
Commit e9f9733

Merge pull request #792 from flavio/sigstore-fixes
sigstore fixes
2 parents 61ee2f8 + a84092f commit e9f9733


2 files changed

+46
-33
lines changed


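--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM rust:1.70 AS build
+FROM rust:1.78 AS build
 WORKDIR /usr/src
 
 # Download the target for static linking.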

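--- a/src/lib.rs
+++ b/src/lib.rs
@@ -13,7 +13,7 @@ pub mod metrics;
 pub mod profiling;
 pub mod tracing;
 
-use ::tracing::{debug, info, Level};
+use ::tracing::{debug, info, warn, Level};
 use anyhow::{anyhow, Result};
 use axum::{
 routing::{get, post},
@@ -76,42 +76,20 @@ impl PolicyServer {
 let (callback_handler_shutdown_channel_tx, callback_handler_shutdown_channel_rx) =
 oneshot::channel();
 
-let manual_root = if config.verification_config.is_some() {
-if !config.sigstore_cache_dir.exists() {
-fs::create_dir_all(&config.sigstore_cache_dir).map_err(|e| {
-anyhow!("Cannot create directory to cache sigstore data: {}", e)
-})?;
+let sigstore_trust_root = match create_sigstore_trustroot(&config).await {
+Ok(trust_root) => Some(trust_root),
+Err(e) => {
+// Do not exit, only policies making use of sigstore's keyless/certificate based signatures will fail
+// There are good chances everything is going to work fine in the majority of cases
+warn!(?e, "Cannot create Sigstore trust root, verification relying on Rekor and Fulcio will fail");
+None
 }
-
-let repo = SigstoreTrustRoot::new(Some(config.sigstore_cache_dir.as_path())).await?;
-
-let fulcio_certs: Vec<rustls_pki_types::CertificateDer> = repo
-.fulcio_certs()
-.expect("Cannot fetch Fulcio certificates from TUF repository")
-.into_iter()
-.map(|c| c.into_owned())
-.collect();
-
-let manual_root = ManualTrustRoot {
-fulcio_certs,
-rekor_keys: repo
-.rekor_keys()
-.expect("Cannot fetch Rekor keys from TUF repository")
-.iter()
-.map(|k| k.to_vec())
-.collect(),
-..Default::default()
-};
-
-Some(Arc::new(manual_root))
-} else {
-None
 };
 
 let mut callback_handler_builder =
 CallbackHandlerBuilder::new(callback_handler_shutdown_channel_rx)
 .registry_config(config.sources.clone())
-.trust_root(manual_root.clone());
+.trust_root(sigstore_trust_root.clone());
 
 let kube_client: Option<kube::Client> = match kube::Client::try_default().await {
 Ok(client) => Some(client),
@@ -146,7 +124,13 @@ impl PolicyServer {
 let callback_sender_channel = callback_handler.sender_channel();
 
 // Download policies
-let mut downloader = Downloader::new(config.sources.clone(), manual_root.clone()).await?;
+let downloader_sigstore_trust_root = if config.verification_config.is_some() {
+sigstore_trust_root.clone()
+} else {
+None
+};
+let mut downloader =
+Downloader::new(config.sources.clone(), downloader_sigstore_trust_root).await?;
 
 let fetched_policies = downloader
 .download_policies(
@@ -302,3 +286,32 @@ fn precompile_policies(
 })
 .collect()
 }
+
+async fn create_sigstore_trustroot(config: &Config) -> Result<Arc<ManualTrustRoot<'static>>> {
+if !config.sigstore_cache_dir.exists() {
+fs::create_dir_all(&config.sigstore_cache_dir)
+.map_err(|e| anyhow!("Cannot create directory to cache sigstore data: {}", e))?;
+}
+
+let repo = SigstoreTrustRoot::new(Some(config.sigstore_cache_dir.as_path())).await?;
+
+let fulcio_certs: Vec<rustls_pki_types::CertificateDer> = repo
+.fulcio_certs()
+.expect("Cannot fetch Fulcio certificates from TUF repository")
+.into_iter()
+.map(|c| c.into_owned())
+.collect();
+
+let manual_root = ManualTrustRoot {
+fulcio_certs,
+rekor_keys: repo
+.rekor_keys()
+.expect("Cannot fetch Rekor keys from TUF repository")
+.iter()
+.map(|k| k.to_vec())
+.collect(),
+..Default::default()
+};
+
+Ok(Arc::new(manual_root))
+}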
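Review bot: The two `.expect(...)` calls in `create_sigstore_trustroot` (new lines 300 and 309) undermine the graceful-degradation path this commit introduces at line 79: a failure of `fulcio_certs()` or `rekor_keys()` after the TUF repository was opened panics the whole server instead of reaching the `Err(e)` arm that logs and continues with `None`. Since the function already returns `anyhow::Result`, both should propagate, e.g. `.map_err(|e| anyhow!("Cannot fetch Fulcio certificates from TUF repository: {:?}", e))?` and `.map_err(|e| anyhow!("Cannot fetch Rekor keys from TUF repository: {:?}", e))?` (using `{:?}` presumably works if the error type is not `Display`; confirm against the sigstore crate). Separately, the trust root is now built unconditionally at startup (new line 79) while the downloader at lines 127–131 still gates it on `verification_config`; a one-line comment above line 79 such as `// The callback handler always needs the trust root for policies that verify signatures at runtime; the downloader only needs it when verification_config is set` would make that asymmetry deliberate rather than a leftover. The enclosing `impl PolicyServer` method starts before the hunk.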
