From bd73b0fc5fc391bc2ac9cb811bde3e856c57d200 Mon Sep 17 00:00:00 2001
From: Brian DeHamer
Date: Thu, 11 Jan 2024 10:06:07 -0800
Subject: [PATCH] add tufForceCache to client and CLI

Signed-off-by: Brian DeHamer
---
 .changeset/long-jobs-explain.md | 5 +++
 .changeset/polite-numbers-wait.md | 5 +++
 .changeset/poor-radios-sleep.md | 5 +++
 packages/cli/README.md | 60 +++++++++++++++++--------
 packages/cli/src/commands/initialize.ts | 5 +++
 packages/cli/src/commands/verify.ts | 7 +++
 packages/client/src/config.ts | 1 +
 packages/client/src/sigstore.ts | 1 +
 8 files changed, 70 insertions(+), 19 deletions(-)
 create mode 100644 .changeset/long-jobs-explain.md
 create mode 100644 .changeset/polite-numbers-wait.md
 create mode 100644 .changeset/poor-radios-sleep.md

diff --git a/.changeset/long-jobs-explain.md b/.changeset/long-jobs-explain.md
new file mode 100644
index 00000000..8de5501c
--- /dev/null
+++ b/.changeset/long-jobs-explain.md
@@ -0,0 +1,5 @@
+---
+"@sigstore/cli": minor
+---
+
+Add `tuf-force-cache` flag to `verify` command
diff --git a/.changeset/polite-numbers-wait.md b/.changeset/polite-numbers-wait.md
new file mode 100644
index 00000000..bfdda04f
--- /dev/null
+++ b/.changeset/polite-numbers-wait.md
@@ -0,0 +1,5 @@
+---
+"@sigstore/cli": minor
+---
+
+Add `cache-path` flag to `initialize` command
diff --git a/.changeset/poor-radios-sleep.md b/.changeset/poor-radios-sleep.md
new file mode 100644
index 00000000..a1b8bb02
--- /dev/null
+++ b/.changeset/poor-radios-sleep.md
@@ -0,0 +1,5 @@
+---
+"sigstore": minor
+---
+
+Add `tufForceCache` flag to `VerifyOptions` type
diff --git a/packages/cli/README.md b/packages/cli/README.md
index 776ca5ab..b4f503ef 100644
--- a/packages/cli/README.md
+++ b/packages/cli/README.md
@@ -9,7 +9,7 @@ $ npm install -g @sigstore/cli $ sigstore COMMAND running command... $ sigstore (--version) -@sigstore/cli/0.3.0 darwin-arm64 node-v18.12.1 +@sigstore/cli/0.5.0 darwin-arm64 node-v18.12.1 $ sigstore --help [COMMAND] USAGE $ sigstore COMMAND @@ -37,18 +37,19 @@ ARGUMENTS FILE file to attest FLAGS - -o, --output-file= write output to file - -t, --payload-type= [default: application/vnd.in-toto+json] MIME or content type to apply to the DSSE - envelope - --fulcio-url= [default: https://fulcio.sigstore.dev] URL to the Sigstore PKI server - --oidc-client-id= [default: sigstore] OIDC client ID for application - --oidc-client-secret= OIDC client secret for application - --oidc-issuer= [default: https://oauth2.sigstore.dev/auth] OIDC provider to be used to issue ID token - --oidc-redirect-url= OIDC redirect URL - --rekor-url= [default: https://rekor.sigstore.dev] URL to the Rekor transparency log - --timeout= [default: 5] timeout in seconds for API requests - --[no-]tlog-upload whether or not to upload entry to the transparency log - --tsa-server-url= URL to the Timestamping Authority + -o, --output-file= write output to file + -t, --payload-type= [default: application/vnd.in-toto+json] MIME or content type to apply to the DSSE + envelope + --fulcio-url= [default: https://fulcio.sigstore.dev] URL to the Sigstore PKI server + --oidc-client-id= [default: sigstore] OIDC client ID for application + --oidc-client-secret= OIDC client secret for application + --oidc-issuer= [default: https://oauth2.sigstore.dev/auth] OIDC provider to be used to issue ID + token + --oidc-redirect-url= OIDC redirect URL + --rekor-url= [default: https://rekor.sigstore.dev] URL to the Rekor transparency log + --timeout= [default: 5] timeout in seconds for API requests + --[no-]tlog-upload whether or not to upload entry to the transparency log + --tsa-server-url= URL to the Timestamping Authority GLOBAL FLAGS --json Format output as json. 
@@ -88,12 +89,13 @@ initialize the Sigstore TUF root to retrieve trusted certificates and keys for v ``` USAGE - $ sigstore initialize [--mirror ] [--root ] [--force] + $ sigstore initialize [--mirror ] [--root ] [--cache-path ] [--force] FLAGS - --force force initialization even if the cache already exists - --mirror= [default: https://tuf-repo-cdn.sigstore.dev] URL to the Sigstore TUF repository - --root= path to the initial trusted root. Defaults to the embedded root. + --cache-path= Absolute path to the directory to be used for caching downloaded TUF metadata and targets + --force force initialization even if the cache already exists + --mirror= [default: https://tuf-repo-cdn.sigstore.dev] URL to the Sigstore TUF repository + --root= path to the initial trusted root. Defaults to the embedded root. DESCRIPTION initialize the Sigstore TUF root to retrieve trusted certificates and keys for verification 
@@ -114,13 +116,33 @@ verify the supplied .sigstore bundle file ``` USAGE $ sigstore verify BUNDLE [--json] [--tlog-threshold ] [--ctlog-threshold ] + [--certificate-identity-email --certificate-issuer ] [--certificate-identity-uri ] + [--tuf-mirror-url ] [--tuf-root-path ] [--tuf-cache-path ] [--tuf-force-cache] [--blob-file + | --blob ] ARGUMENTS BUNDLE bundle to verify FLAGS - --ctlog-threshold= [default: 1] number of certificate transparency log entries required to verify - --tlog-threshold= [default: 1] number of transparency log entries required to verify + --blob= Base64 encoded data to verify. Only required if bundle was not signed using + attest + --blob-file= File containing data to verify. Only required if bundle was not signed using + attest + --certificate-identity-email= Email address which must appear in the signing certificate's Subject Alternative + Name (SAN) extension. Not verified if no value is supplied + --certificate-identity-uri= URI which must appear in the signing certificate's Subject Alternative Name + (SAN) extension. Not verified if no value is supplied + --certificate-issuer= Value that must appear in the signing certificate's issuer extension (OID + 1.3.6.1.4.1.57264.1.1 or 1.3.6.1.4.1.57264.1.8). Not verified if no value is + supplied + --ctlog-threshold= [default: 1] number of certificate transparency log entries required to verify + --tlog-threshold= [default: 1] number of transparency log entries required to verify + --tuf-cache-path= Absolute path to the directory to be used for caching downloaded TUF metadata + and targets + --tuf-force-cache Whether to give precedence to cached, un-expired TUF metadata and targets over + remote versions + --tuf-mirror-url= Base URL for the Sigstore TUF repository + --tuf-root-path= Path to the initial trust root for the TUF repository GLOBAL FLAGS --json Format output as json. 
diff --git a/packages/cli/src/commands/initialize.ts b/packages/cli/src/commands/initialize.ts index 52888e5c..032c919a 100644 --- a/packages/cli/src/commands/initialize.ts +++ b/packages/cli/src/commands/initialize.ts @@ -16,6 +16,10 @@ export default class Initialize extends Command { description: 'path to the initial trusted root. Defaults to the embedded root.', }), + 'cache-path': Flags.directory({ + description: + 'Absolute path to the directory to be used for caching downloaded TUF metadata and targets', + }), force: Flags.boolean({ description: 'force initialization even if the cache already exists', default: false, @@ -28,6 +32,7 @@ export default class Initialize extends Command { await initTUF({ mirrorURL: flags.mirror, rootPath: flags.root, + cachePath: flags['cache-path'], force: flags.force, }); } diff --git a/packages/cli/src/commands/verify.ts b/packages/cli/src/commands/verify.ts index b3fc164a..a4e2637a 100644 --- a/packages/cli/src/commands/verify.ts +++ b/packages/cli/src/commands/verify.ts @@ -47,6 +47,12 @@ export default class Verify extends Command { description: 'Absolute path to the directory to be used for caching downloaded TUF metadata and targets', }), + 'tuf-force-cache': Flags.boolean({ + description: + 'Whether to give precedence to cached, un-expired TUF metadata and targets over remote versions', + default: false, + required: false, + }), 'blob-file': Flags.file({ description: 'File containing data to verify. Only required if bundle was not signed using attest', @@ -80,6 +86,7 @@ export default class Verify extends Command { tufMirrorURL: flags['tuf-mirror-url'], tufRootPath: flags['tuf-root-path'], tufCachePath: flags['tuf-cache-path'], + tufForceCache: flags['tuf-force-cache'], }; const bundle = await fs diff --git a/packages/client/src/config.ts b/packages/client/src/config.ts index c235cc5c..4ce71801 100644 --- a/packages/client/src/config.ts +++ b/packages/client/src/config.ts 
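Review bot: The `tuf-force-cache` flag declared in verify.ts says what it does but not what the operator gives up: while the cached metadata is unexpired, a root or targets update published to the mirror after the cache was filled is presumably not consulted at all, and the description should say so, e.g. `'Give precedence to cached, un-expired TUF metadata and targets over remote versions; metadata published upstream is not fetched until the cached copy expires'`. In that same declaration `required: false` is redundant next to `default: false` and can be dropped. The `cache-path` flag added to initialize.ts is described as an absolute path, but `Flags.directory` does not enforce that, so a relative value is handed to `initTUF` as-is and resolved however the TUF client resolves it; either normalize it with `path.resolve(flags['cache-path'])` before the call or relax the wording. The `Initialize` and `Verify` classes both begin and end outside these hunks.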
@@ -64,6 +64,7 @@ export type VerifyOptions = { tufMirrorURL?: string; tufRootPath?: string; tufCachePath?: string; + tufForceCache?: boolean; } & FetchOptions; export const DEFAULT_RETRY: Retry = { retries: 2 }; diff --git a/packages/client/src/sigstore.ts b/packages/client/src/sigstore.ts index e3187b0c..59ae15f3 100644 --- a/packages/client/src/sigstore.ts +++ b/packages/client/src/sigstore.ts @@ -86,6 +86,7 @@ export async function createVerifier( mirrorURL: options.tufMirrorURL, rootPath: options.tufRootPath, cachePath: options.tufCachePath, + forceCache: options.tufForceCache, retry: options.retry ?? config.DEFAULT_RETRY, timeout: options.timeout ?? config.DEFAULT_TIMEOUT, });
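Review bot: `tufForceCache?: boolean` in config.ts joins `VerifyOptions` with no doc comment, and unlike a mirror URL or cache path this option changes how stale the trust material a verification relies on may be, so it deserves one: `/** Prefer cached, unexpired TUF metadata and targets over the mirror; metadata published upstream after the cache was filled is not fetched until the cached copy expires. */`. The neighbouring `tufCachePath`/`tufRootPath` fields are also undocumented, but this is the one a caller can switch on for convenience in an environment that does have network access and quietly lose freshness. The sigstore.ts hunk forwards the value unchanged as `forceCache` to the TUF client, so the same caveat applies at that call site; `createVerifier` starts before that hunk and the rest of its body is outside it.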