The Sigstore Authors.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment