fix: ensure sigstore Trust Root is always fetched

We must always fetch the Sigstore Trust Root, otherwise policies making use of Sigstore won't be able to do keyless verifications. Prior to this commit, the Trust Root was fetched only when the policy integrity verification was turned on. Signed-off-by: Flavio Castelli <fcastelli@suse.com>
kubewarden · Jun 13, 2024 · a84092f · a84092f
1 parent 7bc1e0c
commit a84092f
Showing 1 changed file with 45 additions and 32 deletions.
diff --git a/src/lib.rs b/src/lib.rs
@@ -13,7 +13,7 @@ pub mod metrics;
 pub mod profiling;
 pub mod tracing;
 
-use ::tracing::{debug, info, Level};
+use ::tracing::{debug, info, warn, Level};
 use anyhow::{anyhow, Result};
 use axum::{
     routing::{get, post},
@@ -76,42 +76,20 @@ impl PolicyServer {
         let (callback_handler_shutdown_channel_tx, callback_handler_shutdown_channel_rx) =
             oneshot::channel();
 
-        let manual_root = if config.verification_config.is_some() {
-            if !config.sigstore_cache_dir.exists() {
-                fs::create_dir_all(&config.sigstore_cache_dir).map_err(|e| {
-                    anyhow!("Cannot create directory to cache sigstore data: {}", e)
-                })?;
+        let sigstore_trust_root = match create_sigstore_trustroot(&config).await {
+            Ok(trust_root) => Some(trust_root),
+            Err(e) => {
+                // Do not exit, only policies making use of sigstore's keyless/certificate based signatures will fail
+                // There are good chances everything is going to work fine in the majority of cases
+                warn!(?e, "Cannot create Sigstore trust root, verification relying on Rekor and Fulcio will fail");
+                None
             }
-
-            let repo = SigstoreTrustRoot::new(Some(config.sigstore_cache_dir.as_path())).await?;
-
-            let fulcio_certs: Vec<rustls_pki_types::CertificateDer> = repo
-                .fulcio_certs()
-                .expect("Cannot fetch Fulcio certificates from TUF repository")
-                .into_iter()
-                .map(|c| c.into_owned())
-                .collect();
-
-            let manual_root = ManualTrustRoot {
-                fulcio_certs,
-                rekor_keys: repo
-                    .rekor_keys()
-                    .expect("Cannot fetch Rekor keys from TUF repository")
-                    .iter()
-                    .map(|k| k.to_vec())
-                    .collect(),
-                ..Default::default()
-            };
-
-            Some(Arc::new(manual_root))
-        } else {
-            None
         };
 
         let mut callback_handler_builder =
             CallbackHandlerBuilder::new(callback_handler_shutdown_channel_rx)
                 .registry_config(config.sources.clone())
-                .trust_root(manual_root.clone());
+                .trust_root(sigstore_trust_root.clone());
 
         let kube_client: Option<kube::Client> = match kube::Client::try_default().await {
             Ok(client) => Some(client),
@@ -146,7 +124,13 @@ impl PolicyServer {
         let callback_sender_channel = callback_handler.sender_channel();
 
         // Download policies
-        let mut downloader = Downloader::new(config.sources.clone(), manual_root.clone()).await?;
+        let downloader_sigstore_trust_root = if config.verification_config.is_some() {
+            sigstore_trust_root.clone()
+        } else {
+            None
+        };
+        let mut downloader =
+            Downloader::new(config.sources.clone(), downloader_sigstore_trust_root).await?;
 
         let fetched_policies = downloader
             .download_policies(
@@ -302,3 +286,32 @@ fn precompile_policies(
         })
         .collect()
 }
+
+async fn create_sigstore_trustroot(config: &Config) -> Result<Arc<ManualTrustRoot<'static>>> {
+    if !config.sigstore_cache_dir.exists() {
+        fs::create_dir_all(&config.sigstore_cache_dir)
+            .map_err(|e| anyhow!("Cannot create directory to cache sigstore data: {}", e))?;
+    }
+
+    let repo = SigstoreTrustRoot::new(Some(config.sigstore_cache_dir.as_path())).await?;
+
+    let fulcio_certs: Vec<rustls_pki_types::CertificateDer> = repo
+        .fulcio_certs()
+        .expect("Cannot fetch Fulcio certificates from TUF repository")
+        .into_iter()
+        .map(|c| c.into_owned())
+        .collect();
+
+    let manual_root = ManualTrustRoot {
+        fulcio_certs,
+        rekor_keys: repo
+            .rekor_keys()
+            .expect("Cannot fetch Rekor keys from TUF repository")
+            .iter()
+            .map(|k| k.to_vec())
+            .collect(),
+        ..Default::default()
+    };
+
+    Ok(Arc::new(manual_root))
+}