Drop support for online verification #840

Horiodino · 2025-02-19T17:26:14Z

fixes: #792 (comment)

Horiodino · 2025-02-20T14:30:50Z

I don't see much need for unit tests here, but I added them for code coverage.

patzielinski

@Horiodino could you rebase and update (go mod tidy) go.mod and go.sum as needed to allow CI to run?

internal/signerverifier/sigstore/sigstore.go

adityasaky · 2025-02-25T17:21:35Z

fyi: I'm at a conference, so my review will be slightly delayed, apologies.

go.mod

adityasaky · 2025-03-14T20:42:45Z

I'll review this with a private sigstore instance, but eyeballing it, it looks good. :)

s/review/test

adityasaky · 2025-03-18T17:26:52Z

internal/signerverifier/sigstore/sigstore.go

+func (v *Verifier) getTUFRoot() (root.TrustedMaterial, error) {
+	rootFilePath := os.Getenv("SIGSTORE_TRUSTED_ROOT")
+	if rootFilePath == "" {
+		return nil, tuf.ErrNoTrustedRootFound


we should default to the public good instance in this case, since the private sigstore root isn't declared.

I would also use https://github.com/sigstore/sigstore-go/blob/main/pkg/tuf/options.go#L85-L88 so we're still using tuf semantics to bootstrap trust for the root file.

I don't think that's necessary—the DefaultOptions already takes care of that. [Reference]

I would also use https://github.com/sigstore/sigstore-go/blob/main/pkg/tuf/options.go#L85-L88 so we're still using tuf semantics to bootstrap trust for the root file.

Yes, but you return an error before the client is hit, no? In the public good case, we don't need the env var set.

is it correct now ?

adityasaky · 2025-03-21T16:50:45Z

internal/signerverifier/sigstore/sigstore.go

-	// TODO: support custom sigstore TUF root URL
-
-	tufClient, err := sigstoretuf.New(sigstoretuf.DefaultOptions())
+	trustedRootBytes, err := os.ReadFile(rootFilePath)


This is a bit off. Unfortunately, "root" is a bit overloaded here. We want to load the root.json bytes for the TUF repository, that's what's embedded in the sigstore-go library as well for the public good instance. Then, using that TUF root and the TUF client, we want to separately fetch trusted_root.json which is not the same as the TUF root.

TUF root -> https://github.com/sigstore/sigstore-go/blob/main/pkg/tuf/repository/root.json
trusted_root.json -> https://tuf-repo-cdn.sigstore.dev/targets/f44a1b88128e55ebfb62189becbc0fa48d4ec9915c65ac54ba0e46a008b12d5b.trusted_root.json on the public good instance

I suggest you load the TUF root from the env var if it's set. Then override the tuf client's options to set the bytes you loaded instead of the default, embedded tuf root file.

Signed-off-by: Horiodino <[email protected]> use default client opts Signed-off-by: Horiodino <[email protected]> remove unused var Signed-off-by: Horiodino <[email protected]> updated go.mod Signed-off-by: Horiodino <[email protected]> fetch trustedroot.json from env Signed-off-by: Horiodino <[email protected]> use public good instance if SIGSTORE_TRUSTED_ROOT is nil Signed-off-by: Horiodino <[email protected]> updated test case Signed-off-by: Horiodino <[email protected]> updated test case Signed-off-by: Horiodino <[email protected]>

adityasaky · 2025-03-22T22:13:29Z

internal/signerverifier/sigstore/sigstore.go

+		opts := &sigstoretuf.Options{
+			Root:              tufRootBytes,
+			CacheValidity:     sigstoretuf.DefaultOptions().CacheValidity,
+			RepositoryBaseURL: sigstoretuf.DefaultOptions().RepositoryBaseURL,


😬 we need to establish this too, let me see if sigstore-go / initialization puts it someplace we can use in ~/.sigstore.

RepositoryBaseURL ? Yes cant be used try running without that cause errs

Yes, in a private instance, the repository URL will differ. Let me see if the sigstore-go folks have an idea.

gittuf-app-beta · 2025-04-23T16:44:00Z