Move fulcioroots and tuf packages from cosign #435
Conversation
The lint check is failing due to un-doc-commented exported methods, but I think I'd rather just leave those as-is than balloon the changes in this PR. If folks feel strongly about having these commented I think we should do that in a separate PR.
go.mod
Outdated
@@ -33,6 +33,11 @@ require ( | |||
gopkg.in/square/go-jose.v2 v2.6.0 | |||
) | |||
|
|||
require ( | |||
cloud.google.com/go/storage v1.10.0 |
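Review bot: The new `require` block makes `cloud.google.com/go/storage v1.10.0` a direct dependency of this library module, so every downstream consumer of sigstore/sigstore inherits that module and its transitive graph in their own go.sum and supply-chain review. If the package is only used to fetch TUF metadata and targets over HTTPS, a plain `net/http` client would keep the dependency footprint of the library small; otherwise a short comment on which code path needs the GCS client would help reviewers judge whether the dependency is justified.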
Were there concerns about pulling in this library? Was it just due to size?
Yeah I'd like to replace it with regular HTTP calls instead of taking a dependency on this GCS package. It's not huge, it's just mostly unnecessary.
Any more concerns here? If not I can merge and un-WIP sigstore/cosign#1866 to start using this.
This is a large PR, I want to double check nothing has changed. I don't have a lot of confidence that a break would be detected once this is used in cosign due to the lack of tests.
This LGTM - If you're able to wait a few days, it'd be nice to also get @asraa's LGTM since she's the author of the TUF changes.
I'm back in office and taking a look!
There's active debugging on the TUF client from a recent postmortem, so we may want to hold off on submitting this until that's resolved, as we'd like to get the bug fixed before 1.0.
In particular this is probably worth waiting for the fix for: sigstore/cosign#1899
Sounds good, I've converted to a draft for now. After the issue is resolved I can pick it back up.
After we do this: should probably consider sigstore/cosign#1935
I'd be fine cleaning it up first then moving it, too. There's no real rush to move it, especially if it causes confusion during cleanups or bug fixes.
I'd like to pick this up again after the TUF changes that blocked us last time, and after sigstore/cosign#1967 -- let me know if there's anything else I should wait for, otherwise I'll update this PR.
* fix: fix fetching updated targets from TUF root
  Signed-off-by: Asra Ali <asraa@google.com>
  add comment
  Signed-off-by: Asra Ali <asraa@google.com>
  update
  Signed-off-by: Asra Ali <asraa@google.com>
  update
  Signed-off-by: Asra Ali <asraa@google.com>
  possible fix windows
  Signed-off-by: Asra Ali <asraa@google.com>
  lint
  Signed-off-by: Asra Ali <asraa@google.com>
  fix windows maybe
  Signed-off-by: Asra Ali <asraa@google.com>
  fix close
  Signed-off-by: Asra Ali <asraa@google.com>
* update zack comments
  Signed-off-by: Asra Ali <asraa@google.com>
  update fix
  Signed-off-by: Asra Ali <asraa@google.com>
  update and add some debug
  Signed-off-by: Asra Ali <asraa@google.com>
  add debug
  Signed-off-by: Asra Ali <asraa@google.com>
  no cache
  Signed-off-by: Asra Ali <asraa@google.com>
  remove debug
  Signed-off-by: Asra Ali <asraa@google.com>
* try haydens comments
  Signed-off-by: Asra Ali <asraa@google.com>
* Use Rekor API for pubkeys before TUF if so specified.
  Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
* Address PR feedback, bump golangci-lint from 1.46.0 to 1.46.2
  Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
* Add comments for the env variables.
  Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
* Use path instead of filepath, basically revert to what it was before.
  Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
* ho hum, really just use the path.
  Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
* When interacting with fs do not use OS specific separators.
  Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
* fix windows line endings
  Signed-off-by: Asra Ali <asraa@google.com>
* pass embedded into initialization
  Signed-off-by: Asra Ali <asraa@google.com>
  Co-authored-by: Ville Aikas <vaikas@chainguard.dev>
  Signed-off-by: Jason Hall <jason@chainguard.dev>

* move rekor public key fetch inside GetRekorPubs
  Signed-off-by: Asra Ali <asraa@google.com>
* use in-memory metadata and targets, sync to disk on start and updates
  Signed-off-by: Asra Ali <asraa@google.com>
  update
  Signed-off-by: Asra Ali <asraa@google.com>
* Use TUF singleton.
  Co-authored-by: Ville Aikas <vaikas@chainguard.dev>
  Signed-off-by: Asra Ali <asraa@google.com>
* hayden comment, sync.Once used
  Signed-off-by: Asra Ali <asraa@google.com>
* return global error
  Signed-off-by: Asra Ali <asraa@google.com>
  Co-authored-by: Ville Aikas <vaikas@chainguard.dev>
  Signed-off-by: Jason Hall <jason@chainguard.dev>

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
Signed-off-by: Jason Hall <jason@chainguard.dev>
Signed-off-by: Jason Hall <jason@chainguard.dev>
Lint failures seemingly related
Yeah, there's a lot of un-godoc'ed code in the tuf and fulcioroots packages. I suspect some of them can be addressed by more aggressively unexporting types that don't need to be exported, and godoc'ing the rest, but I don't feel confident enough to document this code well. I did a little bit of lint-hunting in a previous iteration of this work, which I've done now on this one, but I think the rest should be addressed in a separate PR.
Works for me, but is there any way to disable the linter on this code for now so we don't break HEAD?
I've updated the lint action to only complain about findings in changed lines, that will at least let other PRs get merged while these are un-godoc'd. We'll still need someone to force-merge this over the complaints of the linter in this change though. Or make the check not-required.
Can you exclude whole directories/specific files instead? IMO that makes more sense, then we can remove that restriction in a follow-up PR and it doesn't require any kind of override.
Good call, done!
Gentle ping @haydentherapper @asraa -- I'd love to get this in before anything else touches these packages.
Ooo today, will take a look tomorrow!
Here we goooo!
Summary
This moves these packages from sigstore/cosign into sigstore/sigstore.
- pkg/fulcioroots comes from cosign's cmd/cosign/cli/fulcio/fulcioroots@2ccdb3, and drops that package's behavior when the SIGSTORE_ROOT_FILE env var is set -- this will remain in sigstore/cosign.
- pkg/tuf comes from cosign's pkg/cosign/tuf@2ccdb3 and is otherwise largely unchanged. Some methods were unexported that aren't used outside of this package.
Part of sigstore/cosign#1865
Release Note