Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cleanup for TUF code #1935

Open
znewman01 opened this issue May 31, 2022 · 12 comments · Fixed by #1953
Open

Cleanup for TUF code #1935

znewman01 opened this issue May 31, 2022 · 12 comments · Fixed by #1953
Labels
bug Something isn't working

Comments

@znewman01
Copy link
Contributor

To fix #1899 @asraa submitted #1921. @vaikas stepped in to help with tests and adapted it to #1932. This appears to fix the bug, and I approved it because this has been blocking the Cosign release for more than a week (the new release contains #1894 which we should get out ASAP).

But #1921 contains some good suggestions for cleaning up that code; we should definitely do a bunch of them. It's important that this code be clear and testable.

CC @haydentherapper

@znewman01 znewman01 added the bug Something isn't working label May 31, 2022
@vaikas
Copy link
Contributor

vaikas commented May 31, 2022

FYI, just to make sure you're aware, but there's this PR moving much of the code sigstore/sigstore:
sigstore/sigstore#435

@asraa
Copy link
Contributor

asraa commented May 31, 2022

@asraa
Copy link
Contributor

asraa commented May 31, 2022

Another one: testing verification failure and TUF object closure #1932 (comment)

/~https://github.com/sigstore/cosign/runs/6643745610?check_suite_focus=true

  error: failed to create job: admission webhook "policy.sigstore.dev" denied the request: validation failed: failed policy: image-policy-keyless-with-identities: spec.template.spec.containers[0].image
  registry.local:5000/policy-controller/demo@sha256:903d83d6d129a07eda4aa5e39bc59471de598b9e5930acdc217c4184e94fddbd validate signatures with fulcio: no matching signatures:
  unable to fetch Rekor public keys from TUF repository: creating cached local store: resource temporarily unavailable
  + echo Failed to create Job in namespace with matching 'issuer/subject!'
  Failed to create Job in namespace with matching issuer/subject!

This seems to happen after the job rejection, and now currently passes after the ordering was switched, and retrieving the alt key happens before GetRekorPubs. Even if GetRekorPubs fails (as it does in the snippet above), the test passes because the alt key is at least fetched:

fmt.Fprintf(os.Stderr, "**Warning** Failed to fetch Rekor public keys from TUF, using the public key from Rekor API because %s was specified", addRekorPublicKeyFromRekor)

DONE: #1953

@asraa
Copy link
Contributor

asraa commented May 31, 2022

Cleanup GetEmbedded usage, but still keep easy-to-test

#1921 (comment)

@haydentherapper
Copy link
Contributor

I’m going to review 1921 today.

i would prefer we not submit 1932 without more discussion.

@asraa
Copy link
Contributor

asraa commented May 31, 2022

Another one: Cleanup the configurable remote /~https://github.com/sigstore/cosign/pull/1921/files#r882887941

@asraa
Copy link
Contributor

asraa commented May 31, 2022

Load all targets into memory at initialize to save time reading/writing to disk: #1921 (comment)

DONE: #1953

@asraa
Copy link
Contributor

asraa commented Jun 1, 2022

TUF Object concurrency fix: #1941

The leveldb underlying store cannot be used by multiple threads, causing failures where the local cache cannot be accessed. Fix by only creating a writeable DB store when needing to update, and otherwise read-only threadsafe

DONE: #1953

@asraa
Copy link
Contributor

asraa commented Jun 2, 2022

One more: Initialize CheckOpts for verification material with TUF, do not invoke our TUF client inside library functions. This will make it infinitely easier to test.

@znewman01
Copy link
Contributor Author

Asra, thanks for your hard work here, it's looking good 😄

Is this actually closed?

@asraa asraa reopened this Jun 8, 2022
@asraa
Copy link
Contributor

asraa commented Jun 8, 2022

Re-opening, the remaining items are:

  • Cleanup the GetEmbedded and GetRemoteRoot
  • Consolidate the Rekor pub overrides
  • Set RekorPubs in CheckOpts as we do for Fulcio roots so we aren't calling the TUF pkg from other internal packages. Makes cosign as a library more rovust.

@vaikas
Copy link
Contributor

vaikas commented Jan 5, 2023

I think the consolidate Rekor pub overrides has been done as well as 'Set RekorPubs in CheckOpts'.

I'm curious however about the need for this to be a singleton, especially since it is a library, it being a singleton makes some things more interesting. I know there's work going on with TAP-4 in the upstream, but in the meantime, if this were not a singleton, a user could create two instances of the TUF client, and now that the checkopts can be passed the keys independent of the TUF (TUF fetches, they are then passed to CheckOpts), I can't think of a reason for this being a singleton, but wouldn't be the first time I'm wrong :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants