From 7bc1e0c1972d375093fc0a99940176607a23ed22 Mon Sep 17 00:00:00 2001
From: Flavio Castelli <fcastelli@suse.com>
Date: Thu, 13 Jun 2024 14:35:54 +0200
Subject: [PATCH 1/2] chore(deps): update Dockerfile used by local builds

Use latest version of Rust.

Signed-off-by: Flavio Castelli <fcastelli@suse.com>
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 1cbb9b64..76b25804 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM rust:1.70 AS build
+FROM rust:1.78 AS build
 WORKDIR /usr/src
 
 # Download the target for static linking.

From a84092fa2089a05d7e4c6ef92b03c4d12e70e5a9 Mon Sep 17 00:00:00 2001
From: Flavio Castelli <fcastelli@suse.com>
Date: Thu, 13 Jun 2024 14:36:17 +0200
Subject: [PATCH 2/2] fix: ensure sigstore Trust Root is always fetched

We must always fetch the Sigstore Trust Root, otherwise policies making
use of Sigstore won't be able to do keyless verifications.

Prior to this commit, the Trust Root was fetched only when the policy
integrity verification was turned on.

Signed-off-by: Flavio Castelli <fcastelli@suse.com>
---
 src/lib.rs | 77 +++++++++++++++++++++++++++++++-----------------------
 1 file changed, 45 insertions(+), 32 deletions(-)

diff --git a/src/lib.rs b/src/lib.rs
index 1fc9a8ea..6330ae20 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -13,7 +13,7 @@ pub mod metrics;
 pub mod profiling;
 pub mod tracing;
 
-use ::tracing::{debug, info, Level};
+use ::tracing::{debug, info, warn, Level};
 use anyhow::{anyhow, Result};
 use axum::{
     routing::{get, post},
@@ -76,42 +76,20 @@ impl PolicyServer {
         let (callback_handler_shutdown_channel_tx, callback_handler_shutdown_channel_rx) =
             oneshot::channel();
 
-        let manual_root = if config.verification_config.is_some() {
-            if !config.sigstore_cache_dir.exists() {
-                fs::create_dir_all(&config.sigstore_cache_dir).map_err(|e| {
-                    anyhow!("Cannot create directory to cache sigstore data: {}", e)
-                })?;
+        let sigstore_trust_root = match create_sigstore_trustroot(&config).await {
+            Ok(trust_root) => Some(trust_root),
+            Err(e) => {
+                // Do not exit, only policies making use of sigstore's keyless/certificate based signatures will fail
+                // There are good chances everything is going to work fine in the majority of cases
+                warn!(?e, "Cannot create Sigstore trust root, verification relying on Rekor and Fulcio will fail");
+                None
             }
-
-            let repo = SigstoreTrustRoot::new(Some(config.sigstore_cache_dir.as_path())).await?;
-
-            let fulcio_certs: Vec<rustls_pki_types::CertificateDer> = repo
-                .fulcio_certs()
-                .expect("Cannot fetch Fulcio certificates from TUF repository")
-                .into_iter()
-                .map(|c| c.into_owned())
-                .collect();
-
-            let manual_root = ManualTrustRoot {
-                fulcio_certs,
-                rekor_keys: repo
-                    .rekor_keys()
-                    .expect("Cannot fetch Rekor keys from TUF repository")
-                    .iter()
-                    .map(|k| k.to_vec())
-                    .collect(),
-                ..Default::default()
-            };
-
-            Some(Arc::new(manual_root))
-        } else {
-            None
         };
 
         let mut callback_handler_builder =
             CallbackHandlerBuilder::new(callback_handler_shutdown_channel_rx)
                 .registry_config(config.sources.clone())
-                .trust_root(manual_root.clone());
+                .trust_root(sigstore_trust_root.clone());
 
         let kube_client: Option<kube::Client> = match kube::Client::try_default().await {
             Ok(client) => Some(client),
@@ -146,7 +124,13 @@ impl PolicyServer {
         let callback_sender_channel = callback_handler.sender_channel();
 
         // Download policies
-        let mut downloader = Downloader::new(config.sources.clone(), manual_root.clone()).await?;
+        let downloader_sigstore_trust_root = if config.verification_config.is_some() {
+            sigstore_trust_root.clone()
+        } else {
+            None
+        };
+        let mut downloader =
+            Downloader::new(config.sources.clone(), downloader_sigstore_trust_root).await?;
 
         let fetched_policies = downloader
             .download_policies(
@@ -302,3 +286,32 @@ fn precompile_policies(
         })
         .collect()
 }
+
+async fn create_sigstore_trustroot(config: &Config) -> Result<Arc<ManualTrustRoot<'static>>> {
+    if !config.sigstore_cache_dir.exists() {
+        fs::create_dir_all(&config.sigstore_cache_dir)
+            .map_err(|e| anyhow!("Cannot create directory to cache sigstore data: {}", e))?;
+    }
+
+    let repo = SigstoreTrustRoot::new(Some(config.sigstore_cache_dir.as_path())).await?;
+
+    let fulcio_certs: Vec<rustls_pki_types::CertificateDer> = repo
+        .fulcio_certs()
+        .expect("Cannot fetch Fulcio certificates from TUF repository")
+        .into_iter()
+        .map(|c| c.into_owned())
+        .collect();
+
+    let manual_root = ManualTrustRoot {
+        fulcio_certs,
+        rekor_keys: repo
+            .rekor_keys()
+            .expect("Cannot fetch Rekor keys from TUF repository")
+            .iter()
+            .map(|k| k.to_vec())
+            .collect(),
+        ..Default::default()
+    };
+
+    Ok(Arc::new(manual_root))
+}