@@ -8,10 +8,9 @@ use policy_evaluator::{
8
8
} ,
9
9
policy_metadata:: Metadata ,
10
10
} ;
11
- use sigstore:: trust:: { ManualTrustRoot , TrustRoot } ;
11
+ use sigstore:: trust:: ManualTrustRoot ;
12
12
use std:: {
13
13
collections:: { HashMap , HashSet } ,
14
- fs,
15
14
path:: { Path , PathBuf } ,
16
15
sync:: Arc ,
17
16
} ;
@@ -38,12 +37,11 @@ impl<'v> Downloader<'v> {
38
37
/// sigstore.
39
38
pub async fn new (
40
39
sources : Option < Sources > ,
41
- enable_verification : bool ,
42
- sigstore_cache_dir : Option < PathBuf > ,
40
+ manual_root : Option < Arc < ManualTrustRoot < ' static > > > ,
43
41
) -> Result < Self > {
44
- let verifier = if enable_verification {
42
+ let verifier = if let Some ( manual_root ) = manual_root {
45
43
info ! ( "Fetching sigstore data from remote TUF repository" ) ;
46
- Some ( create_verifier ( sources. clone ( ) , sigstore_cache_dir ) . await ?)
44
+ Some ( create_verifier ( sources. clone ( ) , manual_root ) . await ?)
47
45
} else {
48
46
None
49
47
} ;
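Review bot: The `info!("Fetching sigstore data from remote TUF repository")` line kept on the new side is now inaccurate: `new` no longer contacts a TUF repository, it only wraps the `manual_root` the caller hands in, so the message should say what actually happens, e.g. `info!("Configuring sigstore verifier from the provided trust root")`. The `None` arm also deserves an explicit line, because passing no trust root now silently disables signature verification where the old `enable_verification: bool` made that choice visible at the call site; if a `warn!` macro is imported next to `info!`, something like `warn!("No sigstore trust root provided: signature verification is disabled")` keeps that downgrade observable in logs. The rest of `new`'s body continues outside the hunk.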
@@ -222,41 +220,17 @@ impl<'v> Downloader<'v> {
222
220
/// TUF repository of the sigstore project
223
221
async fn create_verifier < ' v > (
224
222
sources : Option < Sources > ,
225
- sigstore_cache_dir : Option < PathBuf > ,
223
+ manual_root : Arc < ManualTrustRoot < ' static > > ,
226
224
) -> Result < Verifier < ' v > > {
227
- if let Some ( cache_dir) = sigstore_cache_dir. clone ( ) {
228
- if !cache_dir. exists ( ) {
229
- fs:: create_dir_all ( cache_dir)
230
- . map_err ( |e| anyhow ! ( "Cannot create directory to cache sigstore data: {}" , e) ) ?;
231
- }
232
- }
233
-
234
- let repo =
235
- sigstore:: trust:: sigstore:: SigstoreTrustRoot :: new ( sigstore_cache_dir. as_deref ( ) ) . await ?;
236
- let fulcio_certs: Vec < rustls_pki_types:: CertificateDer > = repo
237
- . fulcio_certs ( )
238
- . unwrap ( )
239
- . into_iter ( )
240
- . map ( |c| c. into_owned ( ) )
241
- . collect ( ) ;
242
- let manual_root = ManualTrustRoot {
243
- fulcio_certs : Some ( fulcio_certs) ,
244
- rekor_keys : Some (
245
- repo. rekor_keys ( )
246
- . unwrap ( )
247
- . iter ( )
248
- . map ( |k| k. to_vec ( ) )
249
- . collect ( ) ,
250
- ) ,
251
- } ;
252
- let verifier = Verifier :: new ( sources, Some ( Arc :: new ( manual_root) ) ) . await ?;
225
+ let verifier = Verifier :: new ( sources, Some ( manual_root) ) . await ?;
253
226
254
227
Ok ( verifier)
255
228
}
256
229
257
230
#[ cfg( test) ]
258
231
mod tests {
259
232
use super :: * ;
233
+ use policy_evaluator:: policy_fetcher:: sigstore:: trust:: TrustRoot ;
260
234
use tempfile:: TempDir ;
261
235
262
236
#[ tokio:: test]
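Review bot: The doc comment ending `/// TUF repository of the sigstore project` above `create_verifier` is stale on the new side: the function no longer fetches Fulcio certificates or Rekor keys or touches a cache directory, it only forwards the caller-supplied `manual_root` to `Verifier::new`, so the comment should state that contract instead, e.g. `/// Builds a sigstore verifier for `sources` from a caller-supplied trust root; obtaining trustworthy Fulcio certificates and Rekor keys (for example via TUF) is the caller's responsibility.` The doc comment starts outside the hunk. With the body reduced to a single `Verifier::new` call the helper is thin enough that inlining it into `new` would be reasonable, but keeping it is fine if other callers exist outside this view.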
@@ -299,7 +273,7 @@ mod tests {
299
273
300
274
let policy_download_dir = TempDir :: new ( ) . expect ( "Cannot create temp dir" ) ;
301
275
302
- let mut downloader = Downloader :: new ( None , true , None ) . await . unwrap ( ) ;
276
+ let mut downloader = Downloader :: new ( None , None ) . await . unwrap ( ) ;
303
277
304
278
let fetched_policies = downloader
305
279
. download_policies (
@@ -340,8 +314,31 @@ mod tests {
340
314
serde_yaml:: from_str ( policies_cfg) . expect ( "Cannot parse policy cfg" ) ;
341
315
342
316
let policy_download_dir = TempDir :: new ( ) . expect ( "Cannot create temp dir" ) ;
317
+ let repo = sigstore:: trust:: sigstore:: SigstoreTrustRoot :: new ( None )
318
+ . await
319
+ . unwrap ( ) ;
320
+
321
+ let fulcio_certs: Vec < rustls_pki_types:: CertificateDer > = repo
322
+ . fulcio_certs ( )
323
+ . expect ( "Cannot fetch Fulcio certificates from TUF repository" )
324
+ . into_iter ( )
325
+ . map ( |c| c. into_owned ( ) )
326
+ . collect ( ) ;
327
+
328
+ let manual_root = ManualTrustRoot {
329
+ fulcio_certs : Some ( fulcio_certs) ,
330
+ rekor_keys : Some (
331
+ repo. rekor_keys ( )
332
+ . expect ( "Cannot fetch Rekor keys from TUF repository" )
333
+ . iter ( )
334
+ . map ( |k| k. to_vec ( ) )
335
+ . collect ( ) ,
336
+ ) ,
337
+ } ;
343
338
344
- let mut downloader = Downloader :: new ( None , true , None ) . await . unwrap ( ) ;
339
+ let mut downloader = Downloader :: new ( None , Some ( Arc :: new ( manual_root) ) )
340
+ . await
341
+ . unwrap ( ) ;
345
342
346
343
let fetched_policies = downloader
347
344
. download_policies (
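Review bot: The `SigstoreTrustRoot::new(None).await.unwrap()` at the top of the added block panics without context if the remote TUF fetch fails, while the two lookups right after it carry descriptive `expect` messages; for consistency replace that `.unwrap()` with `.expect("Cannot fetch sigstore trust root from TUF repository")`. This test now performs a live network fetch with no cache directory (the former `sigstore_cache_dir` argument is gone), so its outcome depends on the environment; if the test module has a convention for marking network-dependent tests, this one should follow it. The enclosing test function starts and ends outside the hunk.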