fix: fix fetching updated targets from TUF root (#1921)

* fix: fix fetching updated targets from TUF root Signed-off-by: Asra Ali <asraa@google.com> add comment Signed-off-by: Asra Ali <asraa@google.com> update Signed-off-by: Asra Ali <asraa@google.com> update Signed-off-by: Asra Ali <asraa@google.com> possible fix windows Signed-off-by: Asra Ali <asraa@google.com> lint Signed-off-by: Asra Ali <asraa@google.com> fix windows maybe Signed-off-by: Asra Ali <asraa@google.com> fix close Signed-off-by: Asra Ali <asraa@google.com> * update zack comments Signed-off-by: Asra Ali <asraa@google.com> update fix Signed-off-by: Asra Ali <asraa@google.com> update and add some debug Signed-off-by: Asra Ali <asraa@google.com> add debug Signed-off-by: Asra Ali <asraa@google.com> no cache Signed-off-by: Asra Ali <asraa@google.com> remove debug Signed-off-by: Asra Ali <asraa@google.com> * try haydens comments Signed-off-by: Asra Ali <asraa@google.com> * Use Rekor API for pubkeys before TUF if so specified. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Address PR feedback, bump golangci-lint from 1.46.0 to 1.46.2 Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Add comments for the env variables. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Use path instead of filepath, basically revert to what it was before. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * ho hum, really just use the path. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * When interacting with fs do not use OS specific separators. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * fix windows line endings Signed-off-by: Asra Ali <asraa@google.com> * pass embedded into initialization Signed-off-by: Asra Ali <asraa@google.com> Co-authored-by: Ville Aikas <vaikas@chainguard.dev>
sigstore · May 31, 2022 · 072fba8 · 072fba8
1 parent f98e31e
commit 072fba8
Show file tree

Hide file tree

Showing 12 changed files with 343 additions and 683 deletions.
diff --git a/Makefile b/Makefile
@@ -118,7 +118,7 @@ cross:
 golangci-lint:
 	rm -f $(GOLANGCI_LINT_BIN) || :
 	set -e ;\
-	GOBIN=$(GOLANGCI_LINT_DIR) go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.43.0 ;\
+	GOBIN=$(GOLANGCI_LINT_DIR) go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.46.2 ;\
 
 lint: golangci-lint ## Run golangci-lint linter
 	$(GOLANGCI_LINT_BIN) run -n

diff --git a/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go b/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go
@@ -121,7 +121,7 @@ func initRoots() (*x509.CertPool, *x509.CertPool, error) {
 		// call is made to update the root.
 		targets, err := tufClient.GetTargetsByMeta(tuf.Fulcio, []string{fulcioTargetStr, fulcioV1TargetStr})
 		if err != nil {
-			return nil, nil, errors.New("error getting targets")
+			return nil, nil, fmt.Errorf("error getting targets: %w", err)
 		}
 		if len(targets) == 0 {
 			return nil, nil, errors.New("none of the Fulcio roots have been found")

diff --git a/pkg/cosign/tlog.go b/pkg/cosign/tlog.go
@@ -77,18 +77,13 @@ func getLogID(pub crypto.PublicKey) (string, error) {
 
 // GetRekorPubs retrieves trusted Rekor public keys from the embedded or cached
 // TUF root. If expired, makes a network call to retrieve the updated targets.
+// There is an Env variable that can be used to override this behaviour:
+// SIGSTORE_REKOR_PUBLIC_KEY - If specified, location of the file that contains
+// the Rekor Public Key on local filesystem
 func GetRekorPubs(ctx context.Context) (map[string]RekorPubKey, error) {
-	tufClient, err := tuf.NewFromEnv(ctx)
-	if err != nil {
-		return nil, err
-	}
-	defer tufClient.Close()
-	targets, err := tufClient.GetTargetsByMeta(tuf.Rekor, []string{rekorTargetStr})
-	if err != nil {
-		return nil, err
-	}
 	publicKeys := make(map[string]RekorPubKey)
 	altRekorPub := os.Getenv(altRekorPublicKey)
+
 	if altRekorPub != "" {
 		fmt.Fprintf(os.Stderr, "**Warning** Using a non-standard public key for Rekor: %s\n", altRekorPub)
 		raw, err := os.ReadFile(altRekorPub)
@@ -105,6 +100,15 @@ func GetRekorPubs(ctx context.Context) (map[string]RekorPubKey, error) {
 		}
 		publicKeys[keyID] = RekorPubKey{PubKey: extra, Status: tuf.Active}
 	} else {
+		tufClient, err := tuf.NewFromEnv(ctx)
+		if err != nil {
+			return nil, err
+		}
+		defer tufClient.Close()
+		targets, err := tufClient.GetTargetsByMeta(tuf.Rekor, []string{rekorTargetStr})
+		if err != nil {
+			return nil, err
+		}
 		for _, t := range targets {
 			rekorPubKey, err := PemToECDSAKey(t.Target)
 			if err != nil {
@@ -326,6 +330,9 @@ func FindTLogEntriesByPayload(ctx context.Context, rekorClient *client.Rekor, pa
 	return searchIndex.GetPayload(), nil
 }
 
+// VerityTLogEntry verifies a TLog entry. If the Env variable
+// SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY is specified, fetches the Rekor public
+// key from the Rekor server using the provided rekorClient.
 func VerifyTLogEntry(ctx context.Context, rekorClient *client.Rekor, e *models.LogEntryAnon) error {
 	if e.Verification == nil || e.Verification.InclusionProof == nil {
 		return errors.New("inclusion proof not provided")
@@ -358,11 +365,9 @@ func VerifyTLogEntry(ctx context.Context, rekorClient *client.Rekor, e *models.L
 		LogID:          *e.LogID,
 	}
 
-	rekorPubKeys, err := GetRekorPubs(ctx)
-	if err != nil {
-		return fmt.Errorf("unable to fetch Rekor public keys from TUF repository: %w", err)
-	}
-
+	// If we've been told to fetch the Public Key from Rekor, fetch it here
+	// first before using the TUF code below.
+	rekorPubKeys := make(map[string]RekorPubKey)
 	addRekorPublic := os.Getenv(addRekorPublicKeyFromRekor)
 	if addRekorPublic != "" {
 		pubOK, err := rekorClient.Pubkey.GetPublicKey(nil)
@@ -380,6 +385,17 @@ func VerifyTLogEntry(ctx context.Context, rekorClient *client.Rekor, e *models.L
 		rekorPubKeys[keyID] = RekorPubKey{PubKey: pubFromAPI, Status: tuf.Active}
 	}
 
+	rekorPubKeysTuf, err := GetRekorPubs(ctx)
+	if err != nil {
+		if len(rekorPubKeys) == 0 {
+			return fmt.Errorf("unable to fetch Rekor public keys from TUF repository, and not trusting the Rekor API for fetching public keys: %w", err)
+		}
+		fmt.Fprintf(os.Stderr, "**Warning** Failed to fetch Rekor public keys from TUF, using the public key from Rekor API because %s was specified", addRekorPublicKeyFromRekor)
+	}
+
+	for k, v := range rekorPubKeysTuf {
+		rekorPubKeys[k] = v
+	}
 	pubKey, ok := rekorPubKeys[payload.LogID]
 	if !ok {
 		return errors.New("rekor log public key not found for payload")