Add
cosign init
to initialize the SigStore root metadata (#520)
* verify TUF root Signed-off-by: Asra Ali <asraa@google.com> * use tuf root for rekor and fulcio data Signed-off-by: Asra Ali <asraa@google.com> * add local tests and configs Signed-off-by: Asra Ali <asraa@google.com> * update Signed-off-by: Asra Ali <asraa@google.com> * update gcs bucket to prod Signed-off-by: Asra Ali <asraa@google.com>
Showing
12 changed files
with
645 additions
and
12 deletions.
|
@@ -24,5 +24,8 @@ | |
*.libfuzzer | ||
*fuzz.a | ||
|
||
# Root metadata | ||
*.sigstore/root/ | ||
|
||
bin* | ||
dist/ |
@@ -0,0 +1,57 @@ | ||
[ | ||
{ | ||
"keytype": "ecdsa-sha2-nistp256", | ||
"scheme": "ecdsa-sha2-nistp256", | ||
"keyid_hash_algorithms": [ | ||
"sha256", | ||
"sha512" | ||
], | ||
"keyval": { | ||
"public": "04cbc5cab2684160323c25cd06c3307178a6b1d1c9b949328453ae473c5ba7527e35b13f298b41633382241f3fd8526c262d43b45adee5c618fa0642c82b8a9803" | ||
} | ||
}, | ||
{ | ||
"keytype": "ecdsa-sha2-nistp256", | ||
"scheme": "ecdsa-sha2-nistp256", | ||
"keyid_hash_algorithms": [ | ||
"sha256", | ||
"sha512" | ||
], | ||
"keyval": { | ||
"public": "04a71aacd835dc170ba6db3fa33a1a33dee751d4f8b0217b805b9bd3242921ee93672fdcfd840576c5bb0dc0ed815edf394c1ee48c2b5e02485e59bfc512f3adc7" | ||
} | ||
}, | ||
{ | ||
"keytype": "ecdsa-sha2-nistp256", | ||
"scheme": "ecdsa-sha2-nistp256", | ||
"keyid_hash_algorithms": [ | ||
"sha256", | ||
"sha512" | ||
], | ||
"keyval": { | ||
"public": "04117b33dd265715bf23315e368faa499728db8d1f0a377070a1c7b1aba2cc21be6ab1628e42f2cdd7a35479f2dce07b303a8ba646c55569a8d2a504ba7e86e447" | ||
} | ||
}, | ||
{ | ||
"keytype": "ecdsa-sha2-nistp256", | ||
"scheme": "ecdsa-sha2-nistp256", | ||
"keyid_hash_algorithms": [ | ||
"sha256", | ||
"sha512" | ||
], | ||
"keyval": { | ||
"public": "04cc1cd53a61c23e88cc54b488dfae168a257c34fac3e88811c55962b24cffbfecb724447999c54670e365883716302e49da57c79a33cd3e16f81fbc66f0bcdf48" | ||
} | ||
}, | ||
{ | ||
"keytype": "ecdsa-sha2-nistp256", | ||
"scheme": "ecdsa-sha2-nistp256", | ||
"keyid_hash_algorithms": [ | ||
"sha256", | ||
"sha512" | ||
], | ||
"keyval": { | ||
"public": "048a78a44ac01099890d787e5e62afc29c8ccb69a70ec6549a6b04033b0a8acbfb42ab1ab9c713d225cdb52b858886cf46c8e90a7f3b9e6371882f370c259e1c5b" | ||
} | ||
} | ||
] |
@@ -0,0 +1,74 @@ | ||
// | ||
// Copyright 2021 The Sigstore Authors. | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package cli | ||
|
||
import ( | ||
"context" | ||
"flag" | ||
|
||
"github.com/peterbourgon/ff/v3/ffcli" | ||
ctuf "github.com/sigstore/cosign/pkg/cosign/tuf" | ||
) | ||
|
||
func Init() *ffcli.Command { | ||
var ( | ||
flagset = flag.NewFlagSet("cosign init", flag.ExitOnError) | ||
// TODO: Support HTTP mirrors as well | ||
mirror = flagset.String("mirror", "sigstore-tuf-root", "GCS bucket to a SigStore TUF repository.") | ||
root = flagset.String("root", ".sigstore/keys.json", "path to trusted initial root.") | ||
threshold = flagset.Int("threshold", 3, "threshold of root key signers") | ||
) | ||
return &ffcli.Command{ | ||
Name: "init", | ||
ShortUsage: "cosign init -mirror <url> -out <file>", | ||
ShortHelp: `Initializes SigStore root to retrieve trusted certificate and key targets for verification.`, | ||
LongHelp: `Initializes SigStore root to retrieve trusted certificate and key targets for verification. | ||
The following options are used by default: | ||
- Initial root keys are pulled from .sigstore/keys. If it does not exist, uses root keys provided in the release. | ||
- SigStore current TUF repository is pulled from the GCS mirror at . | ||
- Resulting trusted metadata is written to .sigstore/root. | ||
To provide an out-of-band trusted root.json, copy the file into a directory named .sigstore/root/. | ||
The resulting updated TUF repository will be written to .sigstore/root/. | ||
Trusted keys and certificate used in cosign verification (e.g. verifying Fulcio issued certificates | ||
with Fulcio root CA) are pulled form the trusted metadata. | ||
EXAMPLES | ||
# initialize root with distributed root keys, default mirror, and default out path. | ||
cosign init | ||
# initialize with an out-of-band root key file. | ||
cosign init | ||
# initialize with an out-of-band root key file and custom repository mirror. | ||
cosign init-mirror <> | ||
`, | ||
FlagSet: flagset, | ||
Exec: func(ctx context.Context, args []string) error { | ||
// Initialize the remote repository. | ||
remote, err := ctuf.GcsRemoteStore(ctx, *mirror, nil, nil) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
// Initialize and update the local SigStore root. | ||
return ctuf.Init(context.Background(), *root, remote, *threshold) | ||
}, | ||
} | ||
} |
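Review bot: The Exec closure at the end of the hunk drops its ctx argument for the second call — `ctuf.Init(context.Background(), *root, remote, *threshold)` — while the GcsRemoteStore call three lines above passes ctx, so a caller's cancellation or deadline never reaches the TUF root update; it should read `return ctuf.Init(ctx, *root, remote, *threshold)`. The help text also disagrees with the flag set: ShortUsage advertises `-out <file>` but only -mirror, -root and -threshold are defined, and the LongHelp says initial keys come from `.sigstore/keys` where the -root default is `.sigstore/keys.json`. The mirror sentence and the last two EXAMPLES lines look truncated in this rendering (angle-bracketed placeholders may have been stripped), so the wording should be checked against the source rather than assumed wrong. A -threshold of 0 or a negative value is forwarded to ctuf.Init without a check here; whether that helper rejects it is outside this hunk. Exported Init has no doc comment; `// Init returns the "cosign init" subcommand, which fetches the SigStore TUF repository from a GCS mirror and initializes the local trusted root.` would satisfy the package convention.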