Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Updated v1 to support latest version of go-tuf #3597

Closed
wants to merge 9 commits into from
Closed

Updated v1 to support latest version of go-tuf #3597

wants to merge 9 commits into from

Conversation

kommendorkapten
Copy link
Member

Summary

Per the latest TUF updates in Sigstore Public Good instance, the key type is changing for the TUF keys, to keep cosign v1 continue to work I've updated to the latest go-tuf version.

Release Note

  • Updated go-tuf version to v0.7.0
  • Updated sigstore/sigstore to v1.8.0

Documentation

N/A

cpanato and others added 2 commits January 5, 2023 10:23
@cpanato
update builder image that uses go 1.19.4 (sigstore#2521)
d862088 
Signed-off-by: cpanato <ctadeu@gmail.com>

Signed-off-by: cpanato <ctadeu@gmail.com>
@cpanato @AdamKorcz
@codysoyland @haydentherapper
Backport GHSA-vfp6-jrw2-99g9 (sigstore#3364)
ea92927 
* Merge pull request from GHSA-vfp6-jrw2-99g9

* Add limit to number of sigs and attestations

Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>

* Update pkg/cosign/fetch.go

Co-authored-by: Cody Soyland <codysoyland@gmail.com>
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>

* Update error message

Signed-off-by: Hayden B <hblauzvern@google.com>

* fix compilation error

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

* Add e2e tests

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

---------

Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Signed-off-by: Hayden B <hblauzvern@google.com>
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
Co-authored-by: Cody Soyland <codysoyland@gmail.com>
Co-authored-by: Hayden B <hblauzvern@google.com>

* fix missing import

Signed-off-by: cpanato <ctadeu@gmail.com>

* bump golang to 1.19.13

Signed-off-by: cpanato <ctadeu@gmail.com>

* update tests

Signed-off-by: cpanato <ctadeu@gmail.com>

* refactor validate release

Signed-off-by: cpanato <ctadeu@gmail.com>

* pin sigstore/scaffolding/actions/setup to v0.4.13

Signed-off-by: cpanato <ctadeu@gmail.com>

* update ko-local

Signed-off-by: cpanato <ctadeu@gmail.com>

---------

Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Signed-off-by: Hayden B <hblauzvern@google.com>
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
Signed-off-by: cpanato <ctadeu@gmail.com>
Co-authored-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Co-authored-by: Cody Soyland <codysoyland@gmail.com>
Co-authored-by: Hayden B <hblauzvern@google.com>
@codecov Codecov
Copy link

codecov bot commented Mar 13, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 1.57480% with 125 lines in your changes are missing coverage. Please review.

Project coverage is 29.75%. Comparing base (43bde0e) to head (fbe758d).

❗ Current head fbe758d differs from pull request most recent head be9bf89. Consider uploading reports for the commit be9bf89 to get more accurate results

Files Patch % Lines
cmd/cosign/cli/tuf_policy.go 0.00% 117 Missing ⚠️
cmd/cosign/cli/policy_init.go 0.00% 7 Missing ⚠️
cmd/cosign/cli/verify/verify_blob_attestation.go 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@             Coverage Diff              @@
##           1.0-fork    #3597      +/-   ##
============================================
- Coverage     30.16%   29.75%   -0.42%     
============================================
  Files           136      137       +1     
  Lines          8436     8553     +117     
============================================
  Hits           2545     2545              
- Misses         5561     5678     +117     
  Partials        330      330

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

kommendorkapten
kommendorkapten commented Mar 13, 2024
View reviewed changes
Makefile
@@ -100,7 +100,7 @@ lint: golangci-lint ## Run golangci-lint linter
$(GOLANGCI_LINT_BIN) run -n

test:
go test $(shell go list ./... | grep -v third_party/)
GODEBUG=x509sha1=1 go test $(shell go list ./... | grep -v third_party/)
Copy link
Member Author

@kommendorkapten kommendorkapten Mar 13, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is needed as some test certs are using SHA-1.

@jku
Copy link
Member

jku commented Mar 13, 2024
edited
Loading

I'm not super familiar with cosign (like what v1 is) but does this mean upgrading cosign to use the go-tuf rewrite?

EDIT: I suppose 0.7 is the release before the rewrite?

@kommendorkapten
Copy link
Member Author

EDIT: I suppose 0.7 is the release before the rewrite?

Correct! This is the last version that is API compatible.

@haydentherapper
Copy link
Contributor

LGTM, just need to rebase off release-1.13 and merge into that branch instead, which should hopefully resolve test failures.

kommendorkapten and others added 7 commits March 14, 2024 10:26
@kommendorkapten
Updated v1 to support latest version of go-tuf
d2a5cce 
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
@kommendorkapten
Udated documentation to be correct
8d86517 
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
@bobcallaway @kommendorkapten
Update sign_test.go
8e59c5e 
swap out deprecated lib

Signed-off-by: Bob Callaway <bobcallaway@users.noreply.github.com>
@bobcallaway @kommendorkapten
Update keys.go
738ffa6 
swap out deprecated lib

Signed-off-by: Bob Callaway <bobcallaway@users.noreply.github.com>
@bobcallaway @kommendorkapten
Update sign_test.go
7cc54fd 
fix gofmt issue

Signed-off-by: Bob Callaway <bobcallaway@users.noreply.github.com>
@bobcallaway @kommendorkapten
Update go.mod
2cb3bd5 
go mod tidy

Signed-off-by: Bob Callaway <bobcallaway@users.noreply.github.com>
@bobcallaway @kommendorkapten
Update validate-release.yml
be9bf89 
free up space ahead of running goreleaser

Signed-off-by: Bob Callaway <bobcallaway@users.noreply.github.com>
@kommendorkapten
Copy link
Member Author

Rebased on release-1.13 now.

@kommendorkapten kommendorkapten mentioned this pull request Mar 14, 2024
Merged
@kommendorkapten kommendorkapten deleted the v1-go-tuf-update branch March 22, 2024 14:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@kommendorkapten @jku @haydentherapper @cpanato @bobcallaway