Skip to content

Commit

Permalink
Merge pull request #792 from flavio/sigstore-fixes
Browse files Browse the repository at this point in the history 
sigstore fixes
  • Loading branch information
@fabriziosestito
fabriziosestito authored Jun 14, 2024
2 parents 61ee2f8 + a84092f commit e9f9733
Show file tree
Hide file tree
Showing 2 changed files with 46 additions and 33 deletions.
2 changes: 1 addition & 1 deletion Dockerfile
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM rust:1.70 AS build
FROM rust:1.78 AS build
WORKDIR /usr/src

# Download the target for static linking.
Expand Down
77 changes: 45 additions & 32 deletions src/lib.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ pub mod metrics;
pub mod profiling;
pub mod tracing;

use ::tracing::{debug, info, Level};
use ::tracing::{debug, info, warn, Level};
use anyhow::{anyhow, Result};
use axum::{
routing::{get, post},
Expand Down Expand Up @@ -76,42 +76,20 @@ impl PolicyServer {
let (callback_handler_shutdown_channel_tx, callback_handler_shutdown_channel_rx) =
oneshot::channel();

let manual_root = if config.verification_config.is_some() {
if !config.sigstore_cache_dir.exists() {
fs::create_dir_all(&config.sigstore_cache_dir).map_err(|e| {
anyhow!("Cannot create directory to cache sigstore data: {}", e)
})?;
let sigstore_trust_root = match create_sigstore_trustroot(&config).await {
Ok(trust_root) => Some(trust_root),
Err(e) => {
// Do not exit, only policies making use of sigstore's keyless/certificate based signatures will fail
// There are good chances everything is going to work fine in the majority of cases
warn!(?e, "Cannot create Sigstore trust root, verification relying on Rekor and Fulcio will fail");
None
}

let repo = SigstoreTrustRoot::new(Some(config.sigstore_cache_dir.as_path())).await?;

let fulcio_certs: Vec<rustls_pki_types::CertificateDer> = repo
.fulcio_certs()
.expect("Cannot fetch Fulcio certificates from TUF repository")
.into_iter()
.map(|c| c.into_owned())
.collect();

let manual_root = ManualTrustRoot {
fulcio_certs,
rekor_keys: repo
.rekor_keys()
.expect("Cannot fetch Rekor keys from TUF repository")
.iter()
.map(|k| k.to_vec())
.collect(),
..Default::default()
};

Some(Arc::new(manual_root))
} else {
None
};

let mut callback_handler_builder =
CallbackHandlerBuilder::new(callback_handler_shutdown_channel_rx)
.registry_config(config.sources.clone())
.trust_root(manual_root.clone());
.trust_root(sigstore_trust_root.clone());

let kube_client: Option<kube::Client> = match kube::Client::try_default().await {
Ok(client) => Some(client),
Expand Down Expand Up @@ -146,7 +124,13 @@ impl PolicyServer {
let callback_sender_channel = callback_handler.sender_channel();

// Download policies
let mut downloader = Downloader::new(config.sources.clone(), manual_root.clone()).await?;
let downloader_sigstore_trust_root = if config.verification_config.is_some() {
sigstore_trust_root.clone()
} else {
None
};
let mut downloader =
Downloader::new(config.sources.clone(), downloader_sigstore_trust_root).await?;

let fetched_policies = downloader
.download_policies(
Expand Down Expand Up @@ -302,3 +286,32 @@ fn precompile_policies(
})
.collect()
}

async fn create_sigstore_trustroot(config: &Config) -> Result<Arc<ManualTrustRoot<'static>>> {
if !config.sigstore_cache_dir.exists() {
fs::create_dir_all(&config.sigstore_cache_dir)
.map_err(|e| anyhow!("Cannot create directory to cache sigstore data: {}", e))?;
}

let repo = SigstoreTrustRoot::new(Some(config.sigstore_cache_dir.as_path())).await?;

let fulcio_certs: Vec<rustls_pki_types::CertificateDer> = repo
.fulcio_certs()
.expect("Cannot fetch Fulcio certificates from TUF repository")
.into_iter()
.map(|c| c.into_owned())
.collect();

let manual_root = ManualTrustRoot {
fulcio_certs,
rekor_keys: repo
.rekor_keys()
.expect("Cannot fetch Rekor keys from TUF repository")
.iter()
.map(|k| k.to_vec())
.collect(),
..Default::default()
};

Ok(Arc::new(manual_root))
}

0 comments on commit e9f9733

Please sign in to comment.