From 81a86c3c4b79545d0a009ebb4d4ec77a8c1b76e8 Mon Sep 17 00:00:00 2001 From: Asra Ali Date: Fri, 27 May 2022 15:37:19 -0500 Subject: [PATCH] try haydens comments Signed-off-by: Asra Ali --- pkg/cosign/tuf/client.go | 380 ++++++----------------- pkg/cosign/tuf/client_test.go | 37 ++- pkg/cosign/tuf/repository/1.root.json | 130 -------- pkg/cosign/tuf/repository/2.root.json | 144 --------- pkg/cosign/tuf/repository/rekor.json | 23 -- pkg/cosign/tuf/repository/snapshot.json | 48 --- pkg/cosign/tuf/repository/staging.json | 15 - pkg/cosign/tuf/repository/targets.json | 117 ------- pkg/cosign/tuf/repository/timestamp.json | 24 -- 9 files changed, 120 insertions(+), 798 deletions(-) delete mode 100644 pkg/cosign/tuf/repository/1.root.json delete mode 100644 pkg/cosign/tuf/repository/2.root.json delete mode 100644 pkg/cosign/tuf/repository/rekor.json delete mode 100644 pkg/cosign/tuf/repository/snapshot.json delete mode 100644 pkg/cosign/tuf/repository/staging.json delete mode 100644 pkg/cosign/tuf/repository/targets.json delete mode 100644 pkg/cosign/tuf/repository/timestamp.json diff --git a/pkg/cosign/tuf/client.go b/pkg/cosign/tuf/client.go index 1d2ac38efc5..66d16df6bdf 100644 --- a/pkg/cosign/tuf/client.go +++ b/pkg/cosign/tuf/client.go @@ -27,13 +27,12 @@ import ( "io/ioutil" "net/url" "os" + "path" "path/filepath" - "runtime" "strconv" "strings" "time" - "github.com/secure-systems-lab/go-securesystemslib/cjson" "github.com/theupdateframework/go-tuf/client" tuf_leveldbstore "github.com/theupdateframework/go-tuf/client/leveldbstore" "github.com/theupdateframework/go-tuf/data" @@ -46,6 +45,11 @@ const ( SigstoreNoCache = "SIGSTORE_NO_CACHE" ) +// Global in-memory targets to avoid re-downloading when there is no local cache. +// TODO: Consider using this map even when local caching to avoid reading from disk +// multiple times (e.g. when there are multiple signatures to verify in a single call). +var memoryTargets = map[string][]byte{} + var GetRemoteRoot = func() string { return DefaultRemoteRoot } @@ -55,7 +59,7 @@ type TUF struct { targets targetImpl local client.LocalStore remote client.RemoteStore - embedded bool // local embedded or cache + embedded fs.FS mirror string // location of mirror } @@ -94,10 +98,6 @@ type signedMeta struct { Version int64 `json:"version"` } -var ( - errEmbeddedMetadataNeedsUpdate = fmt.Errorf("new metadata requires an unsupported write operation") -) - // RemoteCache contains information to cache on the location of the remote // repository. type remoteCache struct { @@ -152,23 +152,10 @@ func getMetadataStatus(b []byte) (*MetadataStatus, error) { }, nil } -func isMetaEqual(x json.RawMessage, y json.RawMessage) (bool, error) { - stored, err := cjson.EncodeCanonical(x) - if err != nil { - return false, err - } - toSet, err := cjson.EncodeCanonical(y) - if err != nil { - return false, err - } - cmp := bytes.EqualFold(stored, toSet) - return cmp, nil -} - func (t *TUF) getRootStatus() (*RootStatus, error) { - local := "embedded" - if !t.embedded { - local = rootCacheDir() + local := rootCacheDir() + if noCache() { + local = "in-memory" } status := &RootStatus{ Local: local, @@ -203,13 +190,13 @@ func (t *TUF) getRootStatus() (*RootStatus, error) { return status, nil } -func getRoot(meta map[string]json.RawMessage, ed fs.FS) (json.RawMessage, error) { +func getRoot(meta map[string]json.RawMessage, fallback fs.FS) (json.RawMessage, error) { trustedRoot, ok := meta["root.json"] if ok { return trustedRoot, nil } // On first initialize, there will be no root in the TUF DB, so read from embedded. - rd, ok := ed.(fs.ReadFileFS) + rd, ok := fallback.(fs.ReadFileFS) if !ok { return nil, errors.New("fs.ReadFileFS unimplemented for embedded repo") } @@ -243,25 +230,17 @@ func (t *TUF) Close() error { // defaults to the embedded root.json. // * forceUpdate: indicates checking the remote for an update, even when the local // timestamp.json is up to date. -func initializeTUF(ctx context.Context, embed bool, mirror string, root []byte, forceUpdate bool) (*TUF, error) { +func initializeTUF(ctx context.Context, mirror string, root []byte, forceUpdate bool) (*TUF, error) { t := &TUF{ mirror: mirror, - embedded: embed, + embedded: GetEmbedded(), } t.targets = newFileImpl() - // Lazily init the local store in case we start with an embedded. - var initLocal = newLocalStore var err error - embeddedRepo := GetEmbedded() - if t.embedded { - t.targets = wrapEmbedded(embeddedRepo, t.targets) - t.local = wrapEmbeddedLocal(embeddedRepo, initLocal) - } else { - t.local, err = initLocal() - if err != nil { - return nil, err - } + t.local, err = newLocalStore() + if err != nil { + return nil, err } t.remote, err = remoteFromMirror(ctx, t.mirror) @@ -278,8 +257,10 @@ func initializeTUF(ctx context.Context, embed bool, mirror string, root []byte, return nil, fmt.Errorf("getting trusted meta: %w", err) } + // If the caller does not supply a root, then either use the root in the local store + // or default to the embedded one. if root == nil { - root, err = getRoot(trustedMeta, embeddedRepo) + root, err = getRoot(trustedMeta, t.embedded) if err != nil { t.Close() return nil, fmt.Errorf("getting trusted root: %w", err) @@ -291,14 +272,13 @@ func initializeTUF(ctx context.Context, embed bool, mirror string, root []byte, return nil, fmt.Errorf("unable to initialize client, local cache may be corrupt: %w", err) } - // We have our local store, whether it was embedded or not! - // Now check to see if it needs to be updated. + // We may already have an up-to-date local store! Check to see if it needs to be updated. trustedTimestamp, ok := trustedMeta["timestamp.json"] if ok && !isExpiredTimestamp(trustedTimestamp) && !forceUpdate { return t, nil } - // Update when timestamp is out of date. + // Update if local is not populated or out of date. if err := t.updateMetadataAndDownloadTargets(); err != nil { t.Close() return nil, fmt.Errorf("updating local metadata and targets: %w", err) @@ -308,24 +288,6 @@ func initializeTUF(ctx context.Context, embed bool, mirror string, root []byte, } func NewFromEnv(ctx context.Context) (*TUF, error) { - // Get local and mirror from env - tufDB := filepath.FromSlash(filepath.Join(rootCacheDir(), "tuf.db")) - var embed bool - - // Check for the current local. - _, statErr := os.Stat(tufDB) - switch { - case os.IsNotExist(statErr): - // There is no root at the location, use embedded. - embed = true - case statErr != nil: - // Some other error, bail - return nil, statErr - default: - // There is a local root! Happy path. - embed = false - } - // Check for the current remote mirror. mirror := GetRemoteRoot() b, err := os.ReadFile(cachedRemote(rootCacheDir())) @@ -337,27 +299,41 @@ func NewFromEnv(ctx context.Context) (*TUF, error) { } // Initializes a new TUF object from the local cache or defaults. - return initializeTUF(ctx, embed, mirror, nil, false) + return initializeTUF(ctx, mirror, nil, false) } func Initialize(ctx context.Context, mirror string, root []byte) error { // Initialize the client. Force an update. - t, err := initializeTUF(ctx, false, mirror, root, true) + t, err := initializeTUF(ctx, mirror, root, true) if err != nil { return err } t.Close() - // Store the remote for later. - remoteInfo := &remoteCache{Mirror: mirror} - b, err := json.Marshal(remoteInfo) + // Store the remote for later if we are caching. + if !noCache() { + remoteInfo := &remoteCache{Mirror: mirror} + b, err := json.Marshal(remoteInfo) + if err != nil { + return err + } + if err := os.WriteFile(cachedRemote(rootCacheDir()), b, 0600); err != nil { + return fmt.Errorf("storing remote: %w", err) + } + } + return nil +} + +// Checks if the testTarget matches the valid target file metadata. +func isValidTarget(testTarget []byte, validMeta data.TargetFileMeta) bool { + localMeta, err := util.GenerateTargetFileMeta(bytes.NewReader(testTarget)) if err != nil { - return err + return false } - if err := os.WriteFile(cachedRemote(rootCacheDir()), b, 0600); err != nil { - return fmt.Errorf("storing remote: %w", err) + if err := util.TargetFileMetaEqual(localMeta, validMeta); err != nil { + return false } - return nil + return true } func (t *TUF) GetTarget(name string) ([]byte, error) { @@ -371,12 +347,8 @@ func (t *TUF) GetTarget(name string) ([]byte, error) { return nil, err } - localMeta, err := util.GenerateTargetFileMeta(bytes.NewReader(targetBytes)) - if err != nil { - return nil, err - } - if err := util.TargetFileMetaEqual(localMeta, validMeta); err != nil { - return nil, err + if !isValidTarget(targetBytes, validMeta) { + return nil, fmt.Errorf("cache contains invalid target; local cache may be corrupt") } return targetBytes, nil @@ -463,14 +435,10 @@ func (t *TUF) updateMetadataAndDownloadTargets() error { return fmt.Errorf("error updating to TUF remote mirror: %w\nremote status:%s", err, string(b)) } - // Download newly updated targets. + // Download **newly** updated targets. // TODO: Consider lazily downloading these -- be careful with embedded targets if so. - for name := range targetFiles { - buf := bytes.Buffer{} - if err := downloadRemoteTarget(name, t.client, &buf); err != nil { - return err - } - if err := t.targets.Set(name, buf.Bytes()); err != nil { + for name, targetMeta := range targetFiles { + if err := maybeDownloadRemoteTarget(name, targetMeta, t); err != nil { return err } } @@ -479,7 +447,7 @@ func (t *TUF) updateMetadataAndDownloadTargets() error { } type targetDestination struct { - buf bytes.Buffer + buf *bytes.Buffer } func (t *targetDestination) Write(b []byte) (int, error) { @@ -487,17 +455,47 @@ func (t *targetDestination) Write(b []byte) (int, error) { } func (t *targetDestination) Delete() error { - t.buf = bytes.Buffer{} + t.buf = &bytes.Buffer{} return nil } -func downloadRemoteTarget(name string, c *client.Client, w io.Writer) error { - dest := targetDestination{} - if err := c.Download(name, &dest); err != nil { - return fmt.Errorf("downloading target: %w", err) +func maybeDownloadRemoteTarget(name string, meta data.TargetFileMeta, t *TUF) error { + // If we already have the target locally, don't bother downloading from remote storage. + if cachedTarget, err := t.targets.Get(name); err == nil { + // If the target we have stored matches the meta, use that. + if isValidTarget(cachedTarget, meta) { + return nil + } + } + + // Check if we already have the target in the embedded store. + w := bytes.Buffer{} + rd, ok := t.embedded.(fs.ReadFileFS) + if !ok { + return errors.New("fs.ReadFileFS unimplemented for embedded repo") + } + b, err := rd.ReadFile(path.Join("repository", "targets", name)) + if err == nil { + if isValidTarget(b, meta) { + if _, err := io.Copy(&w, bytes.NewReader(b)); err != nil { + return fmt.Errorf("using embedded target: %w", err) + } + } + } + + // Nope -- no local matching target, go download it. + if w.Len() == 0 { + dest := targetDestination{buf: &w} + if err := t.client.Download(name, &dest); err != nil { + return fmt.Errorf("downloading target: %w", err) + } } - _, err := io.Copy(w, &dest.buf) - return err + + // Set the target in the cache. + if err := t.targets.Set(name, w.Bytes()); err != nil { + return err + } + return nil } func rootCacheDir() string { @@ -533,137 +531,13 @@ func newLocalStore() (client.LocalStore, error) { return local, nil } -type localStoreInit func() (client.LocalStore, error) +//go:embed repository +var embeddedRootRepo embed.FS var GetEmbedded = func() fs.FS { return embeddedRootRepo } -// A read-only local store using embedded metadata -type embeddedLocalStore struct { - ed fs.FS -} - -func (e embeddedLocalStore) GetMeta() (map[string]json.RawMessage, error) { - meta := make(map[string]json.RawMessage) - ed, ok := e.ed.(fs.ReadDirFS) - if !ok { - return nil, errors.New("fs.ReadDirFS unimplemented for embedded repo") - } - entries, err := ed.ReadDir("repository") - if err != nil { - return nil, err - } - rd, ok := e.ed.(fs.ReadFileFS) - if !ok { - return nil, errors.New("fs.ReadFileFS unimplemented for embedded repo") - } - for _, entry := range entries { - if !entry.Type().IsRegular() { - // Skip the target directory or other strange files. - continue - } - b, err := rd.ReadFile(filepath.FromSlash(filepath.Join("repository", entry.Name()))) - if err != nil { - return nil, fmt.Errorf("reading embedded file: %w", err) - } - meta[entry.Name()] = b - } - return meta, err -} - -func (e *embeddedLocalStore) SetMeta(name string, meta json.RawMessage) error { - // Return no error if no real "write" is required: the meta matches the embedded content. - embeddedMeta, err := e.GetMeta() - if err != nil { - return err - } - metaContent, ok := embeddedMeta[name] - if !ok { - return errEmbeddedMetadataNeedsUpdate - } - equal, err := isMetaEqual(metaContent, meta) - if err != nil { - return fmt.Errorf("error comparing metadata: %w", err) - } - if equal { - return nil - } - return errEmbeddedMetadataNeedsUpdate -} - -func (e embeddedLocalStore) DeleteMeta(name string) error { - return errors.New("attempting to delete embedded metadata") -} - -func (e embeddedLocalStore) Close() error { - return nil -} - -type wrappedEmbeddedLocalStore struct { - // The read-only embedded local store. - embedded client.LocalStore - // Initially nil, initialized with makeWriteableStore once a write operation is needed. - writeable client.LocalStore - makeWriteableStore localStoreInit -} - -func wrapEmbeddedLocal(ed fs.FS, s localStoreInit) client.LocalStore { - return &wrappedEmbeddedLocalStore{embedded: &embeddedLocalStore{ed: ed}, makeWriteableStore: s, writeable: nil} -} - -func (e wrappedEmbeddedLocalStore) GetMeta() (map[string]json.RawMessage, error) { - if e.writeable != nil { - // We are using a writeable store, so use that. - return e.writeable.GetMeta() - } - // We haven't needed to create or write new metadata, so get the embedded metadata. - return e.embedded.GetMeta() -} - -func (e *wrappedEmbeddedLocalStore) SetMeta(name string, meta json.RawMessage) error { - if e.writeable == nil { - // Check if we the set operation "succeeds" for the read-only embedded store. - // This only succeeds if the metadata matches the embedded (i.e. no-op). - if err := e.embedded.SetMeta(name, meta); err == nil || !errors.Is(err, errEmbeddedMetadataNeedsUpdate) { - return err - } - // We haven't needed an update yet, so create and populate the writeable store! - meta, err := e.GetMeta() - if err != nil { - return fmt.Errorf("error retrieving embedded repo: %w", err) - } - e.writeable, err = e.makeWriteableStore() - if err != nil { - return fmt.Errorf("initializing local: %w", err) - } - for m, md := range meta { - if err := e.writeable.SetMeta(m, md); err != nil { - return fmt.Errorf("error transferring to cached repo: %w", err) - } - } - } - // We have a writeable store, so set the metadata. - return e.writeable.SetMeta(name, meta) -} - -func (e wrappedEmbeddedLocalStore) DeleteMeta(name string) error { - if e.writeable != nil { - return e.writeable.DeleteMeta(name) - } - return e.embedded.DeleteMeta(name) -} - -func (e wrappedEmbeddedLocalStore) Close() error { - if e.writeable != nil { - return e.writeable.Close() - } - return e.embedded.Close() -} - -//go:embed repository -var embeddedRootRepo embed.FS - // Target Implementations type targetImpl interface { Set(string, []byte) error @@ -672,82 +546,11 @@ type targetImpl interface { func newFileImpl() targetImpl { if noCache() { - return &memoryCache{} + return &memoryCache{targets: memoryTargets} } return &diskCache{base: cachedTargetsDir(rootCacheDir())} } -func wrapEmbedded(ed fs.FS, t targetImpl) targetImpl { - return &embeddedWrapper{embeddedRepo: ed, writeable: t, modified: false} -} - -type embeddedWrapper struct { - embeddedRepo fs.FS - // If we have an embedded fallback that needs updates, use - // the writeable targetImpl - writeable targetImpl - // Whether we modified targets and need to fetch from the writeable target store. - modified bool -} - -func (e *embeddedWrapper) Get(p string) ([]byte, error) { - if e.modified { - // Get it from the writeable target store since there's been updates. - b, err := e.writeable.Get(p) - if err == nil { - return b, nil - } - fmt.Fprintf(os.Stderr, "**Warning** Updated target not found; falling back on embedded target %s\n", p) - } - rd, ok := e.embeddedRepo.(fs.ReadFileFS) - if !ok { - return nil, errors.New("fs.ReadFileFS unimplemented for embedded repo") - } - b, err := rd.ReadFile(filepath.FromSlash(filepath.Join("repository", "targets", p))) - if err != nil { - return nil, err - } - // Unfortunately go:embed appears to somehow replace our line endings on windows, we need to switch them back. - // It should theoretically be safe to do this everywhere - but the files only seem to get mutated on Windows so - // let's only change them back there. - if runtime.GOOS == "windows" { - return bytes.ReplaceAll(b, []byte("\r\n"), []byte("\n")), nil - } - return b, nil -} - -func (e *embeddedWrapper) Set(name string, b []byte) error { - // If Set is called, our embedded cache is busted so we need to move over to the writeable targetsImpl. - if !e.modified { - ed, ok := e.embeddedRepo.(fs.ReadDirFS) - if !ok { - return errors.New("fs.ReadFileFS unimplemented for embedded repo") - } - entries, err := ed.ReadDir(filepath.FromSlash(filepath.Join("repository", "targets"))) - if err != nil { - return err - } - rd, ok := e.embeddedRepo.(fs.ReadFileFS) - if !ok { - return errors.New("fs.ReadFileFS unimplemented for embedded repo") - } - // Copy targets to the writeable store so we can find all of them later. - for _, entry := range entries { - b, err := rd.ReadFile(filepath.FromSlash(filepath.Join("repository", "targets", entry.Name()))) - if err != nil { - return fmt.Errorf("reading embedded file: %w", err) - } - if err := e.writeable.Set(entry.Name(), b); err != nil { - return fmt.Errorf("setting embedded file: %w", err) - } - } - } - // Now that we Set a target, we are now in a "modified" state and must check the writeable - // store for targets. - e.modified = true - return e.writeable.Set(name, b) -} - // In-memory cache for targets type memoryCache struct { targets map[string][]byte @@ -763,7 +566,6 @@ func (m *memoryCache) Set(p string, b []byte) error { func (m *memoryCache) Get(p string) ([]byte, error) { if m.targets == nil { - // This should never happen, a memory cache is used only after items are Set. return nil, fmt.Errorf("no cached targets available, cannot retrieve %s", p) } b, ok := m.targets[p] diff --git a/pkg/cosign/tuf/client_test.go b/pkg/cosign/tuf/client_test.go index cd57e54c311..fb89a7f1404 100644 --- a/pkg/cosign/tuf/client_test.go +++ b/pkg/cosign/tuf/client_test.go @@ -94,16 +94,25 @@ func TestNoCache(t *testing.T) { td := t.TempDir() t.Setenv("TUF_ROOT", td) + // First initialization, populate the cache. + tuf, err := NewFromEnv(ctx) + if err != nil { + t.Fatal(err) + } + checkTargetsAndMeta(t, tuf) + tuf.Close() + // Force expiration so we have some content to download forceExpiration(t, true) - tuf, err := NewFromEnv(ctx) + tuf, err = NewFromEnv(ctx) if err != nil { t.Fatal(err) } checkTargetsAndMeta(t, tuf) tuf.Close() + // No filesystem writes when using SIGSTORE_NO_CACHE. if l := dirLen(t, td); l != 0 { t.Errorf("expected no filesystem writes, got %d entries", l) } @@ -111,7 +120,7 @@ func TestNoCache(t *testing.T) { func TestCache(t *testing.T) { ctx := context.Background() - // Once more with NO_CACHE + // Once more with cache. t.Setenv("SIGSTORE_NO_CACHE", "false") td := t.TempDir() t.Setenv("TUF_ROOT", td) @@ -121,26 +130,38 @@ func TestCache(t *testing.T) { t.Errorf("expected no filesystem writes, got %d entries", l) } - // Nothing should get downloaded if everything is up to date - forceExpiration(t, false) + // First initialization, populate the cache. Expect disk writes. tuf, err := NewFromEnv(ctx) if err != nil { t.Fatal(err) } + checkTargetsAndMeta(t, tuf) tuf.Close() + cachedDirLen := dirLen(t, td) + if cachedDirLen == 0 { + t.Errorf("expected filesystem writes, got %d entries", cachedDirLen) + } - if l := dirLen(t, td); l != 0 { - t.Errorf("expected no filesystem writes, got %d entries", l) + // Nothing should get downloaded if everything is up to date. + forceExpiration(t, false) + tuf, err = NewFromEnv(ctx) + if err != nil { + t.Fatal(err) } + tuf.Close() - // Force expiration so that content gets downloaded. This should write to disk + if l := dirLen(t, td); cachedDirLen != l { + t.Errorf("expected no filesystem writes, got %d entries", l-cachedDirLen) + } + + // Forcing expiration, but expect no disk writes because all targets up to date. forceExpiration(t, true) tuf, err = NewFromEnv(ctx) if err != nil { t.Fatal(err) } - if l := dirLen(t, td); l == 0 { + if l := dirLen(t, td); l != cachedDirLen { t.Errorf("expected filesystem writes, got %d entries", l) } checkTargetsAndMeta(t, tuf) diff --git a/pkg/cosign/tuf/repository/1.root.json b/pkg/cosign/tuf/repository/1.root.json deleted file mode 100644 index dcc71f963a8..00000000000 --- a/pkg/cosign/tuf/repository/1.root.json +++ /dev/null @@ -1,130 +0,0 @@ -{ - "signatures": [ - { - "keyid": "2f64fb5eac0cf94dd39bb45308b98920055e9a0d8e012a7220787834c60aef97", - "sig": "30450221008a35d51da0f845301a5eac98ad0df00a934f59b709c1eaf81c86be734d9356f80220742942325599749800f52675f6efe124345980a2a636c0dc76f9caf9fc3123b0" - }, - { - "keyid": "bdde902f5ec668179ff5ca0dabf7657109287d690bf97e230c21d65f99155c62", - "sig": "3045022100ef9157ece2a09baec1eab80adfc00b04da20b1f9a0d1b47c5dabc4506719ef2c022074f72acd57398e4ddc8c2a5040df902961e9615dca48f3fbe38cbb506e500066" - }, - { - "keyid": "eaf22372f417dd618a46f6c627dbc276e9fd30a004fc94f9be946e73f8bd090b", - "sig": "30450220420fdc9a09cd069b8b15fd8db9cedf7d0dee75871bd1cfee77c926d4120a770002210097553b5ad0d6b4a13902ed37509638bb63a9009f78230cd56c802909ffbfead7" - }, - { - "keyid": "f40f32044071a9365505da3d1e3be6561f6f22d0e60cf51df783999f6c3429cb", - "sig": "304502202aaf32e66f90752f658672b085ecfe45cc1ad31ee6cf5c9ad05f3267685f8d88022100b5df02acdaa371123db9d7a42219553fe079b230b168833e951be7ee56ded347" - }, - { - "keyid": "f505595165a177a41750a8e864ed1719b1edfccd5a426fd2c0ffda33ce7ff209", - "sig": "304402205d420c7d05c58980c1c9f7d221f53b5334aae27a447d2a91c2ceddd685269749022039ec83e51f8e1779d7f0142dfa4a5bbecfe327fc0b91b7416090fea2416fd53a" - } - ], - "signed": { - "_type": "root", - "consistent_snapshot": false, - "expires": "2021-12-18T13:28:12.99008-06:00", - "keys": { - "2f64fb5eac0cf94dd39bb45308b98920055e9a0d8e012a7220787834c60aef97": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keytype": "ecdsa-sha2-nistp256", - "keyval": { - "public": "04cbc5cab2684160323c25cd06c3307178a6b1d1c9b949328453ae473c5ba7527e35b13f298b41633382241f3fd8526c262d43b45adee5c618fa0642c82b8a9803" - }, - "scheme": "ecdsa-sha2-nistp256" - }, - "bdde902f5ec668179ff5ca0dabf7657109287d690bf97e230c21d65f99155c62": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keytype": "ecdsa-sha2-nistp256", - "keyval": { - "public": "04a71aacd835dc170ba6db3fa33a1a33dee751d4f8b0217b805b9bd3242921ee93672fdcfd840576c5bb0dc0ed815edf394c1ee48c2b5e02485e59bfc512f3adc7" - }, - "scheme": "ecdsa-sha2-nistp256" - }, - "eaf22372f417dd618a46f6c627dbc276e9fd30a004fc94f9be946e73f8bd090b": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keytype": "ecdsa-sha2-nistp256", - "keyval": { - "public": "04117b33dd265715bf23315e368faa499728db8d1f0a377070a1c7b1aba2cc21be6ab1628e42f2cdd7a35479f2dce07b303a8ba646c55569a8d2a504ba7e86e447" - }, - "scheme": "ecdsa-sha2-nistp256" - }, - "f40f32044071a9365505da3d1e3be6561f6f22d0e60cf51df783999f6c3429cb": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keytype": "ecdsa-sha2-nistp256", - "keyval": { - "public": "04cc1cd53a61c23e88cc54b488dfae168a257c34fac3e88811c55962b24cffbfecb724447999c54670e365883716302e49da57c79a33cd3e16f81fbc66f0bcdf48" - }, - "scheme": "ecdsa-sha2-nistp256" - }, - "f505595165a177a41750a8e864ed1719b1edfccd5a426fd2c0ffda33ce7ff209": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keytype": "ecdsa-sha2-nistp256", - "keyval": { - "public": "048a78a44ac01099890d787e5e62afc29c8ccb69a70ec6549a6b04033b0a8acbfb42ab1ab9c713d225cdb52b858886cf46c8e90a7f3b9e6371882f370c259e1c5b" - }, - "scheme": "ecdsa-sha2-nistp256" - } - }, - "roles": { - "root": { - "keyids": [ - "2f64fb5eac0cf94dd39bb45308b98920055e9a0d8e012a7220787834c60aef97", - "bdde902f5ec668179ff5ca0dabf7657109287d690bf97e230c21d65f99155c62", - "eaf22372f417dd618a46f6c627dbc276e9fd30a004fc94f9be946e73f8bd090b", - "f40f32044071a9365505da3d1e3be6561f6f22d0e60cf51df783999f6c3429cb", - "f505595165a177a41750a8e864ed1719b1edfccd5a426fd2c0ffda33ce7ff209" - ], - "threshold": 3 - }, - "snapshot": { - "keyids": [ - "2f64fb5eac0cf94dd39bb45308b98920055e9a0d8e012a7220787834c60aef97", - "bdde902f5ec668179ff5ca0dabf7657109287d690bf97e230c21d65f99155c62", - "eaf22372f417dd618a46f6c627dbc276e9fd30a004fc94f9be946e73f8bd090b", - "f40f32044071a9365505da3d1e3be6561f6f22d0e60cf51df783999f6c3429cb", - "f505595165a177a41750a8e864ed1719b1edfccd5a426fd2c0ffda33ce7ff209" - ], - "threshold": 3 - }, - "targets": { - "keyids": [ - "2f64fb5eac0cf94dd39bb45308b98920055e9a0d8e012a7220787834c60aef97", - "bdde902f5ec668179ff5ca0dabf7657109287d690bf97e230c21d65f99155c62", - "eaf22372f417dd618a46f6c627dbc276e9fd30a004fc94f9be946e73f8bd090b", - "f40f32044071a9365505da3d1e3be6561f6f22d0e60cf51df783999f6c3429cb", - "f505595165a177a41750a8e864ed1719b1edfccd5a426fd2c0ffda33ce7ff209" - ], - "threshold": 3 - }, - "timestamp": { - "keyids": [ - "2f64fb5eac0cf94dd39bb45308b98920055e9a0d8e012a7220787834c60aef97", - "bdde902f5ec668179ff5ca0dabf7657109287d690bf97e230c21d65f99155c62", - "eaf22372f417dd618a46f6c627dbc276e9fd30a004fc94f9be946e73f8bd090b", - "f40f32044071a9365505da3d1e3be6561f6f22d0e60cf51df783999f6c3429cb", - "f505595165a177a41750a8e864ed1719b1edfccd5a426fd2c0ffda33ce7ff209" - ], - "threshold": 3 - } - }, - "spec_version": "1.0", - "version": 1 - } -} \ No newline at end of file diff --git a/pkg/cosign/tuf/repository/2.root.json b/pkg/cosign/tuf/repository/2.root.json deleted file mode 100644 index 386ebe62c1e..00000000000 --- a/pkg/cosign/tuf/repository/2.root.json +++ /dev/null @@ -1,144 +0,0 @@ -{ - "signatures": [ - { - "keyid": "2f64fb5eac0cf94dd39bb45308b98920055e9a0d8e012a7220787834c60aef97", - "sig": "3046022100d3ea59490b253beae0926c6fa63f54336dea1ed700555be9f27ff55cd347639c0221009157d1ba012cead81948a4ab777d355451d57f5c4a2d333fc68d2e3f358093c2" - }, - { - "keyid": "bdde902f5ec668179ff5ca0dabf7657109287d690bf97e230c21d65f99155c62", - "sig": "304502206eaef40564403ce572c6d062e0c9b0aab5e0223576133e081e1b495e8deb9efd02210080fd6f3464d759601b4afec596bbd5952f3a224cd06ed1cdfc3c399118752ba2" - }, - { - "keyid": "eaf22372f417dd618a46f6c627dbc276e9fd30a004fc94f9be946e73f8bd090b", - "sig": "304502207baace02f56d8e6069f10b6ff098a26e7f53a7f9324ad62cffa0557bdeb9036c022100fb3032baaa090d0040c3f2fd872571c84479309b773208601d65948df87a9720" - }, - { - "keyid": "f40f32044071a9365505da3d1e3be6561f6f22d0e60cf51df783999f6c3429cb", - "sig": "304402205180c01905505dd88acd7a2dad979dd75c979b3722513a7bdedac88c6ae8dbeb022056d1ddf7a192f0b1c2c90ff487de2fb3ec9f0c03f66ea937c78d3b6a493504ca" - }, - { - "keyid": "f505595165a177a41750a8e864ed1719b1edfccd5a426fd2c0ffda33ce7ff209", - "sig": "3046022100c8806d4647c514d80fd8f707d3369444c4fd1d0812a2d25f828e564c99790e3f022100bb51f12e862ef17a7d3da2ac103bebc5c7e792237006c4cafacd76267b249c2f" - } - ], - "signed": { - "_type": "root", - "consistent_snapshot": false, - "expires": "2022-05-11T19:09:02.663975009Z", - "keys": { - "2f64fb5eac0cf94dd39bb45308b98920055e9a0d8e012a7220787834c60aef97": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keytype": "ecdsa-sha2-nistp256", - "keyval": { - "public": "04cbc5cab2684160323c25cd06c3307178a6b1d1c9b949328453ae473c5ba7527e35b13f298b41633382241f3fd8526c262d43b45adee5c618fa0642c82b8a9803" - }, - "scheme": "ecdsa-sha2-nistp256" - }, - "b6710623a30c010738e64c5209d367df1c0a18cf90e6ab5292fb01680f83453d": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keytype": "ecdsa-sha2-nistp256", - "keyval": { - "public": "04fa1a3e42f2300cd3c5487a61509348feb1e936920fef2f83b7cd5dbe7ba045f538725ab8f18a666e6233edb7e0db8766c8dc336633449c5e1bbe0c182b02df0b" - }, - "scheme": "ecdsa-sha2-nistp256" - }, - "bdde902f5ec668179ff5ca0dabf7657109287d690bf97e230c21d65f99155c62": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keytype": "ecdsa-sha2-nistp256", - "keyval": { - "public": "04a71aacd835dc170ba6db3fa33a1a33dee751d4f8b0217b805b9bd3242921ee93672fdcfd840576c5bb0dc0ed815edf394c1ee48c2b5e02485e59bfc512f3adc7" - }, - "scheme": "ecdsa-sha2-nistp256" - }, - "eaf22372f417dd618a46f6c627dbc276e9fd30a004fc94f9be946e73f8bd090b": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keytype": "ecdsa-sha2-nistp256", - "keyval": { - "public": "04117b33dd265715bf23315e368faa499728db8d1f0a377070a1c7b1aba2cc21be6ab1628e42f2cdd7a35479f2dce07b303a8ba646c55569a8d2a504ba7e86e447" - }, - "scheme": "ecdsa-sha2-nistp256" - }, - "f40f32044071a9365505da3d1e3be6561f6f22d0e60cf51df783999f6c3429cb": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keytype": "ecdsa-sha2-nistp256", - "keyval": { - "public": "04cc1cd53a61c23e88cc54b488dfae168a257c34fac3e88811c55962b24cffbfecb724447999c54670e365883716302e49da57c79a33cd3e16f81fbc66f0bcdf48" - }, - "scheme": "ecdsa-sha2-nistp256" - }, - "f505595165a177a41750a8e864ed1719b1edfccd5a426fd2c0ffda33ce7ff209": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keytype": "ecdsa-sha2-nistp256", - "keyval": { - "public": "048a78a44ac01099890d787e5e62afc29c8ccb69a70ec6549a6b04033b0a8acbfb42ab1ab9c713d225cdb52b858886cf46c8e90a7f3b9e6371882f370c259e1c5b" - }, - "scheme": "ecdsa-sha2-nistp256" - }, - "fc61191ba8a516fe386c7d6c97d918e1d241e1589729add09b122725b8c32451": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keytype": "ecdsa-sha2-nistp256", - "keyval": { - "public": "044c7793ab74b9ddd713054e587b8d9c75c5f6025633d0fef7ca855ed5b8d5a474b23598fe33eb4a63630d526f74d4bdaec8adcb51993ed65652d651d7c49203eb" - }, - "scheme": "ecdsa-sha2-nistp256" - } - }, - "roles": { - "root": { - "keyids": [ - "2f64fb5eac0cf94dd39bb45308b98920055e9a0d8e012a7220787834c60aef97", - "bdde902f5ec668179ff5ca0dabf7657109287d690bf97e230c21d65f99155c62", - "eaf22372f417dd618a46f6c627dbc276e9fd30a004fc94f9be946e73f8bd090b", - "f40f32044071a9365505da3d1e3be6561f6f22d0e60cf51df783999f6c3429cb", - "f505595165a177a41750a8e864ed1719b1edfccd5a426fd2c0ffda33ce7ff209" - ], - "threshold": 3 - }, - "snapshot": { - "keyids": [ - "fc61191ba8a516fe386c7d6c97d918e1d241e1589729add09b122725b8c32451" - ], - "threshold": 1 - }, - "targets": { - "keyids": [ - "2f64fb5eac0cf94dd39bb45308b98920055e9a0d8e012a7220787834c60aef97", - "bdde902f5ec668179ff5ca0dabf7657109287d690bf97e230c21d65f99155c62", - "eaf22372f417dd618a46f6c627dbc276e9fd30a004fc94f9be946e73f8bd090b", - "f40f32044071a9365505da3d1e3be6561f6f22d0e60cf51df783999f6c3429cb", - "f505595165a177a41750a8e864ed1719b1edfccd5a426fd2c0ffda33ce7ff209" - ], - "threshold": 3 - }, - "timestamp": { - "keyids": [ - "b6710623a30c010738e64c5209d367df1c0a18cf90e6ab5292fb01680f83453d" - ], - "threshold": 1 - } - }, - "spec_version": "1.0", - "version": 2 - } -} \ No newline at end of file diff --git a/pkg/cosign/tuf/repository/rekor.json b/pkg/cosign/tuf/repository/rekor.json deleted file mode 100644 index f86930d537b..00000000000 --- a/pkg/cosign/tuf/repository/rekor.json +++ /dev/null @@ -1,23 +0,0 @@ -{ - "signatures": [ - { - "keyid": "ae0c689c6347ada7359df48934991f4e013193d6ddf3482a5ffb293f74f3b217", - "sig": "3045022076eadd73f6664bac5cc91f12d3a7ddcdd53f9bde661f147651196ff66e7235d1022100f7b3143792405f9e8a75331a05d4128bdf083de302801e99c3d027919a4b03da" - } - ], - "signed": { - "_type": "targets", - "expires": "2022-05-11T19:10:11Z", - "spec_version": "1.0", - "targets": { - "rekor.0.pub": { - "hashes": { - "sha256": "dce5ef715502ec9f3cdfd11f8cc384b31a6141023d3e7595e9908a81cb6241bd", - "sha512": "0ae7705e02db33e814329746a4a0e5603c5bdcd91c96d072158d71011a2695788866565a2fec0fe363eb72cbcaeda39e54c5fe8d416daf9f3101fdba4217ef35" - }, - "length": 178 - } - }, - "version": 1 - } -} \ No newline at end of file diff --git a/pkg/cosign/tuf/repository/snapshot.json b/pkg/cosign/tuf/repository/snapshot.json deleted file mode 100644 index c0e3ca3030d..00000000000 --- a/pkg/cosign/tuf/repository/snapshot.json +++ /dev/null @@ -1,48 +0,0 @@ -{ - "signatures": [ - { - "keyid": "fc61191ba8a516fe386c7d6c97d918e1d241e1589729add09b122725b8c32451", - "sig": "3045022100cffd67c2d0339acb9d045f06dfbc81cfedbb49c0b68f95df3d449198d7957a6d022071a28a25789bbe13b8838c88f1f48d401fb15151a0689f51007dbca502408d38" - } - ], - "signed": { - "_type": "snapshot", - "expires": "2022-01-29T00:38:36Z", - "meta": { - "rekor.json": { - "hashes": { - "sha256": "a7412a87f8d7b330e0380b19a4a76c00357c39a1aa7f56fd87445d4e12faafe4", - "sha512": "720cb3c42bac50c5bc3cb7076e730301ef29f1893ea52e25f9393fc05851c7a531638c42d9fc992969805982a2bf51d676e33d28a7382ea589b5a9f87474c63f" - }, - "length": 697, - "version": 1 - }, - "root.json": { - "hashes": { - "sha256": "f5ad897c9414cca99629f400ac3585e41bd8ebb44c5af07fb08dd636a9eced9c", - "sha512": "7445ddfdd338ef786c324fc3d68f75be28cb95b7fb581d2a383e3e5dde18aa17029a5636ec0a22e9631931bbcb34057788311718ea41e21e7cdd3c0de13ede42" - }, - "length": 5297, - "version": 2 - }, - "staging.json": { - "hashes": { - "sha256": "c7f32379c2a76f0ec0af84e86794a8f4fe285e44fb62f336d598810dccdc7343", - "sha512": "5462cb15fe5248a12cc12387a732ad43caf42391361f36113ea3d4b7e5e193cdf39fbe91c309c0691134377cb83afeba50cf6d711537d8280ce16ce9cd8752ba" - }, - "length": 399, - "version": 1 - }, - "targets.json": { - "hashes": { - "sha256": "18d10c07c8d6bd7484772b02dcc988d0abf8a0fa379d5893a502410590c17fe6", - "sha512": "c2ba2a84820288997c8fae264776df7b262dde97c4f9e0320ad354879ce5afabd1d43494734fecffd23253442a14cfe217787de8b65cf7fd1f03130b72a0767c" - }, - "length": 4167, - "version": 2 - } - }, - "spec_version": "1.0", - "version": 10 - } -} \ No newline at end of file diff --git a/pkg/cosign/tuf/repository/staging.json b/pkg/cosign/tuf/repository/staging.json deleted file mode 100644 index 084010de75c..00000000000 --- a/pkg/cosign/tuf/repository/staging.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "signatures": [ - { - "keyid": "b811bd53f2d7adcf5d93e6bb4a8ed2e0ca0f83d454a3e51f105c8e8376bc80d4", - "sig": "304502204486f7b23eadb69df87776ac7a4938ac75a8a2b2e93c84c05d962373837ea91c022100aaeb0fa587430f49618711bb4bd0c1092637c22c223d03c0f1b5a09baea0ed9f" - } - ], - "signed": { - "_type": "targets", - "expires": "2022-02-11T20:10:16Z", - "spec_version": "1.0", - "targets": {}, - "version": 1 - } -} \ No newline at end of file diff --git a/pkg/cosign/tuf/repository/targets.json b/pkg/cosign/tuf/repository/targets.json deleted file mode 100644 index b26926a438f..00000000000 --- a/pkg/cosign/tuf/repository/targets.json +++ /dev/null @@ -1,117 +0,0 @@ -{ - "signatures": [ - { - "keyid": "2f64fb5eac0cf94dd39bb45308b98920055e9a0d8e012a7220787834c60aef97", - "sig": "3046022100cc1b2ed390e75a112c0fdd6bcbd8bb775300a410f5737ae39996b1858753c8e4022100b591f73370e9378914fb2fab837f700661abd1a74c680f139f6164ec12cb538f" - }, - { - "keyid": "bdde902f5ec668179ff5ca0dabf7657109287d690bf97e230c21d65f99155c62", - "sig": "3045022100bc6c45a125e45507339af96aa63983e847565c769f20d7d71bcd2deb7bd36ea902202bf6bd3b76d434c318287899e53f64b4dc178eb0ba403080f1c4fba88a2177ca" - }, - { - "keyid": "eaf22372f417dd618a46f6c627dbc276e9fd30a004fc94f9be946e73f8bd090b", - "sig": "304502210085d5bc8a158d31536b4e76cddceef25185c7abbe9091b84f5f2b0d615d9b4ee90220136a36fed2d5986c2519b7d165556f20dfe41fddececda48dffa8dec5258cb95" - }, - { - "keyid": "f40f32044071a9365505da3d1e3be6561f6f22d0e60cf51df783999f6c3429cb", - "sig": "304402202fe73a61dfe05b4202bc50f66e52bba3d3475134434dab9576735caed659b03c0220449755a87f4dab9961566f10477204637b2415f87e162b58a23b13327dec53e3" - }, - { - "keyid": "f505595165a177a41750a8e864ed1719b1edfccd5a426fd2c0ffda33ce7ff209", - "sig": "304602210091f453ef75c5178299175734355a65a2fc2d0ee137410f46ba8439d99037fc08022100fc800d15f0b751fa225a77542928f4264835c013054a5c409c674e2ea5a70384" - } - ], - "signed": { - "_type": "targets", - "delegations": { - "keys": { - "ae0c689c6347ada7359df48934991f4e013193d6ddf3482a5ffb293f74f3b217": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keytype": "ecdsa-sha2-nistp256", - "keyval": { - "public": "043463588ae9df33a419d1099761245af52aaf7e638b2047bc0f739a62de9808c50a21ea8a1a273799f857f31a1bcb66e6661dd9d5ac7ac3ca260b0b8130c3fed8" - }, - "scheme": "ecdsa-sha2-nistp256" - }, - "b811bd53f2d7adcf5d93e6bb4a8ed2e0ca0f83d454a3e51f105c8e8376bc80d4": { - "keyid_hash_algorithms": [ - "sha256", - "sha512" - ], - "keytype": "ecdsa-sha2-nistp256", - "keyval": { - "public": "041b4b13a6e7110292d284c0dbfc3962a12d2a779a800c99aff59c6afe779296943c75d84aa5bad0be28e4061cf93e0cd3d372d9b2f75ea9f29b907cbccd82006f" - }, - "scheme": "ecdsa-sha2-nistp256" - } - }, - "roles": [ - { - "keyids": [ - "ae0c689c6347ada7359df48934991f4e013193d6ddf3482a5ffb293f74f3b217" - ], - "name": "rekor", - "paths": [ - "rekor.*.pub" - ], - "terminating": true, - "threshold": 1 - }, - { - "keyids": [ - "b811bd53f2d7adcf5d93e6bb4a8ed2e0ca0f83d454a3e51f105c8e8376bc80d4" - ], - "name": "staging", - "paths": [ - "*" - ], - "terminating": false, - "threshold": 1 - } - ] - }, - "expires": "2022-05-11T19:10:16Z", - "spec_version": "1.0", - "targets": { - "artifact.pub": { - "hashes": { - "sha256": "59ebf97a9850aecec4bc39c1f5c1dc46e6490a6b5fd2a6cacdcac0c3a6fc4cbf", - "sha512": "308fd1d1d95d7f80aa33b837795251cc3e886792982275e062409e13e4e236ffc34d676682aa96fdc751414de99c864bf132dde71581fa651c6343905e3bf988" - }, - "length": 177 - }, - "ctfe.pub": { - "hashes": { - "sha256": "7fcb94a5d0ed541260473b990b99a6c39864c1fb16f3f3e594a5a3cebbfe138a", - "sha512": "4b20747d1afe2544238ad38cc0cc3010921b177d60ac743767e0ef675b915489bd01a36606c0ff83c06448622d7160f0d866c83d20f0c0f44653dcc3f9aa0bd4" - }, - "length": 177 - }, - "fulcio.crt.pem": { - "hashes": { - "sha256": "f360c53b2e13495a628b9b8096455badcb6d375b185c4816d95a5d746ff29908", - "sha512": "0713252a7fd17f7f3ab12f88a64accf2eb14b8ad40ca711d7fe8b4ecba3b24db9e9dffadb997b196d3867b8f9ff217faf930d80e4dab4e235c7fc3f07be69224" - }, - "length": 744 - }, - "fulcio_v1.crt.pem": { - "hashes": { - "sha256": "f989aa23def87c549404eadba767768d2a3c8d6d30a8b793f9f518a8eafd2cf5", - "sha512": "f2e33a6dc208cee1f51d33bbea675ab0f0ced269617497985f9a0680689ee7073e4b6f8fef64c91bda590d30c129b3070dddce824c05bc165ac9802f0705cab6" - }, - "length": 740 - }, - "rekor.pub": { - "hashes": { - "sha256": "dce5ef715502ec9f3cdfd11f8cc384b31a6141023d3e7595e9908a81cb6241bd", - "sha512": "0ae7705e02db33e814329746a4a0e5603c5bdcd91c96d072158d71011a2695788866565a2fec0fe363eb72cbcaeda39e54c5fe8d416daf9f3101fdba4217ef35" - }, - "length": 178 - } - }, - "version": 2 - } -} \ No newline at end of file diff --git a/pkg/cosign/tuf/repository/timestamp.json b/pkg/cosign/tuf/repository/timestamp.json deleted file mode 100644 index 2030e49d9a6..00000000000 --- a/pkg/cosign/tuf/repository/timestamp.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "signatures": [ - { - "keyid": "b6710623a30c010738e64c5209d367df1c0a18cf90e6ab5292fb01680f83453d", - "sig": "3045022100b4cda580b371e32ce938d03676208b394942f6205eb8ebe8650ec5b366ac5cd7022038ce51f5e3de90849ff728c21179484135b286563f60c906f0db5d999fd676d7" - } - ], - "signed": { - "_type": "timestamp", - "expires": "2022-01-29T00:38:38Z", - "meta": { - "snapshot.json": { - "hashes": { - "sha256": "c4d26ba0e5c0b142c26b9cb11caedac1f29134275190da8f2cb981f2d8a13236", - "sha512": "db3c7a61418fd050a6af04f9d3bb2b359785fd5b4b323516740c76b413df0deae0d81f4bab0abce7abe077584110c00e0f35eeee5155abb7be1b74975794a8fe" - }, - "length": 1657, - "version": 10 - } - }, - "spec_version": "1.0", - "version": 10 - } -} \ No newline at end of file