@@ -13,7 +13,7 @@ pub mod metrics;
13
13
pub mod profiling;
14
14
pub mod tracing;
15
15
16
- use :: tracing:: { debug, info, Level } ;
16
+ use :: tracing:: { debug, info, warn , Level } ;
17
17
use anyhow:: { anyhow, Result } ;
18
18
use axum:: {
19
19
routing:: { get, post} ,
@@ -76,42 +76,20 @@ impl PolicyServer {
76
76
let ( callback_handler_shutdown_channel_tx, callback_handler_shutdown_channel_rx) =
77
77
oneshot:: channel ( ) ;
78
78
79
- let manual_root = if config. verification_config . is_some ( ) {
80
- if !config. sigstore_cache_dir . exists ( ) {
81
- fs:: create_dir_all ( & config. sigstore_cache_dir ) . map_err ( |e| {
82
- anyhow ! ( "Cannot create directory to cache sigstore data: {}" , e)
83
- } ) ?;
79
+ let sigstore_trust_root = match create_sigstore_trustroot ( & config) . await {
80
+ Ok ( trust_root) => Some ( trust_root) ,
81
+ Err ( e) => {
82
+ // Do not exit, only policies making use of sigstore's keyless/certificate based signatures will fail
83
+ // There are good chances everything is going to work fine in the majority of cases
84
+ warn ! ( ?e, "Cannot create Sigstore trust root, verification relying on Rekor and Fulcio will fail" ) ;
85
+ None
84
86
}
85
-
86
- let repo = SigstoreTrustRoot :: new ( Some ( config. sigstore_cache_dir . as_path ( ) ) ) . await ?;
87
-
88
- let fulcio_certs: Vec < rustls_pki_types:: CertificateDer > = repo
89
- . fulcio_certs ( )
90
- . expect ( "Cannot fetch Fulcio certificates from TUF repository" )
91
- . into_iter ( )
92
- . map ( |c| c. into_owned ( ) )
93
- . collect ( ) ;
94
-
95
- let manual_root = ManualTrustRoot {
96
- fulcio_certs,
97
- rekor_keys : repo
98
- . rekor_keys ( )
99
- . expect ( "Cannot fetch Rekor keys from TUF repository" )
100
- . iter ( )
101
- . map ( |k| k. to_vec ( ) )
102
- . collect ( ) ,
103
- ..Default :: default ( )
104
- } ;
105
-
106
- Some ( Arc :: new ( manual_root) )
107
- } else {
108
- None
109
87
} ;
110
88
111
89
let mut callback_handler_builder =
112
90
CallbackHandlerBuilder :: new ( callback_handler_shutdown_channel_rx)
113
91
. registry_config ( config. sources . clone ( ) )
114
- . trust_root ( manual_root . clone ( ) ) ;
92
+ . trust_root ( sigstore_trust_root . clone ( ) ) ;
115
93
116
94
let kube_client: Option < kube:: Client > = match kube:: Client :: try_default ( ) . await {
117
95
Ok ( client) => Some ( client) ,
@@ -146,7 +124,13 @@ impl PolicyServer {
146
124
let callback_sender_channel = callback_handler. sender_channel ( ) ;
147
125
148
126
// Download policies
149
- let mut downloader = Downloader :: new ( config. sources . clone ( ) , manual_root. clone ( ) ) . await ?;
127
+ let downloader_sigstore_trust_root = if config. verification_config . is_some ( ) {
128
+ sigstore_trust_root. clone ( )
129
+ } else {
130
+ None
131
+ } ;
132
+ let mut downloader =
133
+ Downloader :: new ( config. sources . clone ( ) , downloader_sigstore_trust_root) . await ?;
150
134
151
135
let fetched_policies = downloader
152
136
. download_policies (
@@ -302,3 +286,32 @@ fn precompile_policies(
302
286
} )
303
287
. collect ( )
304
288
}
289
+
290
+ async fn create_sigstore_trustroot ( config : & Config ) -> Result < Arc < ManualTrustRoot < ' static > > > {
291
+ if !config. sigstore_cache_dir . exists ( ) {
292
+ fs:: create_dir_all ( & config. sigstore_cache_dir )
293
+ . map_err ( |e| anyhow ! ( "Cannot create directory to cache sigstore data: {}" , e) ) ?;
294
+ }
295
+
296
+ let repo = SigstoreTrustRoot :: new ( Some ( config. sigstore_cache_dir . as_path ( ) ) ) . await ?;
297
+
298
+ let fulcio_certs: Vec < rustls_pki_types:: CertificateDer > = repo
299
+ . fulcio_certs ( )
300
+ . expect ( "Cannot fetch Fulcio certificates from TUF repository" )
301
+ . into_iter ( )
302
+ . map ( |c| c. into_owned ( ) )
303
+ . collect ( ) ;
304
+
305
+ let manual_root = ManualTrustRoot {
306
+ fulcio_certs,
307
+ rekor_keys : repo
308
+ . rekor_keys ( )
309
+ . expect ( "Cannot fetch Rekor keys from TUF repository" )
310
+ . iter ( )
311
+ . map ( |k| k. to_vec ( ) )
312
+ . collect ( ) ,
313
+ ..Default :: default ( )
314
+ } ;
315
+
316
+ Ok ( Arc :: new ( manual_root) )
317
+ }
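Review bot: The two `.expect(...)` calls in `create_sigstore_trustroot` (the Fulcio certificate and Rekor key lookups at the end of the last hunk) still panic, so the new warn-and-continue branch around `create_sigstore_trustroot(&config).await` only covers failures up to `SigstoreTrustRoot::new`; if the TUF metadata loads but extracting the certificates or keys fails, the process aborts instead of falling back to `None` as the comment promises. Since the function already returns `Result`, convert them with `.map_err(|e| anyhow!("Cannot fetch Fulcio certificates from TUF repository: {e}"))?` and `.map_err(|e| anyhow!("Cannot fetch Rekor keys from TUF repository: {e}"))?` (or `.ok_or_else(...)` if those accessors return `Option`). Separately, the fallback silently downgrades an explicitly configured verification: the removed code failed closed with `?` whenever `config.verification_config.is_some()`, whereas now the `Downloader` receives `None` in that case, and whether it then skips verification or rejects every keyless policy is not visible in this hunk; an arm such as `Err(e) if config.verification_config.is_some() => return Err(e),` placed before the warning arm keeps the fail-closed behaviour when the operator asked for signature checks. The enclosing `PolicyServer` method starts and ends outside the hunks.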