@@ -13,7 +13,7 @@ pub mod metrics;
1313pub mod profiling;
1414pub mod tracing;
1515
16- use :: tracing:: { debug, info, Level } ;
16+ use :: tracing:: { debug, info, warn , Level } ;
1717use anyhow:: { anyhow, Result } ;
1818use axum:: {
1919 routing:: { get, post} ,
@@ -76,42 +76,20 @@ impl PolicyServer {
7676 let ( callback_handler_shutdown_channel_tx, callback_handler_shutdown_channel_rx) =
7777 oneshot:: channel ( ) ;
7878
79- let manual_root = if config. verification_config . is_some ( ) {
80- if !config. sigstore_cache_dir . exists ( ) {
81- fs:: create_dir_all ( & config. sigstore_cache_dir ) . map_err ( |e| {
82- anyhow ! ( "Cannot create directory to cache sigstore data: {}" , e)
83- } ) ?;
79+ let sigstore_trust_root = match create_sigstore_trustroot ( & config) . await {
80+ Ok ( trust_root) => Some ( trust_root) ,
81+ Err ( e) => {
82+ // Do not exit, only policies making use of sigstore's keyless/certificate based signatures will fail
83+ // There are good chances everything is going to work fine in the majority of cases
84+ warn ! ( ?e, "Cannot create Sigstore trust root, verification relying on Rekor and Fulcio will fail" ) ;
85+ None
8486 }
85-
86- let repo = SigstoreTrustRoot :: new ( Some ( config. sigstore_cache_dir . as_path ( ) ) ) . await ?;
87-
88- let fulcio_certs: Vec < rustls_pki_types:: CertificateDer > = repo
89- . fulcio_certs ( )
90- . expect ( "Cannot fetch Fulcio certificates from TUF repository" )
91- . into_iter ( )
92- . map ( |c| c. into_owned ( ) )
93- . collect ( ) ;
94-
95- let manual_root = ManualTrustRoot {
96- fulcio_certs,
97- rekor_keys : repo
98- . rekor_keys ( )
99- . expect ( "Cannot fetch Rekor keys from TUF repository" )
100- . iter ( )
101- . map ( |k| k. to_vec ( ) )
102- . collect ( ) ,
103- ..Default :: default ( )
104- } ;
105-
106- Some ( Arc :: new ( manual_root) )
107- } else {
108- None
10987 } ;
11088
11189 let mut callback_handler_builder =
11290 CallbackHandlerBuilder :: new ( callback_handler_shutdown_channel_rx)
11391 . registry_config ( config. sources . clone ( ) )
114- . trust_root ( manual_root . clone ( ) ) ;
92+ . trust_root ( sigstore_trust_root . clone ( ) ) ;
11593
11694 let kube_client: Option < kube:: Client > = match kube:: Client :: try_default ( ) . await {
11795 Ok ( client) => Some ( client) ,
@@ -146,7 +124,13 @@ impl PolicyServer {
146124 let callback_sender_channel = callback_handler. sender_channel ( ) ;
147125
148126 // Download policies
149- let mut downloader = Downloader :: new ( config. sources . clone ( ) , manual_root. clone ( ) ) . await ?;
127+ let downloader_sigstore_trust_root = if config. verification_config . is_some ( ) {
128+ sigstore_trust_root. clone ( )
129+ } else {
130+ None
131+ } ;
132+ let mut downloader =
133+ Downloader :: new ( config. sources . clone ( ) , downloader_sigstore_trust_root) . await ?;
150134
151135 let fetched_policies = downloader
152136 . download_policies (
@@ -302,3 +286,32 @@ fn precompile_policies(
302286 } )
303287 . collect ( )
304288}
289+
290+ async fn create_sigstore_trustroot ( config : & Config ) -> Result < Arc < ManualTrustRoot < ' static > > > {
291+ if !config. sigstore_cache_dir . exists ( ) {
292+ fs:: create_dir_all ( & config. sigstore_cache_dir )
293+ . map_err ( |e| anyhow ! ( "Cannot create directory to cache sigstore data: {}" , e) ) ?;
294+ }
295+
296+ let repo = SigstoreTrustRoot :: new ( Some ( config. sigstore_cache_dir . as_path ( ) ) ) . await ?;
297+
298+ let fulcio_certs: Vec < rustls_pki_types:: CertificateDer > = repo
299+ . fulcio_certs ( )
300+ . expect ( "Cannot fetch Fulcio certificates from TUF repository" )
301+ . into_iter ( )
302+ . map ( |c| c. into_owned ( ) )
303+ . collect ( ) ;
304+
305+ let manual_root = ManualTrustRoot {
306+ fulcio_certs,
307+ rekor_keys : repo
308+ . rekor_keys ( )
309+ . expect ( "Cannot fetch Rekor keys from TUF repository" )
310+ . iter ( )
311+ . map ( |k| k. to_vec ( ) )
312+ . collect ( ) ,
313+ ..Default :: default ( )
314+ } ;
315+
316+ Ok ( Arc :: new ( manual_root) )
317+ }
0 commit comments