sigstore-java
Pinned Fulcio and Rekor root certs should be updatable via TUF
Currently we have statically included the Rekor and Fulcio public keys into the library. These keys should be updatable via TUF.
Here is a list of follow-on items that I need to do:
- [x] Handle upcoming addition of PEM headers to role public keys. [ex](https://github.com/sigstore/sigstore/compare/main...asraa:sigstore:test-migrate-root?expand=1)
- [x] Implement local store interface to replace direct filesystem read/write
- [x] Implement snapshot update
- [x] Implement timestamp update
- [x] Implement target updates
- [x] move to consistent snapshots
- [ ] add support for creating/managing map.json. I suspect we want to isolate our map.json repos from other clients.
- [ ] API for fetching TUF targets (rekor and fulcio public keys) with meta support for service url -> root mapping. See client design [here](https://docs.google.com/document/d/1QWBvpwYxOy9njAmd8vpizNQpPti9rd5ugVhji0r3T4c/edit)
- [ ] client should have configurable timeouts
Obviously as we add more resource types we need to refactor. The good news is most of the weirdness in the parsing and verification has been tackled so the rest of the resources should be pretty quick. (famous last words).
The question is how the default caching should work.
It would be weird if every signing would require TUF update.
On the other hand, if we claim $HOME/.sigstore-java/caches/tuf, then we would need to plan for concurrent access (e.g. multiple sigstore-java trying to update TUF concurrently).
On the other hand, it might be fun to have cross-ecosystem TUF cache, so the cache folder could be like .sigstore/caches/tuf
@vlsi take a look at https://docs.google.com/document/d/1QWBvpwYxOy9njAmd8vpizNQpPti9rd5ugVhji0r3T4c/edit for the way the local store is supposed to work. We expect to store the local cache under ~/.sigstore by default and then there's going to probably be a sub-directory per client-spec (map.json), that we would probably create from the client.
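As an added illustration of the concurrent-access concern raised above (this is example code, not sigstore-java's own local store), the sketch below guards a shared cache directory with an OS-level file lock and replaces metadata files atomically, so a second process updating the same TUF repo never observes a half-written root.json or timestamp.json. Class and method names are assumptions; the cache path mirrors the ~/.sigstore layout described in the thread.

```java
import java.io.IOException;
import java.nio.channels.FileChannel;
import java.nio.channels.FileLock;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.nio.file.StandardOpenOption;

// Hypothetical local TUF store (not the project's code). One instance per
// cache directory, e.g. ~/.sigstore/caches/tuf/<repo-from-map.json>.
public final class LockedTufStore {
    private final Path dir;

    public LockedTufStore(Path dir) throws IOException {
        this.dir = Files.createDirectories(dir);
    }

    /** Runs {@code update} while holding an exclusive lock on {@code dir/.lock}.
     *  The lock is advisory across processes; within one JVM, a second lock on the
     *  same file throws OverlappingFileLockException, so serialise in-process callers
     *  with a mutex and keep one store instance per directory. */
    public void withExclusiveLock(IoAction update) throws IOException {
        try (FileChannel ch = FileChannel.open(dir.resolve(".lock"),
                StandardOpenOption.CREATE, StandardOpenOption.WRITE);
             FileLock lock = ch.lock()) {   // blocks until the other updater is done
            update.run();
        }
    }

    /** Writes to a temp file in the same directory, then renames it over the target
     *  so readers see either the old or the new metadata, never a torn file. */
    public void writeMetadata(String name, byte[] json) throws IOException {
        Path tmp = Files.createTempFile(dir, name, ".tmp");
        Files.write(tmp, json);
        Files.move(tmp, dir.resolve(name), StandardCopyOption.ATOMIC_MOVE);
    }

    public byte[] readMetadata(String name) throws IOException {
        return Files.readAllBytes(dir.resolve(name));
    }

    @FunctionalInterface
    public interface IoAction { void run() throws IOException; }

    public static void main(String[] args) throws IOException {
        // Demo uses a temp dir instead of the real ~/.sigstore cache.
        LockedTufStore store = new LockedTufStore(Files.createTempDirectory("tuf-cache"));
        byte[] constructed = "{\"signed\":{\"_type\":\"timestamp\"}}".getBytes(StandardCharsets.UTF_8);
        store.withExclusiveLock(() -> store.writeMetadata("timestamp.json", constructed));
        System.out.println(new String(store.readMetadata("timestamp.json"), StandardCharsets.UTF_8));
    }
}
```

A cross-ecosystem cache (the .sigstore/caches/tuf idea) would need every client to agree on the same lock file and on the atomic-rename convention, otherwise the lock protects nothing.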
done!