diff --git a/install/requirements.txt b/install/requirements.txt index 907ecc0b5..5029e7d06 100644 --- a/install/requirements.txt +++ b/install/requirements.txt @@ -370,10 +370,11 @@ six==1.16.0 \ --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \ --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254 # via python-dateutil -tuf==2.1.0 \ - --hash=sha256:ab22d1143d4d8aa20c94d243de27eedc8cd517e251ddaf4a88c10952358a13ea \ - --hash=sha256:dbfe18fbdeba6d76144931db88b76e473fa40c431b60d25b455a9adbb07c2397 +# tuf==2.1.0 \ +# --hash=sha256:ab22d1143d4d8aa20c94d243de27eedc8cd517e251ddaf4a88c10952358a13ea \ +# --hash=sha256:dbfe18fbdeba6d76144931db88b76e473fa40c431b60d25b455a9adbb07c2397 # via sigstore +git+https://github.com/emboman13/python-tuf-lazy-refresh/tree/offline.git typing-extensions==4.5.0 \ --hash=sha256:5cb5f4a79139d699607b3ef622a1dedafa84e115ab0024e0d9c044a9479ca7cb \ --hash=sha256:fb33085c39dd998ac16d1431ebc293a8b3eedd00fd4a32de0ff79002c19511b4 diff --git a/sigstore/_internal/tuf.py b/sigstore/_internal/tuf.py index eeafccad3..463070bdd 100644 --- a/sigstore/_internal/tuf.py +++ b/sigstore/_internal/tuf.py @@ -34,7 +34,7 @@ TrustedRoot, ) from tuf.api import exceptions as TUFExceptions -from tuf.ngclient import RequestsFetcher, Updater +from tuf.ngclient import RequestsFetcher, Updater, config from sigstore._utils import read_embedded from sigstore.errors import MetadataError, RootError, TUFError @@ -115,6 +115,8 @@ def __init__(self, url: str) -> None: """ self._repo_url = url self._metadata_dir, self._targets_dir = _get_dirs(url) + # change to get from args + self.offline = True rsrc_prefix: str if self._repo_url == DEFAULT_TUF_URL: @@ -168,18 +170,27 @@ def staging(cls) -> TrustUpdater: @lru_cache() def _updater(self) -> Updater: """Initialize and update the toplevel TUF metadata""" + if self.offline: + configClass = config.UpdaterConfig(offline=True) + else: + configClass = config.UpdaterConfig() updater = Updater( metadata_dir=str(self._metadata_dir), metadata_base_url=self._repo_url, target_base_url=parse.urljoin(f"{self._repo_url}/", "targets/"), target_dir=str(self._targets_dir), fetcher=_get_fetcher(), + config=configClass, ) # NOTE: we would like to avoid refresh if the toplevel metadata is valid. # https://github.com/theupdateframework/python-tuf/issues/2225 try: updater.refresh() + except TUFExceptions.ExpiredMetadataError as exp_e: + raise TUFError( + "Local metadata is not available and you are in offline mode" + ) from exp_e except Exception as e: raise TUFError("Failed to refresh TUF metadata") from e @@ -191,9 +202,14 @@ def _get_trusted_root(self) -> TrustedRoot: if root_info is None: raise TUFError("Unsupported TUF configuration: no trusted root") path = self._updater().find_cached_target(root_info) + # might have to change something here if path is None: try: path = self._updater().download_target(root_info) + except TUFExceptions.ExpiredMetadataError as exp_e: + raise NameError( + "Local metadata is not available and you are in offline mode" + ) from exp_e except ( TUFExceptions.DownloadError, TUFExceptions.RepositoryError,