Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

support for multiple TUF repo caches #941

Merged
merged 1 commit into from
Jan 10, 2024
Merged

support for multiple TUF repo caches #941

merged 1 commit into from
Jan 10, 2024

Conversation

bdehamer
Copy link
Collaborator

Makes a number of changes to the way that the local TUF cache is managed

Support for multiple repositories

The directory structure of the local TUF cache has been re-organized to support working with multiple TUF repositories without the need to purge the cache.

Previously, the local TUF cache was structured as follows:

.
├── remote.json
├── root.json
├── snapshot.json
├── targets
│   └── trusted_root.json
├── targets.json
└── timestamp.json

With this layout we could only cache the metadata/targets for a single TUF repository at a time. Working with a different TUF repo would require that the existing content be overwritten.

The new cache layout is as follows:

.
└── tuf-repo-cdn.sigstore.dev
    ├── root.json
    ├── snapshot.json
    ├── targets
    │   └── trusted_root.json
    ├── targets.json
    └── timestamp.json

With this scheme the metadata/targets are organized under a directory which identifies the remote repository from which those files were originally loaded.

Note that the old implementation used the remote.json file to identify the remote repository which was currently loaded into the cache. This file is no longer needed as the hostname of the remote repository is part of the directory structure.

Cache seed refactoring

To simplify set-up for the end-user, sigstore-js comes bundled with the current root.json for the Sigstore public-good TUF repository. This root metadata file is necessary to bootstrap any interaction with the Sigstore TUF repository.

Previously, the Sigstore public-good root.json was packaged in the @sigstore/tuf package as a static asset (an extra file that was added to the package at build time). This scheme of bundling non-code assets into the package causes some problems for projects which are using ncc to compile sigstore-js into a single JavaScript file (commonly done when building GitHub Actions).

To ensure compatibility with ncc, the seed root.json has been moved to a constant read from a TypeScript file. To ensure that we maintain byte-level compatibility with the source root.json the contents are base64-encoded. This will add some complexity to the process of keeping this file up-to-date (it's no longer sufficient to simply copy the file from the remote repository), but should eliminate any of the issues we've experienced when trying to make the library work with ncc.

Embed TUF targets

Embeds TUF targets are part of the cache seed data. Takes advantage of the fact that targets like trusted_root.json don't change very often and allows clients to use them without needing to download them from the remote TUF repository. The targets are still verified agains the other TUF metadata but, assuming everything is still valid, it eliminatesa fetch from the remote repository (closes #398).

@bdehamer bdehamer requested a review from a team as a code owner January 10, 2024 00:18
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Jan 10, 2024
edited
Loading

🦋 Changeset detected

Latest commit: 7dcfe86

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@sigstore/tuf Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@bdehamer bdehamer force-pushed the bdehamer/sigstore-tuf branch from ab16b29 to ecc3a70 Compare January 10, 2024 00:19
@bdehamer bdehamer requested a review from ejahnGithub January 10, 2024 00:19
@bdehamer bdehamer force-pushed the bdehamer/sigstore-tuf branch 4 times, most recently from 87f4626 to e54ff56 Compare January 10, 2024 00:38
@bdehamer bdehamer closed this Jan 10, 2024
@bdehamer bdehamer reopened this Jan 10, 2024
@bdehamer bdehamer closed this Jan 10, 2024
@bdehamer bdehamer reopened this Jan 10, 2024
@bdehamer bdehamer marked this pull request as draft January 10, 2024 00:43
@bdehamer bdehamer force-pushed the bdehamer/sigstore-tuf branch from e54ff56 to 5fdfb05 Compare January 10, 2024 16:29
@bdehamer
support for multiple TUF repo caches
7dcfe86 
Signed-off-by: Brian DeHamer <bdehamer@github.com>
@bdehamer bdehamer force-pushed the bdehamer/sigstore-tuf branch from 5fdfb05 to 7dcfe86 Compare January 10, 2024 16:31
@bdehamer bdehamer marked this pull request as ready for review January 10, 2024 16:35
ejahnGithub
ejahnGithub approved these changes Jan 10, 2024
View reviewed changes
Copy link
Contributor

@ejahnGithub ejahnGithub left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@bdehamer bdehamer merged commit 4471a4d into main Jan 10, 2024
26 checks passed
@bdehamer bdehamer deleted the bdehamer/sigstore-tuf branch January 10, 2024 20:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ejahnGithub ejahnGithub ejahnGithub approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Embed TUF targets to minimize downloads
2 participants
@bdehamer @ejahnGithub