Skip to content

Separate TUF and trusted root management code #844

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jan 4, 2024
Merged

Separate TUF and trusted root management code #844

merged 3 commits into from
Jan 4, 2024

Conversation

jku
Copy link
Member

@jku jku commented Dec 19, 2023
edited
Loading

Summary

The purpose of this is to later enable both "--trust-root " and some sort of "--offline" functionality.

  • Trust root can now be initialized from tuf, offline tuf or from a file
  • _internal.tuf module is now used only from the new _internal.trustroot module
  • all "trust root parsing" was moved from _internal.tuf to _internal.trustroot
  • Tests are modified to use the trustroot module now but they still (also) test the internal TUF implementation details
  • The new functionality (offline & from_file) is tested but is not exposed to UI

Some details

The main functional change as I see it is in TrustedRoot/TrustUpdater initialization. There are three possible scenarios (once this is exposed through UI):

  • A trust root is provided as a file: TrustedRoot never instantiates a TrustUpdater
  • offline is requested: A TrustUpdater is instantiated but it does no TUF operations (only returns trust root from cache)
  • default: TrustUpdater is instantiated and it refreshes from repository immediately (since we know it will be used)

This leads to some minor test changes but nothing too bad.

Release Note

No release notes, I think: This should not change API or cli at this point

@jku jku force-pushed the trust-root-refactor branch 2 times, most recently from 0fbfb0f to 2c23aa8 Compare December 19, 2023 13:01
This was referenced Dec 19, 2023
Open
Open
@woodruffw woodruffw added component:tuf TUF related components enhancement New feature or request labels Dec 19, 2023
jku added 2 commits January 3, 2024 16:12
@jku
Separate TUF and trusted root management code
650a857 
The purpose of this is to later enable both "--trust-root <FILE>" and
some sort of offline functionality.
 * Trusted root can now be initialized from tuf, offline tuf or
   from a file
 * _internal.tuf module is now used only from the new trustroot module
 * Tests are modified to use the CustomTrustRoot API now but they still
   (also) test the internal TUF implementation details
 * The new functionality (offline & from_file) is tested but is not
   exposed to UI
 * TrustUpdater now updates metadata when it is created (if not offline):
   This does not change application functionality as a online
   TrustUpdater is only created if a TUF update is needed

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
@jku
Rename CustomTrustedRoot to TrustedRoot
a314bbc 
All other modules should be using our customized version so
the rename should be ok: only trustroot module needs a single
"import as" shenanigan.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
@jku jku force-pushed the trust-root-refactor branch from 2c23aa8 to a314bbc Compare January 3, 2024 14:31
@jku jku marked this pull request as ready for review January 3, 2024 14:46
@woodruffw
Copy link
Member

Reviewing now!

@jku: mind doing an update/rebase? I'd do it myself, but that then causes problems with the number of required approvers.

jku
jku commented Jan 3, 2024
View reviewed changes
woodruffw
woodruffw approved these changes Jan 3, 2024
View reviewed changes
Copy link
Member

@woodruffw woodruffw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@jku feel free to merge unless you'd like to address #844 (comment) in this PR; I'm fine either way 🙂

@jku jku merged commit 2835883 into sigstore:main Jan 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@woodruffw woodruffw woodruffw approved these changes

Assignees
No one assigned
Labels
component:tuf TUF related components enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jku @woodruffw