Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add digest to targets metadata directly #170

Merged
merged 18 commits into from
Jan 19, 2022
Merged

Add digest to targets metadata directly #170

merged 18 commits into from
Jan 19, 2022

Conversation

mnm678
Copy link
Collaborator

@mnm678 mnm678 commented Oct 22, 2021
edited
Loading

Allows users of go-tuf to sign oci images or other non-local targets by directly providing the hash and length of these artifacts. Solves #165

cc @ethan-lowman-dd @trishankatdatadog @sudo-bmitch

trishankatdatadog
trishankatdatadog reviewed Oct 28, 2021
View reviewed changes
repo.go Outdated Show resolved Hide resolved
repo.go Outdated Show resolved Hide resolved
@mnm678
Copy link
Collaborator Author

mnm678 commented Oct 28, 2021

hmm, the Ubuntu build is failing to install snappy. I don't think that relates to this pr, but I'm not sure what's causing it.

@joshuagl
Copy link
Member

The build is failing in go fmt, which only runs on Linux (i.e. Ubuntu), see

go-tuf/.github/workflows/build.yml

Line 24 in fc0190d

- name: Format Unix

If I run go fmt locally on a clone of this branch it reformats repo_test.go thus:

diff --git a/repo_test.go b/repo_test.go
index bc55210..c764162 100644
--- a/repo_test.go
+++ b/repo_test.go
@@ -1684,7 +1684,7 @@ func (rs *RepoSuite) TestBadAddOrUpdateSignatures(c *C) {
        checkSigIDs("root.json")
 }

-func (rs *RepoSuite) TestSignDigest(c *C){
+func (rs *RepoSuite) TestSignDigest(c *C) {
        files := map[string][]byte{"foo.txt": []byte("foo")}
        local := MemoryStore(make(map[string]json.RawMessage), files)
        r, err := NewRepo(local)
@@ -1708,7 +1708,7 @@ func (rs *RepoSuite) TestSignDigest(c *C){
        c.Assert(err, IsNil)

        targets, err := r.targets()
-               c.Assert(err, IsNil)
+       c.Assert(err, IsNil)
        c.Assert(targets.Targets["sha256:bc11b176a293bb341a0f2d0d226f52e7fcebd186a7c4dfca5fc64f305f06b94c"].FileMeta.Length, Equals, size)
        c.Assert(targets.Targets["sha256:bc11b176a293bb341a0f2d0d226f52e7fcebd186a7c4dfca5fc64f305f06b94c"].FileMeta.Hashes["sha256"], DeepEquals, hex_digest_bytes)

ethan-lowman-dd
ethan-lowman-dd reviewed Nov 17, 2021
View reviewed changes
repo.go Outdated Show resolved Hide resolved
repo.go Outdated Show resolved Hide resolved
repo.go Outdated Show resolved Hide resolved
repo.go Outdated Show resolved Hide resolved
repo.go Outdated Show resolved Hide resolved
repo.go Outdated Show resolved Hide resolved
@mnm678
Copy link
Collaborator Author

mnm678 commented Nov 17, 2021

Thank for the review @ethan-lowman-dd!

@coveralls
Copy link

coveralls commented Nov 29, 2021
edited
Loading

Pull Request Test Coverage Report for Build 1719253116

  • 26 of 41 (63.41%) changed or added relevant lines in 2 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage decreased (-0.1%) to 70.28%
Changes Missing Coverage Covered Lines Changed/Added Lines %
repo.go 17 24 70.83%
client/client.go 9 17 52.94%
Totals Coverage Status
Change from base Build 1695351458: -0.1%
Covered Lines: 2159
Relevant Lines: 3072
💛 - Coveralls

@mnm678
Copy link
Collaborator Author

mnm678 commented Nov 29, 2021

I added the client verification and fixed the test failures, so I think this is ready for another review @ethan-lowman-dd or @trishankatdatadog

@trishankatdatadog
Copy link
Member

I added the client verification and fixed the test failures, so I think this is ready for another review @ethan-lowman-dd or @trishankatdatadog

Awesome! Ethan, would you please help? 🙂

ethan-lowman-dd
ethan-lowman-dd reviewed Dec 2, 2021
View reviewed changes
repo.go Outdated Show resolved Hide resolved
repo.go Outdated Show resolved Hide resolved
repo.go Outdated Show resolved Hide resolved
repo.go Outdated Show resolved Hide resolved
ethan-lowman-dd
ethan-lowman-dd reviewed Dec 2, 2021
View reviewed changes
client/client.go Show resolved Hide resolved
repo.go Show resolved Hide resolved
repo.go Outdated Show resolved Hide resolved
ethan-lowman-dd
ethan-lowman-dd previously approved these changes Dec 3, 2021
View reviewed changes
trishankatdatadog
trishankatdatadog suggested changes Dec 3, 2021
View reviewed changes
repo.go Show resolved Hide resolved
repo.go Show resolved Hide resolved
repo.go Outdated Show resolved Hide resolved
@mnm678 mnm678 mentioned this pull request Dec 6, 2021
Closed
@mnm678 mnm678 requested a review from asraa December 14, 2021 16:21
@mnm678
Copy link
Collaborator Author

mnm678 commented Jan 6, 2022

ping @trishankatdatadog you're marked as requesting changes. Do the latest commits address those?

asraa
asraa reviewed Jan 19, 2022
View reviewed changes
client/client.go Outdated Show resolved Hide resolved
repo.go Outdated Show resolved Hide resolved
@trishankatdatadog
Copy link
Member

ping @trishankatdatadog you're marked as requesting changes. Do the latest commits address those?

Will review today during our meeting. Thanks!

@mnm678
Add digest to targets metadata directly
821edfc 
This commit allows users of go-tuf to sign oci images or other
non-local targets by directly providing the hash and length of
these artifacts.

Signed-off-by: Marina Moore <mnm678@gmail.com>
@mnm678
dynamically determine hash algorithm in AddDigestTarget
6c799bb 
Signed-off-by: Marina Moore <mnm678@gmail.com>
@mnm678
Add verification of digest signatures
89ce497 
Signed-off-by: Marina Moore <mnm678@gmail.com>
@mnm678
Update digest delegation based on pr feedback
99993af 
Signed-off-by: Marina Moore <mnm678@gmail.com>
@mnm678
fix formatting
ae412af 
Signed-off-by: Marina Moore <mnm678@gmail.com>
@mnm678
add client test for VerifyDigest
7eb4419 
Signed-off-by: Marina Moore <mnm678@gmail.com>
mnm678 and others added 11 commits January 19, 2022 11:57
@mnm678
allow verifydigest to have a path
6829ff4 
Signed-off-by: Marina Moore <mnm678@gmail.com>
@mnm678 @ethan-lowman-dd
Update repo.go
1db34a2 
Co-authored-by: Ethan Lowman <53835328+ethan-lowman-dd@users.noreply.github.com>
@mnm678
Add and verify non-oci digests
15495f4 
Signed-off-by: Marina Moore <mnm678@gmail.com>
@mnm678
fix test
387ed15 
Signed-off-by: Marina Moore <mnm678@gmail.com>
@mnm678
fix go vet errors
3e8da13 
Signed-off-by: Marina Moore <mnm678@gmail.com>
@mnm678
AddDigestTargets -> AddTargetsWithDigest
be54bcb 
Signed-off-by: Marina Moore <mnm678@gmail.com>
@mnm678
AddDigestTargets -> AddTargetsWithDigest
5a8e8b7 
Signed-off-by: Marina Moore <mnm678@gmail.com>
@mnm678
fix go vet
685fb7c 
Signed-off-by: Marina Moore <mnm678@gmail.com>
@mnm678
fix static check
a58a1bd 
Signed-off-by: Marina Moore <mnm678@gmail.com>
@mnm678
update function signatures for VerifyDigest, AddTargetsWithDigest
06228a9 
Signed-off-by: Marina Moore <mnm678@gmail.com>
@mnm678
use topLevelTargets() instead of targets()
3088a24 
Signed-off-by: Marina Moore <mnm678@gmail.com>
@mnm678
Copy link
Collaborator Author

mnm678 commented Jan 19, 2022

Thanks @asraa. I addressed your comments and rebased for some of the delegations pr changes.

@mnm678
bug fix
7924729 
Signed-off-by: Marina Moore <mnm678@gmail.com>
@trishankatdatadog trishankatdatadog merged commit b072577 into theupdateframework:master Jan 19, 2022
@znewman01 znewman01 mentioned this pull request Nov 14, 2022
Closed
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asraa asraa asraa approved these changes

@trishankatdatadog trishankatdatadog trishankatdatadog approved these changes

@ethan-lowman-dd ethan-lowman-dd ethan-lowman-dd left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@mnm678 @joshuagl @coveralls @trishankatdatadog @asraa @ethan-lowman-dd