Upgrade to TUF v2 client
Swap the use of the go-tuf v0.7.0 client from sigstore/sigstore to the v2.0.0 client from sigstore/sigstore-go.
This change strictly adds logic to attempt to use the sigstore-go TUF client if possible, and falls back to the old TUF client. The new client can either fetch the trusted_root.json or fetch targets by name, but cannot query targets by custom metadata. Since this is different from the old client and not all deployments use trusted_root.json to rotate keys, environment variables are added so that users can opt into this new behavior. The logic in this change works as follows:
- if a path of a key is provided by a SIGSTORE_ environment variable, read that file and use it (same as previously)
- if new environment variables TUF_MIRROR, TUF_ROOT_JSON or TUF_USE_TRUSTED_ROOT are set, use those to instantiate a TUF v2 client.
- if TUF_MIRROR or TUF_ROOT_JSON are not set but a v2 client is requested, try reading the mirror from remote.json, which is set by cosign initialize, and try reading the root.json from the mirror's cache directory which may have been created by a previous TUF v2 run. Otherwise, use the default public mirror and embedded root.json.
- if TUF v2 was not opted into by setting an environment variable, fall back to the v1 client
Also note that the use of the "status" field in the custom TUF metadata is removed, as it was only used for human-readable feedback.
TODO:
- [ ] e2e tests - waiting for https://github.com/sigstore/sigstore-go/pull/247 to be merged and percolated into the scaffolding action
Fixes https://github.com/sigstore/cosign/issues/3548
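The client-selection order described in this PR, written out as an added example (not cosign's own code) so the fallback chain can be unit-tested without touching the real environment. Assumed: `SelectTUFClient`, `Choice` and the `keyVar` parameter are hypothetical names; `remote.json` is assumed to contain `{"mirror": "<url>"}`; the default public mirror and the cache-directory layout are placeholders.

```go
package main

import (
	"encoding/json"
	"path/filepath"
)

// Choice records which client the rules selected and the inputs it will use.
type Choice struct {
	Client      string // "keyfile", "v2" or "v1"
	KeyPath     string
	Mirror      string
	RootJSON    []byte // raw root.json; nil means "use the embedded root"
	TrustedRoot bool   // TUF_USE_TRUSTED_ROOT was set
}

const defaultMirror = "PLACEHOLDER_DEFAULT_PUBLIC_MIRROR" // real value not on the page

// SelectTUFClient applies the PR's rules in order. keyVar names the SIGSTORE_*
// variable that may point at a key file; read returns a file's bytes or an error.
func SelectTUFClient(env map[string]string, keyVar string, read func(string) ([]byte, error)) (Choice, error) {
	// Rule 1: an explicit key path wins, exactly as before this change.
	if p := env[keyVar]; p != "" {
		if _, err := read(p); err != nil {
			return Choice{}, err
		}
		return Choice{Client: "keyfile", KeyPath: p}, nil
	}
	mirror, root, trusted := env["TUF_MIRROR"], env["TUF_ROOT_JSON"], env["TUF_USE_TRUSTED_ROOT"] != ""
	// Rule 4: nothing opted into v2, so keep using the v1 client.
	if mirror == "" && root == "" && !trusted {
		return Choice{Client: "v1"}, nil
	}
	c := Choice{Client: "v2", Mirror: mirror, TrustedRoot: trusted}
	// Rules 2/3: mirror from the env var, else remote.json (written by cosign initialize), else default.
	if c.Mirror == "" {
		if b, err := read("remote.json"); err == nil {
			var r struct{ Mirror string `json:"mirror"` }
			if json.Unmarshal(b, &r) == nil && r.Mirror != "" {
				c.Mirror = r.Mirror
			}
		}
	}
	if c.Mirror == "" {
		c.Mirror = defaultMirror
	}
	// root.json from the env var, else a copy cached by an earlier v2 run, else the embedded root.
	rootPath := root
	if rootPath == "" {
		rootPath = filepath.Join("PLACEHOLDER_CACHE_DIR", c.Mirror, "root.json") // placeholder layout
	}
	if b, err := read(rootPath); err == nil {
		c.RootJSON = b
	} else if root != "" {
		return Choice{}, err // an explicitly named root.json that cannot be read is fatal
	}
	return c, nil
}
```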