_cli: add plumbing update-trust-root
#1174
Conversation
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
|
Yeah, seems to work fine. My personal weak preference is for more verbose output, particularly if it could help us debug issues in the future. Thanks! |
No problem! And makes sense -- I'll mess around with potential outputs here. |
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
| _console.print( | ||
| f"Trust root updated: {len(trusted_root.get_fulcio_certs())} Fulcio certificates" | ||
| ) |
There was a problem hiding this comment.
It's not the best/most useful output, but it should be a visually obvious sign that the step hasn't quietly failed.
Another option here is to dump the trust root as JSON. Not sure how I feel about that, since I don't want people to assume a stable interface on this subcommand quite yet 😅
There was a problem hiding this comment.
I think that would be excessive verbose and/or might confuse people as to whether it was written to the file or whether the user needs to redirect the output. Perhaps it could print cache path too, like written to ....
There was a problem hiding this comment.
Yeah, let me see if I can get it to do that. That's somewhere in the guts of the TUF updater itself (which is in python-tuf, not here).
There was a problem hiding this comment.
I'm maybe not following which file you are talking about but I think exposing trusted_root.json location is the only thing that makes sense (as users can't do much with TUF files): that is easily available in all TrustedRoot constructors so you could store the path in TrustedRoot for potential console output later.
There was a problem hiding this comment.
Yeah, I was thinking trusted_root.json.
There was a problem hiding this comment.
Seems ok for a first iteration of a "plumbing" command. The fulcio cert count seems a bit useless so that could be the trusted root location instead
I suppose one option would be to add a file hash to the output: it's not friendly to humans but would be a little more auditable
This adds a new plumbing-level command:
update-trust-root. When run,sigstore plumbing update-trust-rootwill perform a TUF update for the appropriate production or staging trust root, depending on whether the top-level--stagingflag is used.Closes #1172.
CC @mgorny if you can, it'd be great to have you trial this locally to confirm it meets your needs! In particular it'd be useful to know if you'd prefer it to be "louder" in terms of outputs, i.e. print something on
stdout/stderr.