diff --git a/Dockerfile b/Dockerfile index 1cbb9b64..76b25804 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM rust:1.70 AS build +FROM rust:1.78 AS build WORKDIR /usr/src # Download the target for static linking. diff --git a/src/lib.rs b/src/lib.rs index 1fc9a8ea..6330ae20 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -13,7 +13,7 @@ pub mod metrics; pub mod profiling; pub mod tracing; -use ::tracing::{debug, info, Level}; +use ::tracing::{debug, info, warn, Level}; use anyhow::{anyhow, Result}; use axum::{ routing::{get, post}, @@ -76,42 +76,20 @@ impl PolicyServer { let (callback_handler_shutdown_channel_tx, callback_handler_shutdown_channel_rx) = oneshot::channel(); - let manual_root = if config.verification_config.is_some() { - if !config.sigstore_cache_dir.exists() { - fs::create_dir_all(&config.sigstore_cache_dir).map_err(|e| { - anyhow!("Cannot create directory to cache sigstore data: {}", e) - })?; + let sigstore_trust_root = match create_sigstore_trustroot(&config).await { + Ok(trust_root) => Some(trust_root), + Err(e) => { + // Do not exit, only policies making use of sigstore's keyless/certificate based signatures will fail + // There are good chances everything is going to work fine in the majority of cases + warn!(?e, "Cannot create Sigstore trust root, verification relying on Rekor and Fulcio will fail"); + None } - - let repo = SigstoreTrustRoot::new(Some(config.sigstore_cache_dir.as_path())).await?; - - let fulcio_certs: Vec = repo - .fulcio_certs() - .expect("Cannot fetch Fulcio certificates from TUF repository") - .into_iter() - .map(|c| c.into_owned()) - .collect(); - - let manual_root = ManualTrustRoot { - fulcio_certs, - rekor_keys: repo - .rekor_keys() - .expect("Cannot fetch Rekor keys from TUF repository") - .iter() - .map(|k| k.to_vec()) - .collect(), - ..Default::default() - }; - - Some(Arc::new(manual_root)) - } else { - None }; let mut callback_handler_builder = CallbackHandlerBuilder::new(callback_handler_shutdown_channel_rx) .registry_config(config.sources.clone()) - .trust_root(manual_root.clone()); + .trust_root(sigstore_trust_root.clone()); let kube_client: Option = match kube::Client::try_default().await { Ok(client) => Some(client), @@ -146,7 +124,13 @@ impl PolicyServer { let callback_sender_channel = callback_handler.sender_channel(); // Download policies - let mut downloader = Downloader::new(config.sources.clone(), manual_root.clone()).await?; + let downloader_sigstore_trust_root = if config.verification_config.is_some() { + sigstore_trust_root.clone() + } else { + None + }; + let mut downloader = + Downloader::new(config.sources.clone(), downloader_sigstore_trust_root).await?; let fetched_policies = downloader .download_policies( @@ -302,3 +286,32 @@ fn precompile_policies( }) .collect() } + +async fn create_sigstore_trustroot(config: &Config) -> Result>> { + if !config.sigstore_cache_dir.exists() { + fs::create_dir_all(&config.sigstore_cache_dir) + .map_err(|e| anyhow!("Cannot create directory to cache sigstore data: {}", e))?; + } + + let repo = SigstoreTrustRoot::new(Some(config.sigstore_cache_dir.as_path())).await?; + + let fulcio_certs: Vec = repo + .fulcio_certs() + .expect("Cannot fetch Fulcio certificates from TUF repository") + .into_iter() + .map(|c| c.into_owned()) + .collect(); + + let manual_root = ManualTrustRoot { + fulcio_certs, + rekor_keys: repo + .rekor_keys() + .expect("Cannot fetch Rekor keys from TUF repository") + .iter() + .map(|k| k.to_vec()) + .collect(), + ..Default::default() + }; + + Ok(Arc::new(manual_root)) +}