Merge pull request #792 from flavio/sigstore-fixes

sigstore fixes

Author: fabriziosestito

Dockerfile

@@ -1,4 +1,4 @@
-FROM rust:1.70 AS build
+FROM rust:1.78 AS build
 WORKDIR /usr/src
 
 # Download the target for static linking.

src/lib.rs

@@ -13,7 +13,7 @@ pub mod metrics;
 pub mod profiling;
 pub mod tracing;
 
-use ::tracing::{debug, info, Level};
+use ::tracing::{debug, info, warn, Level};
 use anyhow::{anyhow, Result};
 use axum::{
     routing::{get, post},
@@ -76,42 +76,20 @@ impl PolicyServer {
         let (callback_handler_shutdown_channel_tx, callback_handler_shutdown_channel_rx) =
             oneshot::channel();
 
-        let manual_root = if config.verification_config.is_some() {
-            if !config.sigstore_cache_dir.exists() {
-                fs::create_dir_all(&config.sigstore_cache_dir).map_err(|e| {
-                    anyhow!("Cannot create directory to cache sigstore data: {}", e)
-                })?;
+        let sigstore_trust_root = match create_sigstore_trustroot(&config).await {
+            Ok(trust_root) => Some(trust_root),
+            Err(e) => {
+                // Do not exit, only policies making use of sigstore's keyless/certificate based signatures will fail
+                // There are good chances everything is going to work fine in the majority of cases
+                warn!(?e, "Cannot create Sigstore trust root, verification relying on Rekor and Fulcio will fail");
+                None
             }
-
-            let repo = SigstoreTrustRoot::new(Some(config.sigstore_cache_dir.as_path())).await?;
-
-            let fulcio_certs: Vec<rustls_pki_types::CertificateDer> = repo
-                .fulcio_certs()
-                .expect("Cannot fetch Fulcio certificates from TUF repository")
-                .into_iter()
-                .map(|c| c.into_owned())
-                .collect();
-
-            let manual_root = ManualTrustRoot {
-                fulcio_certs,
-                rekor_keys: repo
-                    .rekor_keys()
-                    .expect("Cannot fetch Rekor keys from TUF repository")
-                    .iter()
-                    .map(|k| k.to_vec())
-                    .collect(),
-                ..Default::default()
-            };
-
-            Some(Arc::new(manual_root))
-        } else {
-            None
         };
 
         let mut callback_handler_builder =
             CallbackHandlerBuilder::new(callback_handler_shutdown_channel_rx)
                 .registry_config(config.sources.clone())
-                .trust_root(manual_root.clone());
+                .trust_root(sigstore_trust_root.clone());
 
         let kube_client: Option<kube::Client> = match kube::Client::try_default().await {
             Ok(client) => Some(client),
@@ -146,7 +124,13 @@ impl PolicyServer {
         let callback_sender_channel = callback_handler.sender_channel();
 
         // Download policies
-        let mut downloader = Downloader::new(config.sources.clone(), manual_root.clone()).await?;
+        let downloader_sigstore_trust_root = if config.verification_config.is_some() {
+            sigstore_trust_root.clone()
+        } else {
+            None
+        };
+        let mut downloader =
+            Downloader::new(config.sources.clone(), downloader_sigstore_trust_root).await?;
 
         let fetched_policies = downloader
             .download_policies(
@@ -302,3 +286,32 @@ fn precompile_policies(
         })
         .collect()
 }
+
+async fn create_sigstore_trustroot(config: &Config) -> Result<Arc<ManualTrustRoot<'static>>> {
+    if !config.sigstore_cache_dir.exists() {
+        fs::create_dir_all(&config.sigstore_cache_dir)
+            .map_err(|e| anyhow!("Cannot create directory to cache sigstore data: {}", e))?;
+    }
+
+    let repo = SigstoreTrustRoot::new(Some(config.sigstore_cache_dir.as_path())).await?;
+
+    let fulcio_certs: Vec<rustls_pki_types::CertificateDer> = repo
+        .fulcio_certs()
+        .expect("Cannot fetch Fulcio certificates from TUF repository")
+        .into_iter()
+        .map(|c| c.into_owned())
+        .collect();
+
+    let manual_root = ManualTrustRoot {
+        fulcio_certs,
+        rekor_keys: repo
+            .rekor_keys()
+            .expect("Cannot fetch Rekor keys from TUF repository")
+            .iter()
+            .map(|k| k.to_vec())
+            .collect(),
+        ..Default::default()
+    };
+
+    Ok(Arc::new(manual_root))
+}