From d86f5196b05988098dbb40ba90177ef57f6e6c50 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Mar 2024 19:11:24 +0000 Subject: [PATCH 01/25] chore(deps): Update base64 requirement from 0.21.0 to 0.22.0 Updates the requirements on [base64](https://github.com/marshallpierce/rust-base64) to permit the latest version. - [Changelog](https://github.com/marshallpierce/rust-base64/blob/master/RELEASE-NOTES.md) - [Commits](https://github.com/marshallpierce/rust-base64/compare/v0.21.0...v0.22.0) --- updated-dependencies: - dependency-name: base64 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index d401720339..075d9c1186 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -71,7 +71,7 @@ cached-client = ["cached"] [dependencies] async-trait = "0.1.52" -base64 = "0.21.0" +base64 = "0.22.0" cached = { version = "0.49.2", optional = true, features = ["async"] } cfg-if = "1.0.0" chrono = { version = "0.4.27", default-features = false, features = ["serde"] } From 950f134a599df2a582cf92e1e8f0c60c09177364 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Mon, 11 Mar 2024 09:47:20 +0800 Subject: [PATCH 02/25] lint: fix lint error of chrono and tokio Signed-off-by: Xynnn007 --- Cargo.toml | 1 + src/cosign/signature_layers.rs | 14 +++++-- .../certificate_verifier.rs | 10 +++-- src/crypto/certificate.rs | 37 +++++++++++++------ src/crypto/mod.rs | 10 +++-- 5 files changed, 50 insertions(+), 22 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index d401720339..177942b048 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -138,6 +138,7 @@ rstest = "0.18.1" serial_test = "3.0.0" tempfile = "3.3.0" testcontainers = "0.15" +tokio = { version = "1.17.0", features = ["rt", "rt-multi-thread"] } tracing-subscriber = { version = "0.3.9", features = ["env-filter"] } # cosign example mappings 
diff --git a/src/cosign/signature_layers.rs b/src/cosign/signature_layers.rs index 9934d36f08..8e6cce177f 100644 --- a/src/cosign/signature_layers.rs +++ b/src/cosign/signature_layers.rs @@ -876,7 +876,7 @@ JsB89BPhZYch0U0hKANx5TY+ncrm0s8bfJxxHoenAEFhwhuXeb4PqIrtoQ== use crate::cosign::bundle::Payload; use crate::crypto::tests::{generate_certificate, CertGenerationOptions}; use crate::crypto::SigningScheme; - use chrono::{Duration, Utc}; + use chrono::{TimeDelta, Utc}; impl TryFrom for crate::registry::Certificate { type Error = anyhow::Error; @@ -908,7 +908,9 @@ JsB89BPhZYch0U0hKANx5TY+ncrm0s8bfJxxHoenAEFhwhuXeb4PqIrtoQ== .try_into()?]; let cert_pool = CertificatePool::from_certificates(certs, []).unwrap(); - let integrated_time = Utc::now().checked_sub_signed(Duration::minutes(1)).unwrap(); + let integrated_time = Utc::now() + .checked_sub_signed(TimeDelta::try_minutes(1).unwrap()) + .unwrap(); let bundle = Bundle { signed_entry_timestamp: "not relevant".to_string(), payload: Payload { @@ -957,7 +959,9 @@ JsB89BPhZYch0U0hKANx5TY+ncrm0s8bfJxxHoenAEFhwhuXeb4PqIrtoQ== .try_into()?]; let cert_pool = CertificatePool::from_certificates(certs, []).unwrap(); - let integrated_time = Utc::now().checked_sub_signed(Duration::minutes(1)).unwrap(); + let integrated_time = Utc::now() + .checked_sub_signed(TimeDelta::try_minutes(1).unwrap()) + .unwrap(); let bundle = Bundle { signed_entry_timestamp: "not relevant".to_string(), payload: Payload { @@ -1005,7 +1009,9 @@ JsB89BPhZYch0U0hKANx5TY+ncrm0s8bfJxxHoenAEFhwhuXeb4PqIrtoQ== .try_into()?]; let cert_pool = CertificatePool::from_certificates(certs, []).unwrap(); - let integrated_time = Utc::now().checked_sub_signed(Duration::minutes(1)).unwrap(); + let integrated_time = Utc::now() + .checked_sub_signed(TimeDelta::try_minutes(1).unwrap()) + .unwrap(); let bundle = Bundle { signed_entry_timestamp: "not relevant".to_string(), payload: Payload { 
diff --git a/src/cosign/verification_constraint/certificate_verifier.rs b/src/cosign/verification_constraint/certificate_verifier.rs index 78d17f857c..7370836594 100644 --- a/src/cosign/verification_constraint/certificate_verifier.rs +++ b/src/cosign/verification_constraint/certificate_verifier.rs @@ -1,4 +1,4 @@ -use chrono::{DateTime, NaiveDateTime, Utc}; +use chrono::{DateTime, Utc}; use pkcs8::der::Decode; use std::convert::TryFrom; use tracing::warn; @@ -89,9 +89,11 @@ impl VerificationConstraint for CertificateVerifier { match &signature_layer.bundle { Some(bundle) => { let it = DateTime::::from_naive_utc_and_offset( - NaiveDateTime::from_timestamp_opt(bundle.payload.integrated_time, 0).ok_or( - SigstoreError::UnexpectedError("timestamp is not legal".into()), - )?, + DateTime::from_timestamp(bundle.payload.integrated_time, 0) + .ok_or(SigstoreError::UnexpectedError( + "timestamp is not legal".into(), + ))? + .naive_utc(), Utc, ); let not_before: DateTime = diff --git a/src/crypto/certificate.rs b/src/crypto/certificate.rs index 943df12923..c7c14e99f3 100644 --- a/src/crypto/certificate.rs +++ b/src/crypto/certificate.rs @@ -13,7 +13,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -use chrono::{DateTime, NaiveDateTime, Utc}; +use chrono::{DateTime, Utc}; use const_oid::db::rfc5912::ID_KP_CODE_SIGNING; use x509_cert::{ ext::pkix::{ExtendedKeyUsage, KeyUsage, KeyUsages, SubjectAltName}, 
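Review bot: In the `Some(bundle)` arm of `certificate_verifier.rs` (hunk `@@ -89,9 +89,11 @@`) the new expression builds a `DateTime<Utc>` with `DateTime::from_timestamp`, strips it to a naive value with `.naive_utc()`, and then rebuilds the same `DateTime<Utc>` through `from_naive_utc_and_offset`; `from_timestamp` already returns `Option<DateTime<Utc>>`, so the round trip adds nothing. `let it = DateTime::from_timestamp(bundle.payload.integrated_time, 0).ok_or_else(|| SigstoreError::UnexpectedError("timestamp is not legal".into()))?;` is equivalent, and `ok_or_else` builds the error string only on failure. The same construction appears in `verify_expiration` in `src/crypto/certificate.rs` (hunk `@@ -92,8 +92,9 @@`), which reports `X509Error` for the identical condition. Since `integrated_time` appears to be the instant the certificate validity window is checked against, a single shared conversion helper would keep the two checks from drifting apart. The match arm continues outside the hunk.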
@@ -92,8 +92,9 @@ pub(crate) fn verify_validity(certificate: &Certificate) -> Result<()> { fn verify_expiration(certificate: &Certificate, integrated_time: i64) -> Result<()> { let it = DateTime::::from_naive_utc_and_offset( - NaiveDateTime::from_timestamp_opt(integrated_time, 0) - .ok_or(SigstoreError::X509Error("timestamp is not legal".into()))?, + DateTime::from_timestamp(integrated_time, 0) + .ok_or(SigstoreError::X509Error("timestamp is not legal".into()))? + .naive_utc(), Utc, ); let validity = &certificate.tbs_certificate.validity; @@ -125,7 +126,7 @@ mod tests { use super::*; use crate::crypto::tests::*; - use chrono::{Duration, Utc}; + use chrono::{TimeDelta, Utc}; use x509_cert::der::Decode; #[test] @@ -238,8 +239,12 @@ mod tests { let issued_cert = generate_certificate( Some(&ca_data), CertGenerationOptions { - not_before: Utc::now().checked_add_signed(Duration::days(5)).unwrap(), - not_after: Utc::now().checked_add_signed(Duration::days(6)).unwrap(), + not_before: Utc::now() + .checked_add_signed(TimeDelta::try_days(5).unwrap()) + .unwrap(), + not_after: Utc::now() + .checked_add_signed(TimeDelta::try_days(6).unwrap()) + .unwrap(), ..Default::default() }, )?; @@ -266,8 +271,12 @@ mod tests { let issued_cert = generate_certificate( Some(&ca_data), CertGenerationOptions { - not_before: Utc::now().checked_sub_signed(Duration::days(1)).unwrap(), - not_after: Utc::now().checked_add_signed(Duration::days(1)).unwrap(), + not_before: Utc::now() + .checked_sub_signed(TimeDelta::try_days(1).unwrap()) + .unwrap(), + not_after: Utc::now() + .checked_add_signed(TimeDelta::try_days(1).unwrap()) + .unwrap(), ..Default::default() }, )?; 
@@ -284,13 +293,19 @@ mod tests { fn verify_cert_expiration_failure() -> anyhow::Result<()> { let ca_data = generate_certificate(None, CertGenerationOptions::default())?; - let integrated_time = Utc::now().checked_add_signed(Duration::days(5)).unwrap(); + let integrated_time = Utc::now() + .checked_add_signed(TimeDelta::try_days(5).unwrap()) + .unwrap(); let issued_cert = generate_certificate( Some(&ca_data), CertGenerationOptions { - not_before: Utc::now().checked_sub_signed(Duration::days(1)).unwrap(), - not_after: Utc::now().checked_add_signed(Duration::days(1)).unwrap(), + not_before: Utc::now() + .checked_sub_signed(TimeDelta::try_days(1).unwrap()) + .unwrap(), + not_after: Utc::now() + .checked_add_signed(TimeDelta::try_days(1).unwrap()) + .unwrap(), ..Default::default() }, )?; diff --git a/src/crypto/mod.rs b/src/crypto/mod.rs index c8a35e22bf..3db1461c7f 100644 --- a/src/crypto/mod.rs +++ b/src/crypto/mod.rs @@ -190,7 +190,7 @@ pub mod signing_key; #[cfg(test)] pub(crate) mod tests { - use chrono::{DateTime, Duration, Utc}; + use chrono::{DateTime, TimeDelta, Utc}; use openssl::asn1::{Asn1Integer, Asn1Time}; use openssl::bn::{BigNum, MsbOption}; use openssl::conf::{Conf, ConfMethod}; @@ -231,8 +231,12 @@ OSWS1X9vPavpiQOoTTGC0xX57OojUadxF1cdQmrsiReWg2Wn4FneJfa8xw== impl Default for CertGenerationOptions { fn default() -> Self { - let not_before = Utc::now().checked_sub_signed(Duration::days(1)).unwrap(); - let not_after = Utc::now().checked_add_signed(Duration::days(1)).unwrap(); + let not_before = Utc::now() + .checked_sub_signed(TimeDelta::try_days(1).unwrap()) + .unwrap(); + let not_after = Utc::now() + .checked_add_signed(TimeDelta::try_days(1).unwrap()) + .unwrap(); // Sigstore relies on NIST P-256 // NIST P-256 is a Weierstrass curve specified in FIPS 186-4: Digital Signature Standard (DSS): From aa112d68f250d1f34ad83d0410c0d10940721978 Mon Sep 17 00:00:00 2001 
From: Tanner Gill Date: Mon, 26 Feb 2024 13:19:25 -0800 Subject: [PATCH 03/25] Moved the Repository trait and the ManualRepository struct out of 'tuf' feature flag: 'tuf' lacks support for wasm due to its dependencies. Signed-off-by: Tanner Gill --- Cargo.toml | 5 ++-- examples/cosign/verify/main.rs | 6 ++--- src/cosign/client_builder.rs | 2 +- src/lib.rs | 7 ++++-- src/repository/mod.rs | 46 ++++++++++++++++++++++++++++++++++ src/tuf/mod.rs | 32 +---------------------- 6 files changed, 59 insertions(+), 39 deletions(-) create mode 100644 src/repository/mod.rs diff --git a/Cargo.toml b/Cargo.toml index 369f531a75..9061960cb6 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -40,7 +40,8 @@ rekor-native-tls = ["reqwest/native-tls", "rekor"] rekor-rustls-tls = ["reqwest/rustls-tls", "rekor"] rekor = ["reqwest"] -tuf = ["tough", "regex"] +repository = [] +tuf = ["tough", "regex", "repository"] sign = [] @@ -56,7 +57,7 @@ cosign-rustls-tls = [ "cosign", "registry-rustls-tls", ] -cosign = [] +cosign = ["repository"] cert = [] registry-native-tls = ["oci-distribution/native-tls", "registry"] diff --git a/examples/cosign/verify/main.rs b/examples/cosign/verify/main.rs index fc687ba627..85be22b89c 100644 --- a/examples/cosign/verify/main.rs +++ b/examples/cosign/verify/main.rs @@ -110,7 +110,7 @@ struct Cli { async fn run_app( cli: &Cli, - frd: &dyn sigstore::tuf::Repository, + frd: &dyn sigstore::repository::Repository, ) -> anyhow::Result<(Vec, VerificationConstraintVec)> { // Note well: this a limitation deliberately introduced by this example. if cli.cert_email.is_some() && cli.cert_url.is_some() { @@ -228,7 +228,7 @@ async fn run_app( Ok((trusted_layers, verification_constraints)) } -async fn fulcio_and_rekor_data(cli: &Cli) -> anyhow::Result> { +async fn fulcio_and_rekor_data(cli: &Cli) -> anyhow::Result> { if cli.use_sigstore_tuf_data { let repo: sigstore::errors::Result = spawn_blocking(|| { info!("Downloading data from Sigstore TUF repository"); 
@@ -240,7 +240,7 @@ async fn fulcio_and_rekor_data(cli: &Cli) -> anyhow::Result crate::errors::Result>; + fn rekor_keys(&self) -> crate::errors::Result>; +} + +/// A `ManualRepository` is a [Repository] with out-of-band trust materials. +/// As it does not establish a trust root with TUF, users must initialize its materials themselves. +#[derive(Debug, Default)] +pub struct ManualRepository<'a> { + pub fulcio_certs: Option>>, + pub rekor_key: Option>, +} + +impl Repository for ManualRepository<'_> { + fn fulcio_certs(&self) -> crate::errors::Result> { + Ok(match &self.fulcio_certs { + Some(certs) => certs.clone(), + None => Vec::new(), + }) + } + + fn rekor_keys(&self) -> crate::errors::Result> { + Ok(match &self.rekor_key { + Some(key) => vec![&key[..]], + None => Vec::new(), + }) + } +} \ No newline at end of file diff --git a/src/tuf/mod.rs b/src/tuf/mod.rs index e695cc5044..9f3d52ceb6 100644 --- a/src/tuf/mod.rs +++ b/src/tuf/mod.rs 
@@ -49,36 +49,6 @@ use self::trustroot::{CertificateAuthority, TimeRange, TransparencyLogInstance, use super::errors::{Result, SigstoreError}; -/// A `Repository` owns all key material necessary for establishing a root of trust. -pub trait Repository { - fn fulcio_certs(&self) -> Result>; - fn rekor_keys(&self) -> Result>; -} - -/// A `ManualRepository` is a [Repository] with out-of-band trust materials. -/// As it does not establish a trust root with TUF, users must initialize its materials themselves. -#[derive(Debug, Default)] -pub struct ManualRepository<'a> { - pub fulcio_certs: Option>>, - pub rekor_key: Option>, -} - -impl Repository for ManualRepository<'_> { - fn fulcio_certs(&self) -> Result> { - Ok(match &self.fulcio_certs { - Some(certs) => certs.clone(), - None => Vec::new(), - }) - } - - fn rekor_keys(&self) -> Result> { - Ok(match &self.rekor_key { - Some(key) => vec![&key[..]], - None => Vec::new(), - }) - } -} - /// Securely fetches Rekor public key and Fulcio certificates from Sigstore's TUF repository. #[derive(Debug)] pub struct SigstoreRepository { @@ -177,7 +147,7 @@ impl SigstoreRepository { } } -impl Repository for SigstoreRepository { +impl crate::repository::Repository for SigstoreRepository { /// Fetch Fulcio certificates from the given TUF repository or reuse /// the local cache if its contents are not outdated. /// From 66dc4dff8e809c82884d6b2e385d8e277d69e6e6 Mon Sep 17 00:00:00 2001 From: Tanner Gill Date: Mon, 26 Feb 2024 13:20:12 -0800 Subject: [PATCH 04/25] Re-exported Repository trait and ManualRepository struct out of 'tuf' mod to preserve backwards compatibility. Signed-off-by: Tanner Gill --- src/lib.rs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/lib.rs b/src/lib.rs index e7881173a9..bb6e7417e6 100644 --- a/src/lib.rs +++ b/src/lib.rs 
@@ -259,6 +259,8 @@ #![forbid(unsafe_code)] #![warn(clippy::unwrap_used, clippy::panic)] +pub use repository::{Repository, ManualRepository}; + pub mod crypto; #[cfg(feature = "mock-client")] From 860465b02e841ae7d6644b1e3bc1db56e46feee4 Mon Sep 17 00:00:00 2001 From: Tanner Gill Date: Tue, 27 Feb 2024 09:02:55 -0800 Subject: [PATCH 05/25] Corrected previous commit: had previously re-exported from the wrong place. Signed-off-by: Tanner Gill --- src/lib.rs | 2 -- src/tuf/mod.rs | 2 ++ 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/lib.rs b/src/lib.rs index bb6e7417e6..e7881173a9 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -259,8 +259,6 @@ #![forbid(unsafe_code)] #![warn(clippy::unwrap_used, clippy::panic)] -pub use repository::{Repository, ManualRepository}; - pub mod crypto; #[cfg(feature = "mock-client")] diff --git a/src/tuf/mod.rs b/src/tuf/mod.rs index 9f3d52ceb6..1e9101fd21 100644 --- a/src/tuf/mod.rs +++ b/src/tuf/mod.rs @@ -49,6 +49,8 @@ use self::trustroot::{CertificateAuthority, TimeRange, TransparencyLogInstance, use super::errors::{Result, SigstoreError}; +pub use crate::repository::{Repository, ManualRepository}; + /// Securely fetches Rekor public key and Fulcio certificates from Sigstore's TUF repository. #[derive(Debug)] pub struct SigstoreRepository { From c2ba30e4b1e7b211561f9e8a2ce11032c5fa1706 Mon Sep 17 00:00:00 2001 From: Tanner Gill Date: Tue, 27 Feb 2024 09:04:18 -0800 Subject: [PATCH 06/25] Corrected copyright date: 2021 -> 2024 Signed-off-by: Tanner Gill --- src/repository/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/repository/mod.rs b/src/repository/mod.rs index da69270625..518c831e1b 100644 --- a/src/repository/mod.rs +++ b/src/repository/mod.rs @@ -1,5 +1,5 @@ // -// Copyright 2021 The Sigstore Authors. +// Copyright 2024 The Sigstore Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
From 57f7bd2370b5f3a5b34e1899098d88cb3dd80d86 Mon Sep 17 00:00:00 2001 From: Tanner Gill Date: Tue, 27 Feb 2024 09:08:18 -0800 Subject: [PATCH 07/25] Removed 'repository' feature flag: 'repository' modual is no longer hidden behind a feature flag. Signed-off-by: Tanner Gill --- Cargo.toml | 5 ++--- src/lib.rs | 6 ++---- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 9061960cb6..369f531a75 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -40,8 +40,7 @@ rekor-native-tls = ["reqwest/native-tls", "rekor"] rekor-rustls-tls = ["reqwest/rustls-tls", "rekor"] rekor = ["reqwest"] -repository = [] -tuf = ["tough", "regex", "repository"] +tuf = ["tough", "regex"] sign = [] @@ -57,7 +56,7 @@ cosign-rustls-tls = [ "cosign", "registry-rustls-tls", ] -cosign = ["repository"] +cosign = [] cert = [] registry-native-tls = ["oci-distribution/native-tls", "registry"] diff --git a/src/lib.rs b/src/lib.rs index e7881173a9..e8b9a6ab9a 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -260,6 +260,7 @@ #![warn(clippy::unwrap_used, clippy::panic)] pub mod crypto; +pub mod repository; #[cfg(feature = "mock-client")] mod mock_client; @@ -281,10 +282,7 @@ pub mod registry; #[cfg(feature = "rekor")] pub mod rekor; -#[cfg(feature = "repository")] -pub mod repository; - -#[cfg(all(feature = "tuf", feature = "repository"))] +#[cfg(all(feature = "tuf"))] pub mod tuf; // Don't export yet -- these types should only be useful internally. From e737da2394d146e0860faf84722843de329ac5f4 Mon Sep 17 00:00:00 2001 From: Tanner Gill Date: Tue, 27 Feb 2024 09:10:12 -0800 Subject: [PATCH 08/25] Renamed 'tuf' feature flag to 'sigstore-repository' Signed-off-by: Tanner Gill --- Cargo.toml | 4 ++-- src/errors.rs | 2 +- src/lib.rs | 2 +- src/rekor/models/proposed_entry.rs | 2 +- src/rekor/models/search_index_public_key.rs | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 369f531a75..f4fc1a4c10 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -9,7 +9,7 @@ readme = "README.md" repository = "https://github.com/sigstore/sigstore-rs" [features] -default = ["full-native-tls", "cached-client", "tuf", "sign"] +default = ["full-native-tls", "cached-client", "sigstore-repository", "sign"] wasm = ["getrandom/js"] full-native-tls = [ @@ -40,7 +40,7 @@ rekor-native-tls = ["reqwest/native-tls", "rekor"] rekor-rustls-tls = ["reqwest/rustls-tls", "rekor"] rekor = ["reqwest"] -tuf = ["tough", "regex"] +sigstore-repository = ["tough", "regex"] sign = [] diff --git a/src/errors.rs b/src/errors.rs index 22b87e95cb..fdc9c7e03f 100644 --- a/src/errors.rs +++ b/src/errors.rs @@ -161,7 +161,7 @@ pub enum SigstoreError { #[error("No Signature Layer passed verification")] SigstoreNoVerifiedLayer, - #[cfg(feature = "tuf")] + #[cfg(feature = "sigstore-repository")] #[error(transparent)] TufError(#[from] Box), diff --git a/src/lib.rs b/src/lib.rs index e8b9a6ab9a..e09b90146d 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -282,7 +282,7 @@ pub mod registry; #[cfg(feature = "rekor")] pub mod rekor; -#[cfg(all(feature = "tuf"))] +#[cfg(all(feature = "sigstore-repository"))] pub mod tuf; // Don't export yet -- these types should only be useful internally. diff --git a/src/rekor/models/proposed_entry.rs b/src/rekor/models/proposed_entry.rs index a395d49209..5d587b5c0b 100644 --- a/src/rekor/models/proposed_entry.rs +++ b/src/rekor/models/proposed_entry.rs @@ -68,7 +68,7 @@ pub enum ProposedEntry { #[serde(rename = "spec")] spec: serde_json::Value, }, - #[serde(rename = "tuf")] + #[serde(rename = "sigstore-repository")] Tuf { #[serde(rename = "apiVersion")] api_version: String, diff --git a/src/rekor/models/search_index_public_key.rs b/src/rekor/models/search_index_public_key.rs index 7f2fb3a038..06ddcc2ecd 100644 --- a/src/rekor/models/search_index_public_key.rs +++ b/src/rekor/models/search_index_public_key.rs 
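Review bot: The `#[serde(rename = "tuf")]` attribute on `ProposedEntry::Tuf` (hunk `@@ -68,7 +68,7 @@` in `src/rekor/models/proposed_entry.rs`) is a serialized tag, not a reference to the Cargo feature, so changing it to `"sigstore-repository"` alters what this variant serializes to and which input it accepts. That string is presumably the entry kind the Rekor API expects, in which case entries of this kind would stop round-tripping after the rename. The same substitution is made on `Format::Tuf` in `src/rekor/models/search_index_public_key.rs`. Both attributes should stay `#[serde(rename = "tuf")]`, with the rename limited to `Cargo.toml` and the `#[cfg(feature = ...)]` gates; PATCH 09/25 reverts the whole commit, and a test that pins the serialized tag would catch a repeat.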
@@ -41,7 +41,7 @@ pub enum Format { Minisign, #[serde(rename = "ssh")] Ssh, - #[serde(rename = "tuf")] + #[serde(rename = "sigstore-repository")] Tuf, } From 912f733f729c736470759d9aaaacb0f247cc9e50 Mon Sep 17 00:00:00 2001 From: Tanner Gill Date: Wed, 28 Feb 2024 09:13:07 -0800 Subject: [PATCH 09/25] Revert "Renamed 'tuf' feature flag to 'sigstore-repository'" This reverts commit 1e6a059f69d80bf7cd4f34105e40c294f937b9f0. Signed-off-by: Tanner Gill --- Cargo.toml | 4 ++-- src/errors.rs | 2 +- src/lib.rs | 2 +- src/rekor/models/proposed_entry.rs | 2 +- src/rekor/models/search_index_public_key.rs | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index f4fc1a4c10..369f531a75 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -9,7 +9,7 @@ readme = "README.md" repository = "https://github.com/sigstore/sigstore-rs" [features] -default = ["full-native-tls", "cached-client", "sigstore-repository", "sign"] +default = ["full-native-tls", "cached-client", "tuf", "sign"] wasm = ["getrandom/js"] full-native-tls = [ @@ -40,7 +40,7 @@ rekor-native-tls = ["reqwest/native-tls", "rekor"] rekor-rustls-tls = ["reqwest/rustls-tls", "rekor"] rekor = ["reqwest"] -sigstore-repository = ["tough", "regex"] +tuf = ["tough", "regex"] sign = [] diff --git a/src/errors.rs b/src/errors.rs index fdc9c7e03f..22b87e95cb 100644 --- a/src/errors.rs +++ b/src/errors.rs @@ -161,7 +161,7 @@ pub enum SigstoreError { #[error("No Signature Layer passed verification")] SigstoreNoVerifiedLayer, - #[cfg(feature = "sigstore-repository")] + #[cfg(feature = "tuf")] #[error(transparent)] TufError(#[from] Box), diff --git a/src/lib.rs b/src/lib.rs index e09b90146d..e8b9a6ab9a 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -282,7 +282,7 @@ pub mod registry; #[cfg(feature = "rekor")] pub mod rekor; -#[cfg(all(feature = "sigstore-repository"))] +#[cfg(all(feature = "tuf"))] pub mod tuf; // Don't export yet -- these types should only be useful internally. 
diff --git a/src/rekor/models/proposed_entry.rs b/src/rekor/models/proposed_entry.rs index 5d587b5c0b..a395d49209 100644 --- a/src/rekor/models/proposed_entry.rs +++ b/src/rekor/models/proposed_entry.rs @@ -68,7 +68,7 @@ pub enum ProposedEntry { #[serde(rename = "spec")] spec: serde_json::Value, }, - #[serde(rename = "sigstore-repository")] + #[serde(rename = "tuf")] Tuf { #[serde(rename = "apiVersion")] api_version: String, diff --git a/src/rekor/models/search_index_public_key.rs b/src/rekor/models/search_index_public_key.rs index 06ddcc2ecd..7f2fb3a038 100644 --- a/src/rekor/models/search_index_public_key.rs +++ b/src/rekor/models/search_index_public_key.rs @@ -41,7 +41,7 @@ pub enum Format { Minisign, #[serde(rename = "ssh")] Ssh, - #[serde(rename = "sigstore-repository")] + #[serde(rename = "tuf")] Tuf, } From 445f295a94a1f1da25c2fd07306d9ac08b5cb0b3 Mon Sep 17 00:00:00 2001 From: Tanner Gill Date: Wed, 28 Feb 2024 09:18:33 -0800 Subject: [PATCH 10/25] Renamed 'repository' modual to 'repo' Signed-off-by: Tanner Gill --- examples/cosign/verify/main.rs | 6 +++--- src/cosign/client_builder.rs | 2 +- src/lib.rs | 4 ++-- src/{repository => repo}/mod.rs | 0 src/tuf/mod.rs | 4 ++-- 5 files changed, 8 insertions(+), 8 deletions(-) rename src/{repository => repo}/mod.rs (100%) diff --git a/examples/cosign/verify/main.rs b/examples/cosign/verify/main.rs index 85be22b89c..6b09c8eed3 100644 --- a/examples/cosign/verify/main.rs +++ b/examples/cosign/verify/main.rs @@ -110,7 +110,7 @@ struct Cli { async fn run_app( cli: &Cli, - frd: &dyn sigstore::repository::Repository, + frd: &dyn sigstore::repo::Repository, ) -> anyhow::Result<(Vec, VerificationConstraintVec)> { // Note well: this a limitation deliberately introduced by this example. if cli.cert_email.is_some() && cli.cert_url.is_some() { 
@@ -228,7 +228,7 @@ async fn run_app( Ok((trusted_layers, verification_constraints)) } -async fn fulcio_and_rekor_data(cli: &Cli) -> anyhow::Result> { +async fn fulcio_and_rekor_data(cli: &Cli) -> anyhow::Result> { if cli.use_sigstore_tuf_data { let repo: sigstore::errors::Result = spawn_blocking(|| { info!("Downloading data from Sigstore TUF repository"); @@ -240,7 +240,7 @@ async fn fulcio_and_rekor_data(cli: &Cli) -> anyhow::Result Date: Wed, 28 Feb 2024 09:20:01 -0800 Subject: [PATCH 11/25] Removed left over 'all' cfg attr, left behind from a revert. Signed-off-by: Tanner Gill --- src/lib.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib.rs b/src/lib.rs index 7b61377181..c7a83062a6 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -282,7 +282,7 @@ pub mod registry; #[cfg(feature = "rekor")] pub mod rekor; -#[cfg(all(feature = "tuf"))] +#[cfg(feature = "tuf")] pub mod tuf; // Don't export yet -- these types should only be useful internally. From d492e861874515c503e22cff3e19a1b3fc097c12 Mon Sep 17 00:00:00 2001 From: Tanner Gill Date: Fri, 1 Mar 2024 10:23:34 -0800 Subject: [PATCH 12/25] Ran cargo fmt: set up Rust Rover recently and negelected to enable that on save. Signed-off-by: Tanner Gill --- src/repo/mod.rs | 2 +- src/tuf/mod.rs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/repo/mod.rs b/src/repo/mod.rs index 518c831e1b..ea8ba3b784 100644 --- a/src/repo/mod.rs +++ b/src/repo/mod.rs @@ -43,4 +43,4 @@ impl Repository for ManualRepository<'_> { None => Vec::new(), }) } -} \ No newline at end of file +} diff --git a/src/tuf/mod.rs b/src/tuf/mod.rs index bc67f1e735..b40de77018 100644 --- a/src/tuf/mod.rs +++ b/src/tuf/mod.rs 
@@ -49,7 +49,7 @@ use self::trustroot::{CertificateAuthority, TimeRange, TransparencyLogInstance, use super::errors::{Result, SigstoreError}; -pub use crate::repo::{Repository, ManualRepository}; +pub use crate::repo::{ManualRepository, Repository}; /// Securely fetches Rekor public key and Fulcio certificates from Sigstore's TUF repository. #[derive(Debug)] From 07973b26a814c63e01b9ca502c75a1acc6eb8bc6 Mon Sep 17 00:00:00 2001 From: Tanner Gill Date: Fri, 1 Mar 2024 12:55:56 -0800 Subject: [PATCH 13/25] Renames: mod repo -> mod trust. trait Repository -> trait TrustRoot. struct ManualRepository -> ManualTrustRoot. Signed-off-by: Tanner Gill --- examples/cosign/verify/main.rs | 2 +- src/cosign/client_builder.rs | 10 +++++----- src/cosign/mod.rs | 4 ++-- src/lib.rs | 6 +++--- src/{repo => trust}/mod.rs | 10 +++++----- src/tuf/mod.rs | 6 +++--- 6 files changed, 19 insertions(+), 19 deletions(-) rename src/{repo => trust}/mod.rs (84%) diff --git a/examples/cosign/verify/main.rs b/examples/cosign/verify/main.rs index 6b09c8eed3..939c6f35b7 100644 --- a/examples/cosign/verify/main.rs +++ b/examples/cosign/verify/main.rs @@ -240,7 +240,7 @@ async fn fulcio_and_rekor_data(cli: &Cli) -> anyhow::Result Note well: the [`tuf`](crate::tuf) module provides helper structs and methods /// > to obtain this data from the official TUF repository of the Sigstore project. @@ -36,7 +36,7 @@ use crate::repo::Repository; /// ## Fulcio integration /// /// Fulcio integration can be enabled by specifying Fulcio's certificate. -/// This can be provided via a [`crate::tuf::ManualRepository`]. +/// This can be provided via a [`crate::tuf::ManualTrustRoot`]. /// /// > Note well: the [`tuf`](crate::tuf) module provides helper structs and methods /// > to obtain this data from the official TUF repository of the Sigstore project. 
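Review bot: The updated doc line in `src/cosign/client_builder.rs` (hunk `@@ -36,7 +36,7 @@`) links to ``[`crate::tuf::ManualTrustRoot`]``, but the type is now defined in `crate::trust` and is reachable under `crate::tuf` only through the re-export in `src/tuf/mod.rs`, which is compiled only with the `tuf` feature. The series moved these types out of `tuf` so they can be used without that feature, and in such a build the intra-doc link would presumably not resolve. Linking to the defining path avoids that: ``/// This can be provided via a [`crate::trust::ManualTrustRoot`].`` The same applies to `[crate::tuf::TrustRoot]` on `with_trust_repository` (hunk `@@ -71,8 +71,8 @@`), to the two bullets in `src/cosign/mod.rs` (hunk `@@ -102,9 +102,9 @@`), and to the `crate::sigstore::ManualTrustRoot` links introduced by PATCH 14/25.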
@@ -71,8 +71,8 @@ impl<'a> ClientBuilder<'a> { /// Optional - Configures the roots of trust. /// /// Enables Fulcio and Rekor integration with the given trust repository. - /// See [crate::tuf::Repository] for more details on trust repositories. - pub fn with_trust_repository(mut self, repo: &'a R) -> Result { + /// See [crate::tuf::TrustRoot] for more details on trust repositories. + pub fn with_trust_repository(mut self, repo: &'a R) -> Result { let rekor_keys = repo.rekor_keys()?; if !rekor_keys.is_empty() { self.rekor_pub_key = Some(rekor_keys[0]); diff --git a/src/cosign/mod.rs b/src/cosign/mod.rs index 03d3c0e52d..ec44fc6724 100644 --- a/src/cosign/mod.rs +++ b/src/cosign/mod.rs @@ -102,9 +102,9 @@ pub trait CosignCapabilities { /// must be satisfied: /// /// * The [`sigstore::cosign::Client`](crate::cosign::client::Client) must - /// have been created with Rekor integration enabled (see [`crate::tuf::ManualRepository`]) + /// have been created with Rekor integration enabled (see [`crate::tuf::ManualTrustRoot`]) /// * The [`sigstore::cosign::Client`](crate::cosign::client::Client) must - /// have been created with Fulcio integration enabled (see [`crate::tuf::ManualRepository]) + /// have been created with Fulcio integration enabled (see [`crate::tuf::ManualTrustRoot]) /// * The layer must include a bundle produced by Rekor /// /// > Note well: the [`tuf`](crate::tuf) module provides helper structs and methods diff --git a/src/lib.rs b/src/lib.rs index c7a83062a6..3891d0b889 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -58,7 +58,7 @@ //! //! Verify the signature of a container image/oci artifact: //! -//! ```rust,no_run +//!```rust,no_run //! use crate::sigstore::cosign::{ //! CosignCapabilities, //! verify_constraints, 
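Review bot: In `src/cosign/mod.rs` (hunk `@@ -102,9 +102,9 @@`) the second bullet's link is written ``[`crate::tuf::ManualTrustRoot]``, with no closing backtick before the bracket. The flaw is carried over from the old line, and as written rustdoc will most likely render it as literal text instead of a link. Since the line is being edited anyway, it can be fixed in the same change: ``have been created with Fulcio integration enabled (see [`crate::trust::ManualTrustRoot`])``. The doc comment continues outside the hunk.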
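Review bot: The opening code fence in the crate-level docs (hunk `@@ -58,7 +58,7 @@` of `src/lib.rs`) lost its leading space and is now ``//!```rust,no_run``, while the surrounding lines keep the `//! ` prefix. This looks like an accidental edit in a rename commit and leaves the example indented inconsistently relative to its fence. Restoring ``//! ```rust,no_run`` keeps the doc block uniform.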
@@ -92,7 +92,7 @@ //! data: fulcio_cert_data //! }; //! -//! let mut repo = sigstore::repo::ManualRepository { +//! let mut repo = sigstore::trust::ManualTrustRoot { //! fulcio_certs: Some(vec![fulcio_cert.try_into().unwrap()]), //! rekor_key: Some(rekor_pub_key), //! ..Default::default() @@ -260,7 +260,7 @@ #![warn(clippy::unwrap_used, clippy::panic)] pub mod crypto; -pub mod repo; +pub mod trust; #[cfg(feature = "mock-client")] mod mock_client; diff --git a/src/repo/mod.rs b/src/trust/mod.rs similarity index 84% rename from src/repo/mod.rs rename to src/trust/mod.rs index ea8ba3b784..61a5504023 100644 --- a/src/repo/mod.rs +++ b/src/trust/mod.rs @@ -15,21 +15,21 @@ use webpki::types::CertificateDer; -/// A `Repository` owns all key material necessary for establishing a root of trust. -pub trait Repository { +/// A `TrustRoot` owns all key material necessary for establishing a root of trust. +pub trait TrustRoot { fn fulcio_certs(&self) -> crate::errors::Result>; fn rekor_keys(&self) -> crate::errors::Result>; } -/// A `ManualRepository` is a [Repository] with out-of-band trust materials. +/// A `ManualTrustRoot` is a [TrustRoot] with out-of-band trust materials. /// As it does not establish a trust root with TUF, users must initialize its materials themselves. #[derive(Debug, Default)] -pub struct ManualRepository<'a> { +pub struct ManualTrustRoot<'a> { pub fulcio_certs: Option>>, pub rekor_key: Option>, } -impl Repository for ManualRepository<'_> { +impl TrustRoot for ManualTrustRoot<'_> { fn fulcio_certs(&self) -> crate::errors::Result> { Ok(match &self.fulcio_certs { Some(certs) => certs.clone(), diff --git a/src/tuf/mod.rs b/src/tuf/mod.rs index b40de77018..70221ae7b7 100644 --- a/src/tuf/mod.rs +++ b/src/tuf/mod.rs 
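Review bot: `TrustRoot::fulcio_certs` and `TrustRoot::rekor_keys` in `src/trust/mod.rs` (hunk `@@ -15,21 +15,21 @@`) are public trait methods with no doc comments. The `ManualTrustRoot` impl returns `Ok(Vec::new())` when a field is `None`, so "no trust material configured" takes the same success path as "material present". I would document that on the trait, e.g. `/// Fulcio certificates to trust; an empty list means none are configured.` and `/// Rekor public keys to trust; an empty list means none are configured.`, and also state the expected encoding of the key bytes, which the hunk does not show. The `with_trust_repository` context in `src/cosign/client_builder.rs` sets `rekor_pub_key` only when the list is non-empty, so a caller passing a default `ManualTrustRoot` appears to get a client without Rekor verification instead of an error; the struct docs should say so. The impl block continues outside the hunk.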
@@ -49,7 +49,7 @@ use self::trustroot::{CertificateAuthority, TimeRange, TransparencyLogInstance, use super::errors::{Result, SigstoreError}; -pub use crate::repo::{ManualRepository, Repository}; +pub use crate::trust::{ManualTrustRoot, TrustRoot}; /// Securely fetches Rekor public key and Fulcio certificates from Sigstore's TUF repository. #[derive(Debug)] @@ -108,7 +108,7 @@ impl SigstoreRepository { /// Prefetches trust materials. /// - /// [Repository::fulcio_certs()] and [Repository::rekor_keys()] on [SigstoreRepository] lazily + /// [TrustRoot::fulcio_certs()] and [TrustRoot::rekor_keys()] on [SigstoreRepository] lazily /// fetches the requested data, which is problematic for async callers. Those callers should /// use this method to fetch the trust root ahead of time. /// @@ -149,7 +149,7 @@ impl SigstoreRepository { } } -impl crate::repo::Repository for SigstoreRepository { +impl crate::trust::TrustRoot for SigstoreRepository { /// Fetch Fulcio certificates from the given TUF repository or reuse /// the local cache if its contents are not outdated. /// From f26aacc389283c9076b755d64ccc799515e9d8f1 Mon Sep 17 00:00:00 2001 From: Tanner Gill Date: Fri, 1 Mar 2024 13:01:43 -0800 Subject: [PATCH 14/25] Renames: mod tuf -> mod sigstore Signed-off-by: Tanner Gill --- examples/cosign/verify/main.rs | 2 +- src/cosign/client_builder.rs | 10 +++++----- src/cosign/mod.rs | 6 +++--- src/lib.rs | 4 ++-- src/{tuf => sigstore}/constants.rs | 0 src/{tuf => sigstore}/mod.rs | 4 ++-- src/{tuf => sigstore}/repository_helper.rs | 0 src/{tuf => sigstore}/trustroot.rs | 0 8 files changed, 13 insertions(+), 13 deletions(-) rename src/{tuf => sigstore}/constants.rs (100%) rename src/{tuf => sigstore}/mod.rs (99%) rename src/{tuf => sigstore}/repository_helper.rs (100%) rename src/{tuf => sigstore}/trustroot.rs (100%) diff --git a/examples/cosign/verify/main.rs b/examples/cosign/verify/main.rs index 939c6f35b7..4cde5287d9 100644 --- a/examples/cosign/verify/main.rs 
+++ b/examples/cosign/verify/main.rs @@ -22,7 +22,7 @@ use sigstore::cosign::{CosignCapabilities, SignatureLayer}; use sigstore::crypto::SigningScheme; use sigstore::errors::SigstoreVerifyConstraintsError; use sigstore::registry::{ClientConfig, ClientProtocol, OciReference}; -use sigstore::tuf::SigstoreRepository; +use sigstore::sigstore::SigstoreRepository; use std::boxed::Box; use std::convert::TryFrom; use std::time::Instant; diff --git a/src/cosign/client_builder.rs b/src/cosign/client_builder.rs index 08cbf8effc..2e7d494082 100644 --- a/src/cosign/client_builder.rs +++ b/src/cosign/client_builder.rs @@ -28,17 +28,17 @@ use crate::trust::TrustRoot; /// ## Rekor integration /// /// Rekor integration can be enabled by specifying Rekor's public key. -/// This can be provided via a [`crate::tuf::ManualTrustRoot`]. +/// This can be provided via a [`crate::sigstore::ManualTrustRoot`]. /// -/// > Note well: the [`tuf`](crate::tuf) module provides helper structs and methods +/// > Note well: the [`sigstore`](crate::sigstore) module provides helper structs and methods /// > to obtain this data from the official TUF repository of the Sigstore project. /// /// ## Fulcio integration /// /// Fulcio integration can be enabled by specifying Fulcio's certificate. -/// This can be provided via a [`crate::tuf::ManualTrustRoot`]. +/// This can be provided via a [`crate::sigstore::ManualTrustRoot`]. /// -/// > Note well: the [`tuf`](crate::tuf) module provides helper structs and methods +/// > Note well: the [`sigstore`](crate::sigstore) module provides helper structs and methods /// > to obtain this data from the official TUF repository of the Sigstore project. /// /// ## Registry caching 
@@ -71,7 +71,7 @@ impl<'a> ClientBuilder<'a> { /// Optional - Configures the roots of trust. /// /// Enables Fulcio and Rekor integration with the given trust repository. - /// See [crate::tuf::TrustRoot] for more details on trust repositories. + /// See [crate::sigstore::TrustRoot] for more details on trust repositories. pub fn with_trust_repository(mut self, repo: &'a R) -> Result { let rekor_keys = repo.rekor_keys()?; if !rekor_keys.is_empty() { diff --git a/src/cosign/mod.rs b/src/cosign/mod.rs index ec44fc6724..4f560b3530 100644 --- a/src/cosign/mod.rs +++ b/src/cosign/mod.rs @@ -102,12 +102,12 @@ pub trait CosignCapabilities { /// must be satisfied: /// /// * The [`sigstore::cosign::Client`](crate::cosign::client::Client) must - /// have been created with Rekor integration enabled (see [`crate::tuf::ManualTrustRoot`]) + /// have been created with Rekor integration enabled (see [`crate::sigstore::ManualTrustRoot`]) /// * The [`sigstore::cosign::Client`](crate::cosign::client::Client) must - /// have been created with Fulcio integration enabled (see [`crate::tuf::ManualTrustRoot]) + /// have been created with Fulcio integration enabled (see [`crate::sigstore::ManualTrustRoot]) /// * The layer must include a bundle produced by Rekor /// - /// > Note well: the [`tuf`](crate::tuf) module provides helper structs and methods + /// > Note well: the [`sigstore`](crate::sigstore) module provides helper structs and methods /// > to obtain this data from the official TUF repository of the Sigstore project. /// /// When the embedded certificate cannot be verified, [`SignatureLayer::certificate_signature`] diff --git a/src/lib.rs b/src/lib.rs index 3891d0b889..34ae6bf6e4 100644 --- a/src/lib.rs +++ b/src/lib.rs 
@@ -228,7 +228,7 @@ //! requires the following data to work: Fulcio's certificate and Rekor's public key. //! //! These files are safely distributed by the Sigstore project via a TUF repository. -//! The [`sigstore::tuf`](crate::tuf) module provides the helper structures to deal +//! The [`sigstore::sigstore`](crate::sigstore) module provides the helper structures to deal //! with it. //! //! # Feature Flags @@ -283,7 +283,7 @@ pub mod registry; pub mod rekor; #[cfg(feature = "tuf")] -pub mod tuf; +pub mod sigstore; // Don't export yet -- these types should only be useful internally. mod bundle; diff --git a/src/tuf/constants.rs b/src/sigstore/constants.rs similarity index 100% rename from src/tuf/constants.rs rename to src/sigstore/constants.rs diff --git a/src/tuf/mod.rs b/src/sigstore/mod.rs similarity index 99% rename from src/tuf/mod.rs rename to src/sigstore/mod.rs index 70221ae7b7..2452c45799 100644 --- a/src/tuf/mod.rs +++ b/src/sigstore/mod.rs @@ -27,7 +27,7 @@ //! method. //! //! ```rust,no_run -//! use sigstore::tuf::SigstoreRepository; +//! use sigstore::sigstore::SigstoreRepository; //! let repo = SigstoreRepository::new(None).unwrap().prefetch().unwrap(); //! ``` use std::{ @@ -114,7 +114,7 @@ impl SigstoreRepository { /// /// ```rust /// # use tokio::task::spawn_blocking; - /// # use sigstore::tuf::SigstoreRepository; + /// # use sigstore::sigstore::SigstoreRepository; /// # use sigstore::errors::Result; /// # #[tokio::main] /// # async fn main() -> std::result::Result<(), anyhow::Error> { diff --git a/src/tuf/repository_helper.rs b/src/sigstore/repository_helper.rs similarity index 100% rename from src/tuf/repository_helper.rs rename to src/sigstore/repository_helper.rs diff --git a/src/tuf/trustroot.rs b/src/sigstore/trustroot.rs similarity index 100% rename from src/tuf/trustroot.rs rename to src/sigstore/trustroot.rs From b07e2c21bfa363d34287d61c321fcf88368ba6c0 Mon Sep 17 00:00:00 2001 
From: Tanner Gill Date: Fri, 1 Mar 2024 13:09:03 -0800 Subject: [PATCH 15/25] Moved: sigstore module (previously tuf module) moved into sub-module of 'trust' Signed-off-by: Tanner Gill --- src/lib.rs | 3 --- src/trust/mod.rs | 3 +++ src/{ => trust}/sigstore/constants.rs | 0 src/{ => trust}/sigstore/mod.rs | 6 +++--- src/{ => trust}/sigstore/repository_helper.rs | 0 src/{ => trust}/sigstore/trustroot.rs | 0 6 files changed, 6 insertions(+), 6 deletions(-) rename src/{ => trust}/sigstore/constants.rs (100%) rename src/{ => trust}/sigstore/mod.rs (98%) rename src/{ => trust}/sigstore/repository_helper.rs (100%) rename src/{ => trust}/sigstore/trustroot.rs (100%) diff --git a/src/lib.rs b/src/lib.rs index 34ae6bf6e4..aca41eb315 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -282,9 +282,6 @@ pub mod registry; #[cfg(feature = "rekor")] pub mod rekor; -#[cfg(feature = "tuf")] -pub mod sigstore; - // Don't export yet -- these types should only be useful internally. mod bundle; pub use bundle::Bundle; diff --git a/src/trust/mod.rs b/src/trust/mod.rs index 61a5504023..66d65d903d 100644 --- a/src/trust/mod.rs +++ b/src/trust/mod.rs @@ -15,6 +15,9 @@ use webpki::types::CertificateDer; +#[cfg(feature = "tuf")] +pub mod sigstore; + /// A `TrustRoot` owns all key material necessary for establishing a root of trust. pub trait TrustRoot { fn fulcio_certs(&self) -> crate::errors::Result>; diff --git a/src/sigstore/constants.rs b/src/trust/sigstore/constants.rs similarity index 100% rename from src/sigstore/constants.rs rename to src/trust/sigstore/constants.rs diff --git a/src/sigstore/mod.rs b/src/trust/sigstore/mod.rs similarity index 98% rename from src/sigstore/mod.rs rename to src/trust/sigstore/mod.rs index 2452c45799..3a7a247c12 100644 --- a/src/sigstore/mod.rs +++ b/src/trust/sigstore/mod.rs 
@@ -27,7 +27,7 @@ //! method. //! //! ```rust,no_run -//! use sigstore::sigstore::SigstoreRepository; +//! use sigstore::trust::sigstore::SigstoreRepository; //! let repo = SigstoreRepository::new(None).unwrap().prefetch().unwrap(); //! ``` use std::{ @@ -47,7 +47,7 @@ use webpki::types::CertificateDer; use self::trustroot::{CertificateAuthority, TimeRange, TransparencyLogInstance, TrustedRoot}; -use super::errors::{Result, SigstoreError}; +use crate::errors::{Result, SigstoreError}; pub use crate::trust::{ManualTrustRoot, TrustRoot}; @@ -114,7 +114,7 @@ impl SigstoreRepository { /// /// ```rust /// # use tokio::task::spawn_blocking; - /// # use sigstore::sigstore::SigstoreRepository; + /// # use sigstore::trust::sigstore::SigstoreRepository; /// # use sigstore::errors::Result; /// # #[tokio::main] /// # async fn main() -> std::result::Result<(), anyhow::Error> { diff --git a/src/sigstore/repository_helper.rs b/src/trust/sigstore/repository_helper.rs similarity index 100% rename from src/sigstore/repository_helper.rs rename to src/trust/sigstore/repository_helper.rs diff --git a/src/sigstore/trustroot.rs b/src/trust/sigstore/trustroot.rs similarity index 100% rename from src/sigstore/trustroot.rs rename to src/trust/sigstore/trustroot.rs From 03643d586d46135cfe945e87a918511b2217e951 Mon Sep 17 00:00:00 2001 From: Tanner Gill Date: Fri, 1 Mar 2024 13:18:11 -0800 Subject: [PATCH 16/25] Renamed impacted types in /examples Signed-off-by: Tanner Gill --- examples/cosign/verify/main.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/examples/cosign/verify/main.rs b/examples/cosign/verify/main.rs index 4cde5287d9..aae38d629d 100644 --- a/examples/cosign/verify/main.rs +++ b/examples/cosign/verify/main.rs 
@@ -22,7 +22,7 @@ use sigstore::cosign::{CosignCapabilities, SignatureLayer}; use sigstore::crypto::SigningScheme; use sigstore::errors::SigstoreVerifyConstraintsError; use sigstore::registry::{ClientConfig, ClientProtocol, OciReference}; -use sigstore::sigstore::SigstoreRepository; +use sigstore::trust::sigstore::SigstoreRepository; use std::boxed::Box; use std::convert::TryFrom; use std::time::Instant; @@ -110,7 +110,7 @@ struct Cli { async fn run_app( cli: &Cli, - frd: &dyn sigstore::repo::Repository, + frd: &dyn sigstore::trust::TrustRoot, ) -> anyhow::Result<(Vec, VerificationConstraintVec)> { // Note well: this a limitation deliberately introduced by this example. if cli.cert_email.is_some() && cli.cert_url.is_some() { @@ -228,7 +228,7 @@ async fn run_app( Ok((trusted_layers, verification_constraints)) } -async fn fulcio_and_rekor_data(cli: &Cli) -> anyhow::Result> { +async fn fulcio_and_rekor_data(cli: &Cli) -> anyhow::Result> { if cli.use_sigstore_tuf_data { let repo: sigstore::errors::Result = spawn_blocking(|| { info!("Downloading data from Sigstore TUF repository"); From 406a5744888751bbe8e287519425661c1b648866 Mon Sep 17 00:00:00 2001 From: Tanner Gill Date: Fri, 1 Mar 2024 13:20:48 -0800 Subject: [PATCH 17/25] Renames: SigstoreRespository -> SigstoreTrustRoot Signed-off-by: Tanner Gill --- examples/cosign/verify/main.rs | 6 +++--- src/trust/sigstore/mod.rs | 22 +++++++++++----------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/examples/cosign/verify/main.rs b/examples/cosign/verify/main.rs index aae38d629d..081decd5f2 100644 --- a/examples/cosign/verify/main.rs +++ b/examples/cosign/verify/main.rs 
@@ -22,7 +22,7 @@ use sigstore::cosign::{CosignCapabilities, SignatureLayer}; use sigstore::crypto::SigningScheme; use sigstore::errors::SigstoreVerifyConstraintsError; use sigstore::registry::{ClientConfig, ClientProtocol, OciReference}; -use sigstore::trust::sigstore::SigstoreRepository; +use sigstore::trust::sigstore::SigstoreTrustRoot; use std::boxed::Box; use std::convert::TryFrom; use std::time::Instant; @@ -230,9 +230,9 @@ async fn run_app( async fn fulcio_and_rekor_data(cli: &Cli) -> anyhow::Result> { if cli.use_sigstore_tuf_data { - let repo: sigstore::errors::Result = spawn_blocking(|| { + let repo: sigstore::errors::Result = spawn_blocking(|| { info!("Downloading data from Sigstore TUF repository"); - SigstoreRepository::new(None)?.prefetch() + SigstoreTrustRoot::new(None)?.prefetch() }) .await .map_err(|e| anyhow!("Error spawning blocking task inside of tokio: {}", e))?; diff --git a/src/trust/sigstore/mod.rs b/src/trust/sigstore/mod.rs index 3a7a247c12..ba25967edb 100644 --- a/src/trust/sigstore/mod.rs +++ b/src/trust/sigstore/mod.rs @@ -15,7 +15,7 @@ //! Helper Structs to interact with the Sigstore TUF repository. //! -//! The main interaction point is [`SigstoreRepository`], which fetches Rekor's +//! The main interaction point is [`SigstoreTrustRoot`], which fetches Rekor's //! public key and Fulcio's certificate. //! //! These can later be given to [`cosign::ClientBuilder`](crate::cosign::ClientBuilder) 
@@ -23,12 +23,12 @@ //! //! # Example //! -//! The `SigstoreRepository` instance can be created via the [`SigstoreRepository::prefetch`] +//! The `SigstoreRootTrust` instance can be created via the [`SigstoreTrustRoot::prefetch`] //! method. //! //! ```rust,no_run -//! use sigstore::trust::sigstore::SigstoreRepository; -//! let repo = SigstoreRepository::new(None).unwrap().prefetch().unwrap(); +//! use sigstore::trust::sigstore::SigstoreTrustRoot; +//! let repo = SigstoreTrustRoot::new(None).unwrap().prefetch().unwrap(); //! ``` use std::{ cell::OnceCell, @@ -53,13 +53,13 @@ pub use crate::trust::{ManualTrustRoot, TrustRoot}; /// Securely fetches Rekor public key and Fulcio certificates from Sigstore's TUF repository. #[derive(Debug)] -pub struct SigstoreRepository { +pub struct SigstoreTrustRoot { repository: tough::Repository, checkout_dir: Option, trusted_root: OnceCell, } -impl SigstoreRepository { +impl SigstoreTrustRoot { /// Constructs a new trust repository established by a [tough::Repository]. pub fn new(checkout_dir: Option<&Path>) -> Result { // These are statically defined and should always parse correctly. 
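Review bot: The module docs added in the `@@ -23,12 +23,12 @@` hunk name the type `SigstoreRootTrust` ("The `SigstoreRootTrust` instance can be created via…"), while the struct this patch introduces is `SigstoreTrustRoot`. The same transposed name is added to the `prefetch` doc example comment ("with the returned `SigstoreRootTrust`"). The later `Renamed SigstoreRootTrust to SigstoreTrustRoot` patch re-adds the module-doc line unchanged and leaves the example comment as context, so both survive to the end of the series. Suggest ``//! The `SigstoreTrustRoot` instance can be created via the [`SigstoreTrustRoot::prefetch`]`` and ``/// // Now, get Fulcio and Rekor trust roots with the returned `SigstoreTrustRoot` ``.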
@@ -108,18 +108,18 @@ impl SigstoreRepository { /// Prefetches trust materials. /// - /// [TrustRoot::fulcio_certs()] and [TrustRoot::rekor_keys()] on [SigstoreRepository] lazily + /// [TrustRoot::fulcio_certs()] and [TrustRoot::rekor_keys()] on [SigstoreTrustRoot] lazily /// fetches the requested data, which is problematic for async callers. Those callers should /// use this method to fetch the trust root ahead of time. /// /// ```rust /// # use tokio::task::spawn_blocking; - /// # use sigstore::trust::sigstore::SigstoreRepository; + /// # use sigstore::trust::sigstore::SigstoreTrustRoot; /// # use sigstore::errors::Result; /// # #[tokio::main] /// # async fn main() -> std::result::Result<(), anyhow::Error> { - /// let repo: Result = spawn_blocking(|| Ok(SigstoreRepository::new(None)?.prefetch()?)).await?; - /// // Now, get Fulcio and Rekor trust roots with the returned `SigstoreRepository` + /// let repo: Result = spawn_blocking(|| Ok(SigstoreTrustRoot::new(None)?.prefetch()?)).await?; + /// // Now, get Fulcio and Rekor trust roots with the returned `SigstoreRootTrust` /// # Ok(()) /// # } /// ``` @@ -149,7 +149,7 @@ impl SigstoreRepository { } } -impl crate::trust::TrustRoot for SigstoreRepository { +impl crate::trust::TrustRoot for SigstoreTrustRoot { /// Fetch Fulcio certificates from the given TUF repository or reuse /// the local cache if its contents are not outdated. /// From 4208d54f2b79ce28d1980a7d37b30d931f767232 Mon Sep 17 00:00:00 2001 From: Tanner Gill Date: Fri, 1 Mar 2024 13:27:25 -0800 Subject: [PATCH 18/25] Renames: struct SigstoreRepository -> struct SigstoreTrustRoot. feature 'tuf' -> feature 'sigstore-trust-root' Signed-off-by: Tanner Gill --- Cargo.toml | 4 ++-- src/errors.rs | 2 +- src/trust/mod.rs | 2 +- src/trust/sigstore/mod.rs | 20 ++++++++++---------- 4 files changed, 14 insertions(+), 14 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 369f531a75..6cc4023360 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -9,7 +9,7 @@ readme = "README.md" repository = "https://github.com/sigstore/sigstore-rs" [features] -default = ["full-native-tls", "cached-client", "tuf", "sign"] +default = ["full-native-tls", "cached-client", "sigstore-trust-root", "sign"] wasm = ["getrandom/js"] full-native-tls = [ @@ -40,7 +40,7 @@ rekor-native-tls = ["reqwest/native-tls", "rekor"] rekor-rustls-tls = ["reqwest/rustls-tls", "rekor"] rekor = ["reqwest"] -tuf = ["tough", "regex"] +sigstore-trust-root = ["tough", "regex"] sign = [] diff --git a/src/errors.rs b/src/errors.rs index 22b87e95cb..5ba05393cb 100644 --- a/src/errors.rs +++ b/src/errors.rs @@ -161,7 +161,7 @@ pub enum SigstoreError { #[error("No Signature Layer passed verification")] SigstoreNoVerifiedLayer, - #[cfg(feature = "tuf")] + #[cfg(feature = "sigstore-trust-root")] #[error(transparent)] TufError(#[from] Box), diff --git a/src/trust/mod.rs b/src/trust/mod.rs index 66d65d903d..09345e3cdf 100644 --- a/src/trust/mod.rs +++ b/src/trust/mod.rs @@ -15,7 +15,7 @@ use webpki::types::CertificateDer; -#[cfg(feature = "tuf")] +#[cfg(feature = "sigstore-trust-root")] pub mod sigstore; /// A `TrustRoot` owns all key material necessary for establishing a root of trust. diff --git a/src/trust/sigstore/mod.rs b/src/trust/sigstore/mod.rs index ba25967edb..63cbeed38d 100644 --- a/src/trust/sigstore/mod.rs +++ b/src/trust/sigstore/mod.rs @@ -15,7 +15,7 @@ //! Helper Structs to interact with the Sigstore TUF repository. //! -//! The main interaction point is [`SigstoreTrustRoot`], which fetches Rekor's +//! The main interaction point is [`SigstoreRootTrust`], which fetches Rekor's //! public key and Fulcio's certificate. //! //! These can later be given to [`cosign::ClientBuilder`](crate::cosign::ClientBuilder) 
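Review bot: Renaming the Cargo feature `tuf` to `sigstore-trust-root` in the `[features]` hunks drops the old name outright, so a dependent that builds with `default-features = false` and `features = ["tuf"]` stops resolving. A compatibility alias such as `tuf = ["sigstore-trust-root"]` would keep those builds working for a deprecation period. It is also worth checking for any remaining `cfg(feature = "tuf")` outside the two sites this patch updates (`src/errors.rs` and `src/trust/mod.rs`). A stale gate compiles the guarded code out without an error, which for a trust-root module would mean the TUF-backed key material is silently unavailable.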
@@ -23,12 +23,12 @@ //! //! # Example //! -//! The `SigstoreRootTrust` instance can be created via the [`SigstoreTrustRoot::prefetch`] +//! The `SigstoreRootTrust` instance can be created via the [`SigstoreRootTrust::prefetch`] //! method. //! //! ```rust,no_run -//! use sigstore::trust::sigstore::SigstoreTrustRoot; -//! let repo = SigstoreTrustRoot::new(None).unwrap().prefetch().unwrap(); +//! use sigstore::trust::sigstore::SigstoreRootTrust; +//! let repo = SigstoreRootTrust::new(None).unwrap().prefetch().unwrap(); //! ``` use std::{ cell::OnceCell, @@ -53,13 +53,13 @@ pub use crate::trust::{ManualTrustRoot, TrustRoot}; /// Securely fetches Rekor public key and Fulcio certificates from Sigstore's TUF repository. #[derive(Debug)] -pub struct SigstoreTrustRoot { +pub struct SigstoreRootTrust { repository: tough::Repository, checkout_dir: Option, trusted_root: OnceCell, } -impl SigstoreTrustRoot { +impl SigstoreRootTrust { /// Constructs a new trust repository established by a [tough::Repository]. pub fn new(checkout_dir: Option<&Path>) -> Result { // These are statically defined and should always parse correctly. 
@@ -108,17 +108,17 @@ impl SigstoreTrustRoot { /// Prefetches trust materials. /// - /// [TrustRoot::fulcio_certs()] and [TrustRoot::rekor_keys()] on [SigstoreTrustRoot] lazily + /// [TrustRoot::fulcio_certs()] and [TrustRoot::rekor_keys()] on [SigstoreRootTrust] lazily /// fetches the requested data, which is problematic for async callers. Those callers should /// use this method to fetch the trust root ahead of time. /// /// ```rust /// # use tokio::task::spawn_blocking; - /// # use sigstore::trust::sigstore::SigstoreTrustRoot; + /// # use sigstore::trust::sigstore::SigstoreRootTrust; /// # use sigstore::errors::Result; /// # #[tokio::main] /// # async fn main() -> std::result::Result<(), anyhow::Error> { - /// let repo: Result = spawn_blocking(|| Ok(SigstoreTrustRoot::new(None)?.prefetch()?)).await?; + /// let repo: Result = spawn_blocking(|| Ok(SigstoreRootTrust::new(None)?.prefetch()?)).await?; /// // Now, get Fulcio and Rekor trust roots with the returned `SigstoreRootTrust` /// # Ok(()) /// # } @@ -149,7 +149,7 @@ impl SigstoreTrustRoot { } } -impl crate::trust::TrustRoot for SigstoreTrustRoot { +impl crate::trust::TrustRoot for SigstoreRootTrust { /// Fetch Fulcio certificates from the given TUF repository or reuse /// the local cache if its contents are not outdated. /// From 4a5001718f6ee43766fe2ca8fcaff4428820a281 Mon Sep 17 00:00:00 2001 From: Tanner Gill Date: Fri, 1 Mar 2024 13:32:21 -0800 Subject: [PATCH 19/25] Fixed up comments that still referenced previous iterations of the refactor Signed-off-by: Tanner Gill --- src/lib.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/lib.rs b/src/lib.rs index aca41eb315..03f26d6e1c 100644 --- a/src/lib.rs +++ b/src/lib.rs 
@@ -228,7 +228,7 @@ //! requires the following data to work: Fulcio's certificate and Rekor's public key. //! //! These files are safely distributed by the Sigstore project via a TUF repository. -//! The [`sigstore::sigstore`](crate::sigstore) module provides the helper structures to deal +//! The [`sigstore::trust::sigstore`](crate::trust::sigstore) module provides the helper structures to deal //! with it. //! //! # Feature Flags @@ -254,7 +254,7 @@ //! - `cached-client`: Enables support for OCI registry client caching. //! //! - `test-registry`: Enables tests based on a temporary OCI registry. -//! - `tuf`: Enables support for TUF to request for fulcio certs and rekor public key. +//! - `sigstore-trust-root`: Enables support for TUF to request for fulcio certs and rekor public key. #![forbid(unsafe_code)] #![warn(clippy::unwrap_used, clippy::panic)] From d5ba303182318495a081d1c4ad50d5c27be015cc Mon Sep 17 00:00:00 2001 From: Tanner Gill Date: Fri, 1 Mar 2024 13:33:59 -0800 Subject: [PATCH 20/25] Renamed SigstoreRootTrust to SigstoreTrustRoot Signed-off-by: Tanner Gill --- src/trust/sigstore/mod.rs | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/trust/sigstore/mod.rs b/src/trust/sigstore/mod.rs index 63cbeed38d..ba25967edb 100644 --- a/src/trust/sigstore/mod.rs +++ b/src/trust/sigstore/mod.rs @@ -15,7 +15,7 @@ //! Helper Structs to interact with the Sigstore TUF repository. //! -//! The main interaction point is [`SigstoreRootTrust`], which fetches Rekor's +//! The main interaction point is [`SigstoreTrustRoot`], which fetches Rekor's //! public key and Fulcio's certificate. //! //! These can later be given to [`cosign::ClientBuilder`](crate::cosign::ClientBuilder) 
@@ -23,12 +23,12 @@ //! //! # Example //! -//! The `SigstoreRootTrust` instance can be created via the [`SigstoreRootTrust::prefetch`] +//! The `SigstoreRootTrust` instance can be created via the [`SigstoreTrustRoot::prefetch`] //! method. //! //! ```rust,no_run -//! use sigstore::trust::sigstore::SigstoreRootTrust; -//! let repo = SigstoreRootTrust::new(None).unwrap().prefetch().unwrap(); +//! use sigstore::trust::sigstore::SigstoreTrustRoot; +//! let repo = SigstoreTrustRoot::new(None).unwrap().prefetch().unwrap(); //! ``` use std::{ cell::OnceCell, @@ -53,13 +53,13 @@ pub use crate::trust::{ManualTrustRoot, TrustRoot}; /// Securely fetches Rekor public key and Fulcio certificates from Sigstore's TUF repository. #[derive(Debug)] -pub struct SigstoreRootTrust { +pub struct SigstoreTrustRoot { repository: tough::Repository, checkout_dir: Option, trusted_root: OnceCell, } -impl SigstoreRootTrust { +impl SigstoreTrustRoot { /// Constructs a new trust repository established by a [tough::Repository]. pub fn new(checkout_dir: Option<&Path>) -> Result { // These are statically defined and should always parse correctly. 
@@ -108,17 +108,17 @@ impl SigstoreRootTrust { /// Prefetches trust materials. /// - /// [TrustRoot::fulcio_certs()] and [TrustRoot::rekor_keys()] on [SigstoreRootTrust] lazily + /// [TrustRoot::fulcio_certs()] and [TrustRoot::rekor_keys()] on [SigstoreTrustRoot] lazily /// fetches the requested data, which is problematic for async callers. Those callers should /// use this method to fetch the trust root ahead of time. /// /// ```rust /// # use tokio::task::spawn_blocking; - /// # use sigstore::trust::sigstore::SigstoreRootTrust; + /// # use sigstore::trust::sigstore::SigstoreTrustRoot; /// # use sigstore::errors::Result; /// # #[tokio::main] /// # async fn main() -> std::result::Result<(), anyhow::Error> { - /// let repo: Result = spawn_blocking(|| Ok(SigstoreRootTrust::new(None)?.prefetch()?)).await?; + /// let repo: Result = spawn_blocking(|| Ok(SigstoreTrustRoot::new(None)?.prefetch()?)).await?; /// // Now, get Fulcio and Rekor trust roots with the returned `SigstoreRootTrust` /// # Ok(()) /// # } @@ -149,7 +149,7 @@ impl SigstoreRootTrust { } } -impl crate::trust::TrustRoot for SigstoreRootTrust { +impl crate::trust::TrustRoot for SigstoreTrustRoot { /// Fetch Fulcio certificates from the given TUF repository or reuse /// the local cache if its contents are not outdated. /// From 8b1a4ec983b6b2a4c52041fd8c1842a7fd3e09ee Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Mar 2024 19:47:04 +0000 Subject: [PATCH 21/25] chore(deps): Bump actions/checkout from 4.1.1 to 4.1.2 Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.1 to 4.1.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/b4ffde65f46336ab88eb53be808477a3936bae11...9bb56186c3b09b4f86b1c65136769dd318469633) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/auto-publish-crates-upon-release.yml | 2 +- .github/workflows/conformance.yml | 2 +- .github/workflows/security-audit-cron.yml | 2 +- .github/workflows/security-audit-reactive.yml | 2 +- .github/workflows/tests.yml | 10 +++++----- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/auto-publish-crates-upon-release.yml b/.github/workflows/auto-publish-crates-upon-release.yml index 9ff358f88d..b8746ea75a 100644 --- a/.github/workflows/auto-publish-crates-upon-release.yml +++ b/.github/workflows/auto-publish-crates-upon-release.yml @@ -7,7 +7,7 @@ jobs: publish-automatically: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 with: toolchain: stable diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index a9fb3bcf06..09749783d1 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml 
@@ -6,7 +6,7 @@ jobs: conformance: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 with: profile: minimal diff --git a/.github/workflows/security-audit-cron.yml b/.github/workflows/security-audit-cron.yml index 8677bfcee4..354dd71967 100644 --- a/.github/workflows/security-audit-cron.yml +++ b/.github/workflows/security-audit-cron.yml @@ -6,7 +6,7 @@ jobs: audit: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - uses: actions-rs/audit-check@35b7b53b1e25b55642157ac01b4adceb5b9ebef3 # v1.2.0 with: token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/security-audit-reactive.yml b/.github/workflows/security-audit-reactive.yml index ebc720c0e4..216975e78b 100644 --- a/.github/workflows/security-audit-reactive.yml +++ b/.github/workflows/security-audit-reactive.yml @@ -8,7 +8,7 @@ jobs: security_audit: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - uses: actions-rs/audit-check@35b7b53b1e25b55642157ac01b4adceb5b9ebef3 # v1.2.0 with: token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 808d929e85..74e9e5c277 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -7,7 +7,7 @@ jobs: name: Check runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 with: profile: minimal 
@@ -21,7 +21,7 @@ jobs: name: Check WASM runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 with: profile: minimal @@ -37,7 +37,7 @@ jobs: name: Test Suite runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 with: profile: minimal @@ -52,7 +52,7 @@ jobs: name: Rustfmt runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 with: profile: minimal @@ -68,7 +68,7 @@ jobs: name: Clippy runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 with: profile: minimal From dd803ca2ed15624ea2adf8112d2470626632768a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Mar 2024 19:05:23 +0000 Subject: [PATCH 22/25] chore(deps): Update reqwest requirement from 0.11 to 0.12 Updates the requirements on [reqwest](https://github.com/seanmonstar/reqwest) to permit the latest version. - [Release notes](https://github.com/seanmonstar/reqwest/releases) - [Changelog](https://github.com/seanmonstar/reqwest/blob/master/CHANGELOG.md) - [Commits](https://github.com/seanmonstar/reqwest/compare/v0.11.0...v0.12.2) --- updated-dependencies: - dependency-name: reqwest dependency-type: direct:production ... 
Signed-off-by: dependabot[bot] --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index 6cc4023360..71f58e5e75 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -101,7 +101,7 @@ pkcs8 = { version = "0.10.2", features = [ rand = { version = "0.8.5", features = ["getrandom", "std"] } getrandom = "0.2.8" regex = { version = "1.5.5", optional = true } -reqwest = { version = "0.11", default-features = false, features = [ +reqwest = { version = "0.12", default-features = false, features = [ "json", "multipart", ], optional = true } From e817116fa365975c3b63632303120f50e294acd3 Mon Sep 17 00:00:00 2001 From: Andrew Stoycos Date: Thu, 21 Mar 2024 14:56:34 -0400 Subject: [PATCH 23/25] update tough dep, clippy fixes This commit updates the tough dependency, which changes how many of our trait definitions work. Additionally move from the use of std::sync::oncecell to tokio::sync::oncecell for sigstoretrustroot.trusted_root so that SigstoreTrustRoot can be Send. Update examples and tests. Remove some unused types Fixup clippy warnings 
Signed-off-by: Andrew Stoycos --- Cargo.toml | 6 +- examples/cosign/sign/main.rs | 1 - examples/cosign/verify/main.rs | 17 +-- src/cosign/client_builder.rs | 9 +- src/cosign/mod.rs | 4 +- src/cosign/signature_layers.rs | 3 - .../cert_subject_email_verifier.rs | 1 - .../cert_subject_url_verifier.rs | 1 - .../certificate_verifier.rs | 1 - src/crypto/certificate.rs | 2 +- src/crypto/mod.rs | 28 ++--- src/crypto/signing_key/ecdsa/ec.rs | 2 +- src/crypto/signing_key/ecdsa/mod.rs | 15 +-- src/crypto/signing_key/ed25519.rs | 1 - src/crypto/signing_key/mod.rs | 10 +- src/crypto/signing_key/rsa/keypair.rs | 2 - src/crypto/verification_key.rs | 1 - src/fulcio/mod.rs | 3 +- src/fulcio/models.rs | 36 +----- src/lib.rs | 1 + src/oauth/token.rs | 6 +- src/registry/config.rs | 1 - src/rekor/apis/configuration.rs | 2 - src/rekor/apis/entries_api.rs | 2 - src/rekor/apis/index_api.rs | 2 - src/rekor/apis/pubkey_api.rs | 2 - src/rekor/apis/tlog_api.rs | 2 - src/sign.rs | 1 - src/trust/mod.rs | 16 ++- src/trust/sigstore/mod.rs | 118 ++++++++++-------- 30 files changed, 127 insertions(+), 169 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 6cc4023360..46ae0c5dd7 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -40,7 +40,7 @@ rekor-native-tls = ["reqwest/native-tls", "rekor"] rekor-rustls-tls = ["reqwest/rustls-tls", "rekor"] rekor = ["reqwest"] -sigstore-trust-root = ["tough", "regex"] +sigstore-trust-root = ["futures-util", "tough", "regex", "tokio/sync"] sign = [] @@ -81,6 +81,8 @@ ecdsa = { version = "0.16.7", features = ["pkcs8", "digest", "der", "signing"] } ed25519 = { version = "2.2.1", features = ["alloc"] } ed25519-dalek = { version = "2.0.0-rc.2", features = ["pkcs8", "rand_core"] } elliptic-curve = { version = "0.13.5", features = ["arithmetic", "pem"] } +futures = "0.3" +futures-util = { version = "0.3.30", optional = true } lazy_static = "1.4.0" oci-distribution = { version = "0.10", default-features = false, optional = true } olpc-cjson = "0.1" 
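Review bot: `futures = "0.3"` is added to `[dependencies]` unconditionally in the `@@ -81,6 +81,8 @@` hunk, while `futures-util` on the next line is `optional = true` and enabled only through `sigstore-trust-root`. If the async trust-root code is its only consumer (not visible from this hunk), the non-optional entry enlarges the dependency tree of every build, including those that disable the feature. Consider dropping it, or declaring it as `futures = { version = "0.3", optional = true }` and listing it in the feature.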
@@ -116,7 +118,7 @@ sigstore_protobuf_specs = "0.1.0-rc.2" thiserror = "1.0.30" tokio = { version = "1.17.0", features = ["rt"] } tokio-util = { version = "0.7.10", features = ["io-util"] } -tough = { version = "0.14", features = ["http"], optional = true } +tough = { version = "0.17.1", features = ["http"], optional = true } tracing = "0.1.31" url = "2.2.2" x509-cert = { version = "0.2.2", features = ["builder", "pem", "std"] } diff --git a/examples/cosign/sign/main.rs b/examples/cosign/sign/main.rs index 28302c0e39..b5ce9ebf98 100644 --- a/examples/cosign/sign/main.rs +++ b/examples/cosign/sign/main.rs @@ -18,7 +18,6 @@ use sigstore::cosign::constraint::{AnnotationMarker, PrivateKeySigner}; use sigstore::cosign::{Constraint, CosignCapabilities, SignatureLayer}; use sigstore::crypto::SigningScheme; use sigstore::registry::{Auth, ClientConfig, ClientProtocol, OciReference}; -use std::convert::TryFrom; use tracing::{debug, warn}; use zeroize::Zeroizing; diff --git a/examples/cosign/verify/main.rs b/examples/cosign/verify/main.rs index 081decd5f2..24980d1b04 100644 --- a/examples/cosign/verify/main.rs +++ b/examples/cosign/verify/main.rs @@ -23,8 +23,6 @@ use sigstore::crypto::SigningScheme; use sigstore::errors::SigstoreVerifyConstraintsError; use sigstore::registry::{ClientConfig, ClientProtocol, OciReference}; use sigstore::trust::sigstore::SigstoreTrustRoot; -use std::boxed::Box; -use std::convert::TryFrom; use std::time::Instant; extern crate anyhow; @@ -34,7 +32,6 @@ extern crate clap; use clap::Parser; use std::{collections::HashMap, fs}; -use tokio::task::spawn_blocking; extern crate tracing_subscriber; use tracing::{info, warn}; 
@@ -133,7 +130,7 @@ async fn run_app( let mut client_builder = sigstore::cosign::ClientBuilder::default().with_oci_client_config(oci_client_config); - client_builder = client_builder.with_trust_repository(frd)?; + client_builder = client_builder.with_trust_repository(frd).await?; let cert_chain: Option> = match cli.cert_chain.as_ref() { None => None, @@ -187,7 +184,7 @@ async fn run_app( } if let Some(path_to_cert) = cli.cert.as_ref() { let cert = fs::read(path_to_cert).map_err(|e| anyhow!("Cannot read cert: {:?}", e))?; - let require_rekor_bundle = if !frd.rekor_keys()?.is_empty() { + let require_rekor_bundle = if !frd.rekor_keys().await?.is_empty() { true } else { warn!("certificate based verification is weaker when Rekor integration is disabled"); @@ -230,12 +227,10 @@ async fn run_app( async fn fulcio_and_rekor_data(cli: &Cli) -> anyhow::Result> { if cli.use_sigstore_tuf_data { - let repo: sigstore::errors::Result = spawn_blocking(|| { - info!("Downloading data from Sigstore TUF repository"); - SigstoreTrustRoot::new(None)?.prefetch() - }) - .await - .map_err(|e| anyhow!("Error spawning blocking task inside of tokio: {}", e))?; + info!("Downloading data from Sigstore TUF repository"); + + let repo: sigstore::errors::Result = + SigstoreTrustRoot::new(None).await?.prefetch().await; return Ok(Box::new(repo?)); }; diff --git a/src/cosign/client_builder.rs b/src/cosign/client_builder.rs index 2e7d494082..d37bca7cf9 100644 --- a/src/cosign/client_builder.rs +++ b/src/cosign/client_builder.rs 
@@ -72,12 +72,15 @@ impl<'a> ClientBuilder<'a> { /// /// Enables Fulcio and Rekor integration with the given trust repository. /// See [crate::sigstore::TrustRoot] for more details on trust repositories. - pub fn with_trust_repository(mut self, repo: &'a R) -> Result { - let rekor_keys = repo.rekor_keys()?; + pub async fn with_trust_repository( + mut self, + repo: &'a R, + ) -> Result { + let rekor_keys = repo.rekor_keys().await?; if !rekor_keys.is_empty() { self.rekor_pub_key = Some(rekor_keys[0]); } - self.fulcio_certs = repo.fulcio_certs()?; + self.fulcio_certs = repo.fulcio_certs().await?; Ok(self) } diff --git a/src/cosign/mod.rs b/src/cosign/mod.rs index 4f560b3530..2debf012f4 100644 --- a/src/cosign/mod.rs +++ b/src/cosign/mod.rs @@ -48,7 +48,6 @@ use crate::crypto::{CosignVerificationKey, Signature}; use crate::errors::SigstoreError; use base64::{engine::general_purpose::STANDARD as BASE64_STD_ENGINE, Engine as _}; use pkcs8::der::Decode; -use std::convert::TryFrom; use x509_cert::Certificate; pub mod bundle; @@ -284,7 +283,6 @@ where #[cfg(test)] mod tests { use serde_json::json; - use std::collections::HashMap; use webpki::types::CertificateDer; use super::constraint::{AnnotationMarker, PrivateKeySigner}; @@ -296,7 +294,7 @@ mod tests { AnnotationVerifier, CertSubjectEmailVerifier, VerificationConstraintVec, }; use crate::crypto::certificate_pool::CertificatePool; - use crate::crypto::{CosignVerificationKey, SigningScheme}; + use crate::crypto::SigningScheme; #[cfg(feature = "test-registry")] use testcontainers::{clients, core::WaitFor}; diff --git a/src/cosign/signature_layers.rs b/src/cosign/signature_layers.rs index 8e6cce177f..879e548fd2 100644 --- a/src/cosign/signature_layers.rs +++ b/src/cosign/signature_layers.rs 
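Review bot: The doc comment on `with_trust_repository` says it enables Rekor integration but not what it does with the keys it now awaits: only `rekor_keys[0]` is stored, and when the repository returns no key the builder comes back with no Rekor key set. I would add `/// Only the first Rekor key returned by the repository is used; when none is returned no Rekor key is set.` The move from a sync to an `async fn` is also a breaking change for callers and deserves a line in the release notes.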
@@ -17,7 +17,6 @@ use const_oid::ObjectIdentifier; use digest::Digest; use oci_distribution::client::ImageLayer; use serde::Serialize; -use std::convert::TryFrom; use std::{collections::HashMap, fmt}; use tracing::{debug, info, warn}; use x509_cert::der::DecodePem; @@ -550,8 +549,6 @@ pub(crate) mod tests { use super::*; use openssl::x509::X509; use serde_json::json; - use std::collections::HashMap; - use std::convert::TryFrom; use crate::cosign::tests::{get_fulcio_cert_pool, get_rekor_public_key}; diff --git a/src/cosign/verification_constraint/cert_subject_email_verifier.rs b/src/cosign/verification_constraint/cert_subject_email_verifier.rs index 1b7a8b2f08..e1fe799e8a 100644 --- a/src/cosign/verification_constraint/cert_subject_email_verifier.rs +++ b/src/cosign/verification_constraint/cert_subject_email_verifier.rs @@ -126,7 +126,6 @@ mod tests { build_correct_signature_layer_with_certificate, build_correct_signature_layer_without_bundle, }; - use crate::cosign::signature_layers::CertificateSubject; use crate::cosign::verification_constraint::CertSubjectUrlVerifier; #[test] diff --git a/src/cosign/verification_constraint/cert_subject_url_verifier.rs b/src/cosign/verification_constraint/cert_subject_url_verifier.rs index 739aa9e66d..d171980351 100644 --- a/src/cosign/verification_constraint/cert_subject_url_verifier.rs +++ b/src/cosign/verification_constraint/cert_subject_url_verifier.rs @@ -74,7 +74,6 @@ mod tests { build_correct_signature_layer_with_certificate, build_correct_signature_layer_without_bundle, }; - use crate::cosign::signature_layers::CertificateSubject; use crate::cosign::verification_constraint::CertSubjectEmailVerifier; #[test] diff --git a/src/cosign/verification_constraint/certificate_verifier.rs b/src/cosign/verification_constraint/certificate_verifier.rs index 7370836594..d918803bd6 100644 --- a/src/cosign/verification_constraint/certificate_verifier.rs +++ b/src/cosign/verification_constraint/certificate_verifier.rs 
@@ -1,6 +1,5 @@ use chrono::{DateTime, Utc}; use pkcs8::der::Decode; -use std::convert::TryFrom; use tracing::warn; use webpki::types::CertificateDer; use x509_cert::Certificate; diff --git a/src/crypto/certificate.rs b/src/crypto/certificate.rs index c7c14e99f3..0b5685764e 100644 --- a/src/crypto/certificate.rs +++ b/src/crypto/certificate.rs @@ -126,7 +126,7 @@ mod tests { use super::*; use crate::crypto::tests::*; - use chrono::{TimeDelta, Utc}; + use chrono::TimeDelta; use x509_cert::der::Decode; #[test] diff --git a/src/crypto/mod.rs b/src/crypto/mod.rs index 3db1461c7f..fd1667f9b7 100644 --- a/src/crypto/mod.rs +++ b/src/crypto/mod.rs @@ -16,7 +16,6 @@ //! Structures and constants required to perform cryptographic operations. use sha2::{Sha256, Sha384}; -use std::convert::TryFrom; use crate::errors::*; 
@@ -60,20 +59,19 @@ pub enum SigningScheme { ED25519, } -impl ToString for SigningScheme { - fn to_string(&self) -> String { - let str = match self { - SigningScheme::RSA_PSS_SHA256(_) => "RSA_PSS_SHA256", - SigningScheme::RSA_PSS_SHA384(_) => "RSA_PSS_SHA384", - SigningScheme::RSA_PSS_SHA512(_) => "RSA_PSS_SHA512", - SigningScheme::RSA_PKCS1_SHA256(_) => "RSA_PKCS1_SHA256", - SigningScheme::RSA_PKCS1_SHA384(_) => "RSA_PKCS1_SHA384", - SigningScheme::RSA_PKCS1_SHA512(_) => "RSA_PKCS1_SHA512", - SigningScheme::ECDSA_P256_SHA256_ASN1 => "ECDSA_P256_SHA256_ASN1", - SigningScheme::ECDSA_P384_SHA384_ASN1 => "ECDSA_P384_SHA384_ASN1", - SigningScheme::ED25519 => "ED25519", - }; - String::from(str) +impl std::fmt::Display for SigningScheme { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + match self { + SigningScheme::RSA_PSS_SHA256(_) => write!(f, "RSA_PSS_SHA256"), + SigningScheme::RSA_PSS_SHA384(_) => write!(f, "RSA_PSS_SHA384"), + SigningScheme::RSA_PSS_SHA512(_) => write!(f, "RSA_PSS_SHA512"), + SigningScheme::RSA_PKCS1_SHA256(_) => write!(f, "RSA_PKCS1_SHA256"), + SigningScheme::RSA_PKCS1_SHA384(_) => write!(f, "RSA_PKCS1_SHA384"), + SigningScheme::RSA_PKCS1_SHA512(_) => write!(f, "RSA_PKCS1_SHA512"), + SigningScheme::ECDSA_P256_SHA256_ASN1 => write!(f, "ECDSA_P256_SHA256_ASN1"), + SigningScheme::ECDSA_P384_SHA384_ASN1 => write!(f, "ECDSA_P384_SHA384_ASN1"), + SigningScheme::ED25519 => write!(f, "ED25519"), + } } } diff --git a/src/crypto/signing_key/ecdsa/ec.rs b/src/crypto/signing_key/ecdsa/ec.rs index 7c2dd70cb0..a9cd15b5d3 100644 --- a/src/crypto/signing_key/ecdsa/ec.rs +++ b/src/crypto/signing_key/ecdsa/ec.rs @@ -63,7 +63,7 @@ //! let signature = ec_signer.sign(b"some message"); //! ``` -use std::{convert::TryFrom, marker::PhantomData, ops::Add}; +use std::{marker::PhantomData, ops::Add}; use digest::{ core_api::BlockSizeUser, 
diff --git a/src/crypto/signing_key/ecdsa/mod.rs b/src/crypto/signing_key/ecdsa/mod.rs index 4374a83e7a..b7680b007b 100644 --- a/src/crypto/signing_key/ecdsa/mod.rs +++ b/src/crypto/signing_key/ecdsa/mod.rs @@ -73,8 +73,6 @@ //! // verify //! assert!(verification_key.verify_signature(Signature::Raw(&signature_data),message).is_ok()); /// ``` -use p256; - use crate::errors::*; use self::ec::{EcdsaKeys, EcdsaSigner}; @@ -88,13 +86,12 @@ pub enum ECDSAKeys { P384(EcdsaKeys), } -impl ToString for ECDSAKeys { - fn to_string(&self) -> String { - let str = match self { - ECDSAKeys::P256(_) => "ECDSA P256", - ECDSAKeys::P384(_) => "ECDSA P384", - }; - String::from(str) +impl std::fmt::Display for ECDSAKeys { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + match self { + ECDSAKeys::P256(_) => write!(f, "ECDSA P256"), + ECDSAKeys::P384(_) => write!(f, "ECDSA P384"), + } } } diff --git a/src/crypto/signing_key/ed25519.rs b/src/crypto/signing_key/ed25519.rs index 0934acd5eb..f1292c12a7 100644 --- a/src/crypto/signing_key/ed25519.rs +++ b/src/crypto/signing_key/ed25519.rs @@ -61,7 +61,6 @@ //! ``` use ed25519::pkcs8::{DecodePrivateKey, EncodePrivateKey, EncodePublicKey}; -use std::convert::TryFrom; use ed25519::KeypairBytes; use ed25519_dalek::{Signer as _, SigningKey}; diff --git a/src/crypto/signing_key/mod.rs b/src/crypto/signing_key/mod.rs index efc34b60ac..f209ba2a60 100644 --- a/src/crypto/signing_key/mod.rs +++ b/src/crypto/signing_key/mod.rs 
@@ -139,12 +139,12 @@ pub enum SigStoreKeyPair { RSA(RSAKeys), } -impl ToString for SigStoreKeyPair { - fn to_string(&self) -> String { +impl std::fmt::Display for SigStoreKeyPair { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { match self { - SigStoreKeyPair::ECDSA(_) => String::from("EC Key"), - SigStoreKeyPair::ED25519(_) => String::from("Ed25519 Key"), - SigStoreKeyPair::RSA(_) => String::from("RSA Key"), + SigStoreKeyPair::ECDSA(_) => write!(f, "EC Key"), + SigStoreKeyPair::ED25519(_) => write!(f, "Ed25519 Key"), + SigStoreKeyPair::RSA(_) => write!(f, "RSA Key"), } } } diff --git a/src/crypto/signing_key/rsa/keypair.rs b/src/crypto/signing_key/rsa/keypair.rs index c7d12148e5..f54294f598 100644 --- a/src/crypto/signing_key/rsa/keypair.rs +++ b/src/crypto/signing_key/rsa/keypair.rs @@ -39,8 +39,6 @@ //! let rsa_keys2 = RSAKeys::from_encrypted_pem(privkey_pem.as_bytes(), b"password").unwrap(); //! ``` -use std::convert::TryFrom; - use pkcs8::{DecodePrivateKey, EncodePrivateKey, EncodePublicKey}; use rsa::{ pkcs1::DecodeRsaPrivateKey, pkcs1v15::SigningKey, pss::BlindedSigningKey, RsaPrivateKey, diff --git a/src/crypto/verification_key.rs b/src/crypto/verification_key.rs index 1cf40d7eed..b1c54a3c0c 100644 --- a/src/crypto/verification_key.rs +++ b/src/crypto/verification_key.rs @@ -19,7 +19,6 @@ use ed25519::pkcs8::DecodePublicKey as ED25519DecodePublicKey; use rsa::{pkcs1v15, pss}; use sha2::{Digest, Sha256, Sha384}; use signature::{DigestVerifier, Verifier}; -use std::convert::TryFrom; use x509_cert::{der::referenced::OwnedToRef, spki::SubjectPublicKeyInfoOwned}; use super::{ diff --git a/src/fulcio/mod.rs b/src/fulcio/mod.rs index 81477cab6e..8c034e2333 100644 --- a/src/fulcio/mod.rs +++ b/src/fulcio/mod.rs 
@@ -14,7 +14,6 @@ use pkcs8::der::Decode; use reqwest::{header, Body}; use serde::ser::SerializeStruct; use serde::{Serialize, Serializer}; -use std::convert::{TryFrom, TryInto}; use std::fmt::{Debug, Display, Formatter}; use tracing::debug; use url::Url; @@ -55,7 +54,7 @@ impl TryFrom for Body { struct PublicKey(String, SigningScheme); impl Serialize for PublicKey { - fn serialize(&self, serializer: S) -> std::result::Result + fn serialize(&self, serializer: S) -> std::result::Result where S: Serializer, { diff --git a/src/fulcio/models.rs b/src/fulcio/models.rs index b4e7dc367d..e39e335895 100644 --- a/src/fulcio/models.rs +++ b/src/fulcio/models.rs @@ -19,7 +19,7 @@ use base64::{engine::general_purpose::STANDARD as BASE64_STD_ENGINE, Engine as _}; use pem::Pem; use pkcs8::der::EncodePem; -use serde::{Deserialize, Deserializer, Serialize, Serializer}; +use serde::{Deserialize, Serialize, Serializer}; use serde_repr::Deserialize_repr; use x509_cert::Certificate; @@ -38,26 +38,6 @@ where ser.serialize_str(&encoded) } -fn deserialize_base64<'de, D>(de: D) -> std::result::Result, D::Error> -where - D: Deserializer<'de>, -{ - let buf: &str = Deserialize::deserialize(de)?; - - BASE64_STD_ENGINE - .decode(buf) - .map_err(serde::de::Error::custom) -} - -fn deserialize_inner_detached_sct<'de, D>(de: D) -> std::result::Result -where - D: Deserializer<'de>, -{ - let buf = deserialize_base64(de)?; - - serde_json::from_slice(&buf).map_err(serde::de::Error::custom) -} - #[derive(Serialize)] #[serde(rename_all = "camelCase")] pub struct CreateSigningCertificateRequest { @@ -76,8 +56,6 @@ pub enum SigningCertificate { #[serde(rename_all = "camelCase")] pub struct SigningCertificateDetachedSCT { pub chain: CertificateChain, - #[serde(deserialize_with = "deserialize_inner_detached_sct")] - pub signed_certificate_timestamp: InnerDetachedSCT, } #[derive(Deserialize)] 
@@ -91,18 +69,6 @@ pub struct CertificateChain { pub certificates: Vec, } -#[derive(Deserialize)] -pub struct InnerDetachedSCT { - pub sct_version: SCTVersion, - #[serde(deserialize_with = "deserialize_base64")] - pub id: Vec, - pub timestamp: u64, - #[serde(deserialize_with = "deserialize_base64")] - pub signature: Vec, - #[serde(deserialize_with = "deserialize_base64")] - pub extensions: Vec, -} - #[derive(Deserialize_repr, PartialEq, Debug)] #[repr(u8)] pub enum SCTVersion { diff --git a/src/lib.rs b/src/lib.rs index 03f26d6e1c..e715b80078 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -100,6 +100,7 @@ //! //! let mut client = sigstore::cosign::ClientBuilder::default() //! .with_trust_repository(&repo) +//! .await //! .expect("Cannot construct cosign client from given materials") //! .build() //! .expect("Unexpected failure while building Client"); diff --git a/src/oauth/token.rs b/src/oauth/token.rs index b5b304f9ed..e916a30003 100644 --- a/src/oauth/token.rs +++ b/src/oauth/token.rs @@ -99,8 +99,8 @@ impl From for IdentityToken { } } -impl ToString for IdentityToken { - fn to_string(&self) -> String { - self.original_token.clone() +impl std::fmt::Display for IdentityToken { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + write!(f, "{}", self.original_token.clone()) } } diff --git a/src/registry/config.rs b/src/registry/config.rs index 95630ef29f..b7dd3d2da1 100644 --- a/src/registry/config.rs +++ b/src/registry/config.rs @@ -17,7 +17,6 @@ use serde::Serialize; use std::cmp::Ordering; -use std::convert::From; use webpki::types::CertificateDer; use crate::errors; diff --git a/src/rekor/apis/configuration.rs b/src/rekor/apis/configuration.rs index 3016db1991..a878be3840 100644 --- a/src/rekor/apis/configuration.rs +++ b/src/rekor/apis/configuration.rs @@ -8,8 +8,6 @@ * Generated by: https://openapi-generator.tech */ -use reqwest; - const VERSION: Option<&str> = option_env!("CARGO_PKG_VERSION"); #[derive(Debug, Clone)] 
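Review bot: Implementing `Display` for `IdentityToken` in `src/oauth/token.rs` makes what appears to be the raw token (`original_token`) formattable with `{}`, which the old direct `ToString` impl did not allow, so it can now reach `format!` or `tracing` output by accident. If callers only need the string to build a request, an explicitly named accessor keeps that intent visible; if `Display` stays, a doc comment on the impl should say it emits the unredacted token. The `clone()` is also unnecessary: `f.write_str(&self.original_token)`.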
diff --git a/src/rekor/apis/entries_api.rs b/src/rekor/apis/entries_api.rs index 6f29a8ae38..1f7bac8062 100644 --- a/src/rekor/apis/entries_api.rs +++ b/src/rekor/apis/entries_api.rs @@ -8,8 +8,6 @@ * Generated by: https://openapi-generator.tech */ -use reqwest; - use super::{configuration, Error}; use crate::rekor::apis::ResponseContent; use crate::rekor::models::log_entry::LogEntry; diff --git a/src/rekor/apis/index_api.rs b/src/rekor/apis/index_api.rs index 563876a060..ab0680f951 100644 --- a/src/rekor/apis/index_api.rs +++ b/src/rekor/apis/index_api.rs @@ -8,8 +8,6 @@ * Generated by: https://openapi-generator.tech */ -use reqwest; - use super::{configuration, Error}; use crate::rekor::apis::ResponseContent; use serde::{Deserialize, Serialize}; diff --git a/src/rekor/apis/pubkey_api.rs b/src/rekor/apis/pubkey_api.rs index c2680cea99..33091276ab 100644 --- a/src/rekor/apis/pubkey_api.rs +++ b/src/rekor/apis/pubkey_api.rs @@ -8,8 +8,6 @@ * Generated by: https://openapi-generator.tech */ -use reqwest; - use super::{configuration, Error}; use crate::rekor::apis::ResponseContent; use serde::{Deserialize, Serialize}; diff --git a/src/rekor/apis/tlog_api.rs b/src/rekor/apis/tlog_api.rs index ed935c7dca..bbb0a1d3ec 100644 --- a/src/rekor/apis/tlog_api.rs +++ b/src/rekor/apis/tlog_api.rs @@ -8,8 +8,6 @@ * Generated by: https://openapi-generator.tech */ -use reqwest; - use super::{configuration, Error}; use crate::rekor::apis::ResponseContent; use serde::{Deserialize, Serialize}; diff --git a/src/sign.rs b/src/sign.rs index 1d4b36838e..e8e17ec407 100644 --- a/src/sign.rs +++ b/src/sign.rs @@ -18,7 +18,6 @@ use std::io::{self, Read}; use std::time::SystemTime; use base64::{engine::general_purpose::STANDARD as base64, Engine as _}; -use hex; use json_syntax::Print; use p256::NistP256; use pkcs8::der::{Encode, EncodePem}; diff --git a/src/trust/mod.rs b/src/trust/mod.rs index 09345e3cdf..b4c7f7507f 100644 --- a/src/trust/mod.rs +++ b/src/trust/mod.rs 
@@ -13,15 +13,18 @@ // See the License for the specific language governing permissions and // limitations under the License. +use async_trait::async_trait; use webpki::types::CertificateDer; #[cfg(feature = "sigstore-trust-root")] pub mod sigstore; /// A `TrustRoot` owns all key material necessary for establishing a root of trust. -pub trait TrustRoot { - fn fulcio_certs(&self) -> crate::errors::Result>; - fn rekor_keys(&self) -> crate::errors::Result>; +#[cfg_attr(not(target_arch = "wasm32"), async_trait)] +#[cfg_attr(target_arch = "wasm32", async_trait(?Send))] +pub trait TrustRoot: Send + Sync { + async fn fulcio_certs(&self) -> crate::errors::Result>; + async fn rekor_keys(&self) -> crate::errors::Result>; } /// A `ManualTrustRoot` is a [TrustRoot] with out-of-band trust materials. @@ -32,15 +35,18 @@ pub struct ManualTrustRoot<'a> { pub rekor_key: Option>, } +#[cfg(not(target_arch = "wasm32"))] +#[async_trait] impl TrustRoot for ManualTrustRoot<'_> { - fn fulcio_certs(&self) -> crate::errors::Result> { + #[cfg(not(target_arch = "wasm32"))] + async fn fulcio_certs(&self) -> crate::errors::Result> { Ok(match &self.fulcio_certs { Some(certs) => certs.clone(), None => Vec::new(), }) } - fn rekor_keys(&self) -> crate::errors::Result> { + async fn rekor_keys(&self) -> crate::errors::Result> { Ok(match &self.rekor_key { Some(key) => vec![&key[..]], None => Vec::new(), diff --git a/src/trust/sigstore/mod.rs b/src/trust/sigstore/mod.rs index ba25967edb..b843b9b783 100644 --- a/src/trust/sigstore/mod.rs +++ b/src/trust/sigstore/mod.rs 
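Review bot: `impl TrustRoot for ManualTrustRoot<'_>` is gated with `#[cfg(not(target_arch = "wasm32"))]`, so on wasm32 the trait exists (with `async_trait(?Send)`) but `ManualTrustRoot` does not implement it; the `SigstoreTrustRoot` impl in `src/trust/sigstore/mod.rs` is gated the same way. Mirroring the trait's attributes on the impl, `#[cfg_attr(not(target_arch = "wasm32"), async_trait)]` and `#[cfg_attr(target_arch = "wasm32", async_trait(?Send))]`, would keep out-of-band trust material usable on both targets. The extra `#[cfg(not(target_arch = "wasm32"))]` on `fulcio_certs` is redundant inside the gated impl and is not repeated on `rekor_keys`. The `Send + Sync` supertrait may also need a second look for the `?Send` case. The end of the impl block lies outside the hunk.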
@@ -26,29 +26,33 @@ //! The `SigstoreRootTrust` instance can be created via the [`SigstoreTrustRoot::prefetch`] //! method. //! -//! ```rust,no_run -//! use sigstore::trust::sigstore::SigstoreTrustRoot; -//! let repo = SigstoreTrustRoot::new(None).unwrap().prefetch().unwrap(); -//! ``` +/// ```rust +/// # use sigstore::trust::sigstore::SigstoreTrustRoot; +/// # use sigstore::errors::Result; +/// # #[tokio::main] +/// # async fn main() -> std::result::Result<(), anyhow::Error> { +/// let repo: Result = SigstoreTrustRoot::new(None).await?.prefetch().await; +/// // Now, get Fulcio and Rekor trust roots with the returned `SigstoreRootTrust` +/// # Ok(()) +/// # } +/// ``` +use async_trait::async_trait; +use futures::StreamExt; +use sha2::{Digest, Sha256}; use std::{ - cell::OnceCell, fs, - io::Read, path::{Path, PathBuf}, }; - -mod constants; -mod trustroot; - -use sha2::{Digest, Sha256}; +use tokio::sync::OnceCell; use tough::TargetName; use tracing::debug; use webpki::types::CertificateDer; -use self::trustroot::{CertificateAuthority, TimeRange, TransparencyLogInstance, TrustedRoot}; +mod constants; +mod trustroot; +use self::trustroot::{CertificateAuthority, TimeRange, TransparencyLogInstance, TrustedRoot}; use crate::errors::{Result, SigstoreError}; - pub use crate::trust::{ManualTrustRoot, TrustRoot}; /// Securely fetches Rekor public key and Fulcio certificates from Sigstore's TUF repository. 
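Review bot: The example block was switched from `//!` to `///`, so it no longer belongs to the module documentation above it; as an outer doc comment it attaches to the following `use async_trait::async_trait;` line, where rustdoc does not render it. `no_run` was dropped as well, and since `SigstoreTrustRoot::new` loads the repository from the Sigstore metadata URL, the example would need network access if it is picked up as a doctest. I would keep the `//!` prefix on every line of the example and tag the fence `rust,no_run`.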
@@ -61,15 +65,16 @@ pub struct SigstoreTrustRoot { impl SigstoreTrustRoot { /// Constructs a new trust repository established by a [tough::Repository]. - pub fn new(checkout_dir: Option<&Path>) -> Result { + pub async fn new(checkout_dir: Option<&Path>) -> Result { // These are statically defined and should always parse correctly. let metadata_base = url::Url::parse(constants::SIGSTORE_METADATA_BASE)?; let target_base = url::Url::parse(constants::SIGSTORE_TARGET_BASE)?; let repository = - tough::RepositoryLoader::new(constants::SIGSTORE_ROOT, metadata_base, target_base) + tough::RepositoryLoader::new(&constants::SIGSTORE_ROOT, metadata_base, target_base) .expiration_enforcement(tough::ExpirationEnforcement::Safe) .load() + .await .map_err(Box::new)?; Ok(Self { @@ -79,8 +84,8 @@ impl SigstoreTrustRoot { }) } - fn trusted_root(&self) -> Result<&TrustedRoot> { - fn init_trusted_root( + async fn trusted_root(&self) -> Result<&TrustedRoot> { + async fn init_trusted_root( repository: &tough::Repository, checkout_dir: Option<&PathBuf>, ) -> Result { @@ -91,19 +96,19 @@ impl SigstoreTrustRoot { repository, &trusted_root_target, local_path.as_ref(), - )?; + ) + .await?; debug!("data:\n{}", String::from_utf8_lossy(&data)); - Ok(serde_json::from_slice(&data[..])?) - } - - if let Some(root) = self.trusted_root.get() { - return Ok(root); + serde_json::from_slice(&data[..]).map_err(SigstoreError::from) } - let root = init_trusted_root(&self.repository, self.checkout_dir.as_ref())?; - Ok(self.trusted_root.get_or_init(|| root)) + self.trusted_root + .get_or_try_init(|| async { + init_trusted_root(&self.repository, self.checkout_dir.as_ref()).await + }) + .await } /// Prefetches trust materials. 
@@ -113,18 +118,17 @@ impl SigstoreTrustRoot { /// use this method to fetch the trust root ahead of time. /// /// ```rust - /// # use tokio::task::spawn_blocking; /// # use sigstore::trust::sigstore::SigstoreTrustRoot; /// # use sigstore::errors::Result; /// # #[tokio::main] /// # async fn main() -> std::result::Result<(), anyhow::Error> { - /// let repo: Result = spawn_blocking(|| Ok(SigstoreTrustRoot::new(None)?.prefetch()?)).await?; + /// let repo: Result = SigstoreTrustRoot::new(None).await?.prefetch().await; /// // Now, get Fulcio and Rekor trust roots with the returned `SigstoreRootTrust` /// # Ok(()) /// # } /// ``` - pub fn prefetch(self) -> Result { - let _ = self.trusted_root()?; + pub async fn prefetch(self) -> Result { + let _ = self.trusted_root().await?; Ok(self) } @@ -149,16 +153,16 @@ impl SigstoreTrustRoot { } } +#[cfg(not(target_arch = "wasm32"))] +#[async_trait] impl crate::trust::TrustRoot for SigstoreTrustRoot { /// Fetch Fulcio certificates from the given TUF repository or reuse /// the local cache if its contents are not outdated. /// /// The contents of the local cache are updated when they are outdated. - /// - /// **Warning:** this method needs special handling when invoked from - /// an async function because it performs blocking operations. - fn fulcio_certs(&self) -> Result> { - let root = self.trusted_root()?; + #[cfg(not(target_arch = "wasm32"))] + async fn fulcio_certs(&self) -> Result> { + let root = self.trusted_root().await?; // Allow expired certificates: they may have been active when the // certificate was used to sign. 
@@ -178,11 +182,8 @@ impl crate::trust::TrustRoot for SigstoreTrustRoot { /// the local cache if it's not outdated. /// /// The contents of the local cache are updated when they are outdated. - /// - /// **Warning:** this method needs special handling when invoked from - /// an async function because it performs blocking operations. - fn rekor_keys(&self) -> Result> { - let root = self.trusted_root()?; + async fn rekor_keys(&self) -> Result> { + let root = self.trusted_root().await?; let keys: Vec<_> = Self::tlog_keys(&root.tlogs).collect(); if keys.len() != 1 { @@ -230,7 +231,7 @@ fn is_timerange_valid(range: Option<&TimeRange>, allow_expired: bool) -> bool { /// /// **Note well:** the `local_file` is updated whenever its contents are /// outdated. -fn fetch_target_or_reuse_local_cache( +async fn fetch_target_or_reuse_local_cache( repository: &tough::Repository, target_name: &TargetName, local_file: Option<&PathBuf>, @@ -242,7 +243,7 @@ fn fetch_target_or_reuse_local_cache( }?; let data = if local_file_outdated { - let data = fetch_target(repository, target_name)?; + let data = fetch_target(repository, target_name).await?; if let Some(path) = local_file { // update the local file to have latest data from the TUF repo fs::write(path, data.clone())?; 
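Review bot: `fetch_target_or_reuse_local_cache` is now `async`, but the cache update still goes through the blocking `fs::write(path, data.clone())?`, while this commit removes the doc warnings about blocking operations from `fulcio_certs` and `rekor_keys`. Either move the file access off the executor, for example with `tokio::task::spawn_blocking`, or keep a short doc note that local cache I/O is synchronous. The copy is avoidable with `fs::write(path, &data)?;`. The function body starts and ends outside this hunk.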
@@ -259,14 +260,21 @@ fn fetch_target_or_reuse_local_cache( } /// Download a file from a TUF repository -fn fetch_target(repository: &tough::Repository, target_name: &TargetName) -> Result> { - let data: Vec; - match repository.read_target(target_name).map_err(Box::new)? { +async fn fetch_target(repository: &tough::Repository, target_name: &TargetName) -> Result> { + match repository + .read_target(target_name) + .await + .map_err(Box::new)? + { None => Err(SigstoreError::TufTargetNotFoundError( target_name.raw().to_string(), )), - Some(reader) => { - data = read_to_end(reader)?; + Some(mut stream) => { + let mut data = vec![]; + while let Some(d) = stream.next().await { + let mut d = Into::>::into(d.map_err(Box::new)?); + data.append(&mut d); + } Ok(data) } } @@ -302,9 +310,17 @@ fn is_local_file_outdated( } } -/// Gets the goods from a read and makes a Vec -fn read_to_end(mut reader: R) -> Result> { - let mut v = Vec::new(); - reader.read_to_end(&mut v)?; - Ok(v) +#[cfg(test)] +mod tests { + use crate::trust::sigstore::SigstoreTrustRoot; + + #[tokio::test] + async fn prefetch() { + let _repo = SigstoreTrustRoot::new(None) + .await + .expect("initialize SigstoreRepository") + .prefetch() + .await + .expect("prefetch"); + } } From 062ae7932e00c10f9933062520bfc10830bbeeb8 Mon Sep 17 00:00:00 2001 
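Review bot: In `fetch_target` each chunk is first converted into its own `Vec` and then appended, which costs a conversion per chunk on top of the copy. Assuming the stream yields byte buffers that deref to `[u8]`, `data.extend_from_slice(&chunk.map_err(Box::new)?);` copies straight from the chunk and lets the binding have a clearer name than the reused `d`. The doc line `/// Download a file from a TUF repository` could also state that the whole target is buffered in memory before it is returned.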
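Review bot: The new `prefetch` test calls `SigstoreTrustRoot::new(None)`, which loads the repository from the Sigstore metadata URL, so a test run with this feature enabled now depends on the live TUF repository being reachable. Marking the test `#[ignore]`, or gating it behind a feature the way `test-registry` is used in `src/cosign/mod.rs`, keeps the default run hermetic. A comment such as `// Talks to the public Sigstore TUF repository; requires network access.` above the test would make the dependency explicit.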
From: Flavio Castelli Date: Wed, 27 Mar 2024 16:04:07 +0100 Subject: [PATCH 24/25] Tag the 0.9.0 release == What's Changed * sign: init by @jleightcap in https://github.com/sigstore/sigstore-rs/pull/310 * cargo audit: ignore RUSTSEC-2023-0071 by @jleightcap in https://github.com/sigstore/sigstore-rs/pull/321 * chore(deps): Update json-syntax requirement from 0.9.6 to 0.10.0 by @dependabot in https://github.com/sigstore/sigstore-rs/pull/319 * chore(deps): Update cached requirement from 0.46.0 to 0.47.0 by @dependabot in https://github.com/sigstore/sigstore-rs/pull/323 * chore(deps): Update serial_test requirement from 2.0.0 to 3.0.0 by @dependabot in https://github.com/sigstore/sigstore-rs/pull/322 * dep: update rustls-webpki, fold in pki_types by @jleightcap in https://github.com/sigstore/sigstore-rs/pull/324 * chore(deps): Update cached requirement from 0.47.0 to 0.48.0 by @dependabot in https://github.com/sigstore/sigstore-rs/pull/325 * chore(deps): Update json-syntax requirement from 0.10.0 to 0.11.1 by @dependabot in https://github.com/sigstore/sigstore-rs/pull/327 * chore(deps): Update cached requirement from 0.48.0 to 0.49.2 by @dependabot in https://github.com/sigstore/sigstore-rs/pull/329 * chore(deps): Update json-syntax requirement from 0.11.1 to 0.12.2 by @dependabot in https://github.com/sigstore/sigstore-rs/pull/330 * lint: fix lint error of chrono and tokio by @Xynnn007 in https://github.com/sigstore/sigstore-rs/pull/334 * chore(deps): Update base64 requirement from 0.21.0 to 0.22.0 by @dependabot in https://github.com/sigstore/sigstore-rs/pull/332 * The `Repository` trait and `ManualRepository` struct no longer require a feature flag by @tannaurus in https://github.com/sigstore/sigstore-rs/pull/331 * chore(deps): Bump actions/checkout from 4.1.1 to 4.1.2 by @dependabot in https://github.com/sigstore/sigstore-rs/pull/336 * chore(deps): Update reqwest requirement from 0.11 to 0.12 by @dependabot in https://github.com/sigstore/sigstore-rs/pull/341 * 
update tough dep by @astoycos in https://github.com/sigstore/sigstore-rs/pull/340 == New Contributors * @tannaurus made their first contribution in https://github.com/sigstore/sigstore-rs/pull/331 * @astoycos made their first contribution in https://github.com/sigstore/sigstore-rs/pull/340 **Full Changelog**: https://github.com/sigstore/sigstore-rs/compare/v0.8.0...v0.9.0 Signed-off-by: Flavio Castelli --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index 944b534324..86adfec55d 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,7 +1,7 @@ [package] name = "sigstore" description = "An experimental crate to interact with sigstore" -version = "0.8.0" +version = "0.9.0" edition = "2021" authors = ["sigstore-rs developers"] license = "Apache-2.0" From cba52fe158ac49a628608ce09afd52819872de29 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Apr 2024 19:36:08 +0000 Subject: [PATCH 25/25] chore(deps): Update oci-distribution requirement from 0.10 to 0.11 Updates the requirements on [oci-distribution](https://github.com/krustlet/oci-distribution) to permit the latest version. - [Release notes](https://github.com/krustlet/oci-distribution/releases) - [Commits](https://github.com/krustlet/oci-distribution/compare/v0.10.0...v0.11.0) --- updated-dependencies: - dependency-name: oci-distribution dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index 86adfec55d..007981d74b 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -84,7 +84,7 @@ elliptic-curve = { version = "0.13.5", features = ["arithmetic", "pem"] }
 futures = "0.3"
 futures-util = { version = "0.3.30", optional = true }
 lazy_static = "1.4.0"
-oci-distribution = { version = "0.10", default-features = false, optional = true }
+oci-distribution = { version = "0.11", default-features = false, optional = true }
 olpc-cjson = "0.1"
 openidconnect = { version = "3.0", default-features = false, features = [
 "reqwest",