Role | required # of signatures | Signers |
---|---|---|
root | 2 | @jku, @kommendorkapten, @joshuagl, @mnm678 |
timestamp | 1 | online key |
snapshot | 1 | online key |
targets | 1 | @jku, @kommendorkapten, @joshuagl, @mnm678 |
registry.npmjs.org | 1 | @jku |
```python
import os
from getpass import getpass

from securesystemslib.signer import Signer
from tuf.api.metadata import Metadata, Key

# keyids of the two root/targets signers used in this script
JOSHUA_KEYID = "b78c9e4ff9048a1d9876a20f97fa1b3cb03223a0c520c7de730cfa9f5c7b77e5"
JKU_KEYID = "762cb22caca65de5e9b7b6baecb84ca989d337280ce6914b6440aea95769ad93"

# point PyKCS11 at the YubiKey PKCS#11 module so the HSM signer can find it
os.environ["PYKCS11LIB"] = "/usr/lib/x86_64-linux-gnu/libykcs11.so"
```
- Support arbitrary target file storage locations
  - this is needed eventually: we can't expect all repos to store target files in git
  - requires signer and repo to agree on the target file storage location
  - default can still be the "targets/" directory in the git tree
- Simple UI, "easy to review" target file content
```python
# Test setup script for SoftHSM
#
# I run this with
# PYKCS11LIB=/usr/lib/softhsm/libsofthsm2.so SOFTHSM2_CONF=/home/jkukkonen/src/playground-e2e-signer/softhsm/softhsm2.conf python softhsm_setup.py
#
# The softhsm2.conf file contains
# directories.tokendir = /home/jkukkonen/src/playground-e2e-signer/softhsm/tokendir/
from asn1crypto.keys import ECDomainParameters, NamedCurve
from PyKCS11 import PyKCS11, Session
```
```text
KEY {'keytype': 'sigstore-oidc', 'scheme': 'Fulcio', 'keyval': {'issuer': 'https://token.actions.githubusercontent.com', 'identity': 'https://github.com/jku/token-test/.github/workflows/test-sign.yml@refs/heads/main'}}
SIG {'keyid': 'abcdef', 'sig': '30650231009541a940e97bb8327cb3ce2b8a498bfd7843b33539eb56c26c0e2feb1bf65e208f076ff07f149f9ecb80bd8761d29c3e02305b9423fa6108a5c777a5f6a59bf800c69821eb57fe30eb8a6a9a9658bfdcd5a8c45097256d1b5c087f2c93ea490258b5', 'bundle': {'mediaType': 'application/vnd.dev.sigstore.bundle+json;version=0.1', 'verificationMaterial': {'x509CertificateChain': {'certificates': [{'rawBytes': 'MIIDsjCCAzmgAwIBAgIUYaemdLlUvi2BuHuWiuq8c55QOFkwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjMwMzEwMTM0MTM1WhcNMjMwMzEwMTM1MTM1WjAAMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEJVzfjIxDbzE/G02q8CsN5XlDXQFSJXnZGw6TeVdAtAm1JbL6pIEIx/y2fi2hudNVLN/X2HPejsCm8vqWiyMnk36/fn8pjtbaFvsCVuDJu5jk3gnH8XLsAn2Gb/N0/hyRo4ICOzCCAjcwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwM
```
The state of the repository-playground git-based repo is that it "technically" mostly works:
- apart from the signing event triggering (see below), the core big-ticket features are there
- the promised useful output is not there yet; this applies to both the signing-event GitHub issue comments and the signer tool itself
- many of the planned security improvements are not there either
- unsure if there are gaps for the sigstore-like use case
- expecting there to be a bunch of bugs
```python
class Succinct:
    def __init__(self, name_prefix: str, bin_bits: int):
        self.name_prefix = name_prefix
        # number of bins
        bin_count = 2**bin_bits
        # length of string prefix to get from targetpath hash
```
```console
(venv) jku@luna:~$ pip index --index-url https://test.pypi.org/simple/ versions tuf
WARNING: pip index is currently an experimental command. It may be removed/changed in a future release without prior warning.
tuf (1.0.0)
Available versions: 1.0.0, 0.20.0, 0.19.0, 0.16.0, 0.9.9
(venv) jku@luna:~$ pip install --index-url https://test.pypi.org/simple/ tuf
Looking in indexes: https://test.pypi.org/simple/
Collecting tuf
  Downloading https://test-files.pythonhosted.org/packages/47/ad/91f0b241c54bc8415c2b9102bdc778a78a10475a0602f84a7656d472aeb6/tuf-1.0.0-py3-none-any.whl (38 kB)
```
This issue is closed as it was filed against (what is now known as) the legacy codebase: the issue seems to not be relevant anymore. Please re-open or file a new issue if you feel that the issue is relevant to current python-tuf.

Current source code (and the upcoming 1.0 release) only contains the modern components: a low-level Metadata API (`tuf.api`) and `tuf.ngclient`, which implements the client workflow. Legacy components (`tuf.client`, `tuf.repository_tool`, `tuf.repository_lib`, as well as the repo and client scripts) are no longer included. See the announcement for more information and the API reference for details about the current API.