From a84092fa2089a05d7e4c6ef92b03c4d12e70e5a9 Mon Sep 17 00:00:00 2001 From: Flavio Castelli Date: Thu, 13 Jun 2024 14:36:17 +0200 Subject: [PATCH] fix: ensure sigstore Trust Root is always fetched We must always fetch the Sigstore Trust Root, otherwise policies making use of Sigstore won't be able to do keyless verifications. Prior to this commit, the Trust Root was fetched only when the policy integrity verification was turned on. Signed-off-by: Flavio Castelli --- src/lib.rs | 77 +++++++++++++++++++++++++++++++----------------------- 1 file changed, 45 insertions(+), 32 deletions(-) diff --git a/src/lib.rs b/src/lib.rs index 1fc9a8ea..6330ae20 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -13,7 +13,7 @@ pub mod metrics; pub mod profiling; pub mod tracing; -use ::tracing::{debug, info, Level}; +use ::tracing::{debug, info, warn, Level}; use anyhow::{anyhow, Result}; use axum::{ routing::{get, post}, @@ -76,42 +76,20 @@ impl PolicyServer { let (callback_handler_shutdown_channel_tx, callback_handler_shutdown_channel_rx) = oneshot::channel(); - let manual_root = if config.verification_config.is_some() { - if !config.sigstore_cache_dir.exists() { - fs::create_dir_all(&config.sigstore_cache_dir).map_err(|e| { - anyhow!("Cannot create directory to cache sigstore data: {}", e) - })?; + let sigstore_trust_root = match create_sigstore_trustroot(&config).await { + Ok(trust_root) => Some(trust_root), + Err(e) => { + // Do not exit, only policies making use of sigstore's keyless/certificate based signatures will fail + // There are good chances everything is going to work fine in the majority of cases + warn!(?e, "Cannot create Sigstore trust root, verification relying on Rekor and Fulcio will fail"); + None } - - let repo = SigstoreTrustRoot::new(Some(config.sigstore_cache_dir.as_path())).await?; - - let fulcio_certs: Vec = repo - .fulcio_certs() - .expect("Cannot fetch Fulcio certificates from TUF repository") - .into_iter() - .map(|c| c.into_owned()) - .collect(); - - let manual_root = ManualTrustRoot { - fulcio_certs, - rekor_keys: repo - .rekor_keys() - .expect("Cannot fetch Rekor keys from TUF repository") - .iter() - .map(|k| k.to_vec()) - .collect(), - ..Default::default() - }; - - Some(Arc::new(manual_root)) - } else { - None }; let mut callback_handler_builder = CallbackHandlerBuilder::new(callback_handler_shutdown_channel_rx) .registry_config(config.sources.clone()) - .trust_root(manual_root.clone()); + .trust_root(sigstore_trust_root.clone()); let kube_client: Option = match kube::Client::try_default().await { Ok(client) => Some(client), @@ -146,7 +124,13 @@ impl PolicyServer { let callback_sender_channel = callback_handler.sender_channel(); // Download policies - let mut downloader = Downloader::new(config.sources.clone(), manual_root.clone()).await?; + let downloader_sigstore_trust_root = if config.verification_config.is_some() { + sigstore_trust_root.clone() + } else { + None + }; + let mut downloader = + Downloader::new(config.sources.clone(), downloader_sigstore_trust_root).await?; let fetched_policies = downloader .download_policies( @@ -302,3 +286,32 @@ fn precompile_policies( }) .collect() } + +async fn create_sigstore_trustroot(config: &Config) -> Result>> { + if !config.sigstore_cache_dir.exists() { + fs::create_dir_all(&config.sigstore_cache_dir) + .map_err(|e| anyhow!("Cannot create directory to cache sigstore data: {}", e))?; + } + + let repo = SigstoreTrustRoot::new(Some(config.sigstore_cache_dir.as_path())).await?; + + let fulcio_certs: Vec = repo + .fulcio_certs() + .expect("Cannot fetch Fulcio certificates from TUF repository") + .into_iter() + .map(|c| c.into_owned()) + .collect(); + + let manual_root = ManualTrustRoot { + fulcio_certs, + rekor_keys: repo + .rekor_keys() + .expect("Cannot fetch Rekor keys from TUF repository") + .iter() + .map(|k| k.to_vec()) + .collect(), + ..Default::default() + }; + + Ok(Arc::new(manual_root)) +}