TUF upgrade #485

Merged
merged 3 commits into from
Dec 5, 2024
28 changes: 13 additions & 15 deletions action-constraints.txt
Expand Up @@ -6,8 +6,6 @@
#
annotated-types==0.7.0
# via pydantic
appdirs==1.4.4
# via sigstore
azure-core==1.32.0
# via
# azure-identity
Expand All @@ -30,9 +28,7 @@ cachetools==5.5.0
certifi==2024.8.30
# via requests
cffi==1.17.1
# via
# cryptography
# pynacl
# via cryptography
charset-normalizer==3.4.0
# via requests
click==8.1.7
Expand Down Expand Up @@ -105,6 +101,8 @@ msal-extensions==1.2.0
# via azure-identity
multidict==6.1.0
# via grpclib
platformdirs==4.3.6
# via sigstore
portalocker==2.10.1
# via msal-extensions
proto-plus==1.25.0
Expand All @@ -123,11 +121,12 @@ pyasn1==0.6.1
# via
# pyasn1-modules
# rsa
# sigstore
pyasn1-modules==0.4.1
# via google-auth
pycparser==2.22
# via cffi
pydantic==2.10.1
pydantic==2.10.2
# via
# id
# sigstore
Expand All @@ -136,13 +135,11 @@ pydantic-core==2.27.1
# via pydantic
pygments==2.18.0
# via rich
pyjwt==2.10.0
pyjwt==2.10.1
# via
# msal
# sigstore
pynacl==1.5.0
# via securesystemslib
pyopenssl==24.2.1
pyopenssl==24.3.0
# via sigstore
python-dateutil==2.9.0.post0
# via
Expand All @@ -156,28 +153,29 @@ requests==2.32.3
# msal
# sigstore
# tuf
rfc8785==0.1.4
# via sigstore
rich==13.9.4
# via sigstore
rsa==4.9
# via google-auth
s3transfer==0.10.4
# via boto3
securesystemslib==0.31.0
securesystemslib==1.2.0
# via
# sigstore
# tuf
# tuf-on-ci (repo/pyproject.toml)
sigstore==2.1.5
sigstore==3.5.3
# via securesystemslib
sigstore-protobuf-specs==0.3.2
# via sigstore
sigstore-rekor-types==0.0.11
sigstore-rekor-types==0.0.13
# via sigstore
six==1.16.0
# via
# azure-core
# python-dateutil
tuf==3.1.1
tuf==5.1.0
# via
# sigstore
# tuf-on-ci (repo/pyproject.toml)
4 changes: 2 additions & 2 deletions repo/pyproject.toml
Expand Up @@ -11,8 +11,8 @@ name = "tuf-on-ci"
description = "TUF-on-CI repository tools, intended to be executed on a CI system"
readme = "README.md"
dependencies = [
"securesystemslib[awskms, azurekms, gcpkms, sigstore, pynacl] ~= 0.31.0",
"tuf ~= 3.1",
"securesystemslib[awskms, azurekms, gcpkms, sigstore] ~= 1.2",
"tuf ~= 5.1",
"click ~= 8.1",
]
requires-python = ">=3.10"
38 changes: 19 additions & 19 deletions repo/tuf_on_ci/_repository.py
Expand Up @@ -3,7 +3,7 @@
import os
import shutil
from dataclasses import dataclass
from datetime import datetime, timedelta
from datetime import UTC, datetime, timedelta
from enum import Enum, unique
from glob import glob

Expand Down Expand Up @@ -222,7 +222,7 @@ def close(self, rolename: str, md: Metadata) -> None:

_, expiry_days = self.signing_expiry_period(rolename)

md.signed.expires = datetime.utcnow() + timedelta(days=expiry_days)
md.signed.expires = datetime.now(UTC) + timedelta(days=expiry_days)

md.signatures.clear()
for key in self._get_keys(rolename):
Expand All @@ -244,9 +244,8 @@ def close(self, rolename: str, md: Metadata) -> None:
md.signatures[key.keyid] = Signature(key.keyid, "")

if rolename in ["timestamp", "snapshot"]:
root_md: Metadata[Root] = self.open("root")
# repository should never write unsigned online roles
root_md.verify_delegate(rolename, md)
self.root().verify_delegate(rolename, md.signed_bytes, md.signatures)

self._write(rolename, md)

Expand Down Expand Up @@ -321,7 +320,7 @@ def open_prev(self, role: str) -> Metadata | None:
return None

def _validate_role(
self, delegator: Metadata, rolename: str
self, delegator: Root | Targets, rolename: str
) -> tuple[bool, str | None]:
"""Validate role compatibility with this repository

Expand All @@ -340,7 +339,7 @@ def _validate_role(
return False, f"Version {md.signed.version} is not valid for {rolename}"

days = md.signed.unrecognized_fields["x-tuf-on-ci-expiry-period"]
if md.signed.expires > datetime.utcnow() + timedelta(days=days):
if md.signed.expires > datetime.now(UTC) + timedelta(days=days):
return False, f"Expiry date is further than expected {days} days ahead"

if isinstance(md.signed, Root):
Expand Down Expand Up @@ -384,7 +383,7 @@ def _validate_role(
# * check that target files in metadata match the files in targets/

try:
delegator.verify_delegate(rolename, md)
delegator.verify_delegate(rolename, md.signed_bytes, md.signatures)
except UnsignedMetadataError:
return False, None

Expand Down Expand Up @@ -483,16 +482,18 @@ def _get_signing_status(
# Find delegating metadata. For root handle the special case of known good
# delegating metadata.
if known_good:
delegator = None
delegator: Root | Targets | None = None
if rolename == "root":
delegator = self.open_prev("root")
root_md = self.open_prev("root")
if root_md:
delegator = root_md.signed
if not delegator:
# Not root role or there is no known-good root metadata yet
return None
elif rolename in ["root", "targets"]:
delegator = self.open("root")
delegator = self.root()
else:
delegator = self.open("targets")
delegator = self.targets()

# Build list of invites to all delegated roles of rolename
delegation_names = []
Expand All @@ -503,7 +504,7 @@ def _get_signing_status(
for delegation_name in delegation_names:
invites.update(self.state.invited_signers_for_role(delegation_name))

role = delegator.signed.get_delegated_role(rolename)
role = delegator.get_delegated_role(rolename)

# Build lists of signed signers and not signed signers
for key in self._get_keys(rolename, known_good):
Expand Down Expand Up @@ -585,15 +586,14 @@ def build(self, metadata_path: str, artifact_path: str | None):

def bump_expiring(self, rolename: str) -> int | None:
"""Create a new version of role if it is about to expire"""
now = datetime.utcnow()
bumped = True

with self.edit(rolename) as signed:
signing_days, _ = self.signing_expiry_period(rolename)
delta = timedelta(days=signing_days)

logger.debug(f"{rolename} signing period starts {signed.expires - delta}")
if now + delta < signed.expires:
if datetime.now(UTC) + delta < signed.expires:
# no need to bump version
bumped = False
raise AbortEdit
Expand Down Expand Up @@ -622,13 +622,13 @@ def update_targets(self, rolename: str) -> bool:

def is_signed(self, rolename: str) -> bool:
"""Return True if role is correctly signed"""
role_md = self.open(rolename)
md = self.open(rolename)
if rolename in ["root", "timestamp", "snapshot", "targets"]:
delegator = self.open("root")
delegator: Root | Targets = self.root()
else:
delegator = self.open("targets")
delegator = self.targets()
try:
delegator.verify_delegate(rolename, role_md)
delegator.verify_delegate(rolename, md.signed_bytes, md.signatures)
except UnsignedMetadataError:
return False

Expand All @@ -639,4 +639,4 @@ def is_in_signing_period(self, rolename: str) -> bool:
role_md = self.open(rolename)
signing_days, _ = self.signing_expiry_period(rolename)
delta = timedelta(days=signing_days)
return datetime.utcnow() >= role_md.signed.expires - delta
return datetime.now(UTC) >= role_md.signed.expires - delta
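Review bot: `from datetime import UTC` (the new import at the top of this file) only exists on Python 3.11+, but repo/pyproject.toml in this same PR still declares `requires-python = ">=3.10"`, so installing the repo tools on 3.10 fails at import time. The signer package in this PR uses `from datetime import datetime, timedelta, timezone` and `datetime.now(timezone.utc)`; spelling it the same way here keeps both packages consistent, or alternatively bump requires-python to 3.11 and say why. The switch to aware datetimes itself looks necessary, presumably because `Signed.expires` is timezone-aware in tuf 5 and comparing it against a naive `utcnow()` would raise, so a one-line comment at one of the comparison sites, e.g. `# expires is tz-aware in tuf>=4: always compare against an aware now()`, would explain the change to the next reader. `self.root()` and `self.targets()` are not in the hunks, so their return types are assumed to be the `Root`/`Targets` signed objects the new annotations claim.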
6 changes: 3 additions & 3 deletions signer/pyproject.toml
Expand Up @@ -7,10 +7,10 @@ name = "tuf-on-ci-sign"
description = "Signing tools for TUF-on-CI"
readme = "README.md"
dependencies = [
"packaging >= 23.2,< 25.0",
"packaging ~= 24.0",
"platformdirs ~= 4.2",
"securesystemslib[awskms,azurekms,gcpkms,hsm,sigstore] ~= 0.31.0",
"tuf ~= 3.1",
"securesystemslib[awskms,azurekms,gcpkms,hsm,sigstore] ~= 1.2",
"tuf ~= 5.1",
"click ~= 8.1",
]
requires-python = ">=3.9"
4 changes: 2 additions & 2 deletions signer/tuf_on_ci_sign/_signer_repository.py
Expand Up @@ -11,7 +11,7 @@
import os
from contextlib import AbstractContextManager
from dataclasses import dataclass
from datetime import datetime, timedelta
from datetime import datetime, timedelta, timezone
from enum import Enum, unique

import click
Expand Down Expand Up @@ -348,7 +348,7 @@ def close(self, role: str, md: Metadata) -> None:

# Set expiry based on custom metadata
days = md.signed.unrecognized_fields["x-tuf-on-ci-expiry-period"]
md.signed.expires = datetime.utcnow() + timedelta(days=days)
md.signed.expires = datetime.now(timezone.utc) + timedelta(days=days)

# figure out if there are open invites to delegations of this role
open_invites = False
2 changes: 1 addition & 1 deletion signer/tuf_on_ci_sign/delegate.py
Expand Up @@ -260,7 +260,7 @@ def _collect_online_key(user_config: User) -> Key:
if choice == 0:
# This could be generic support, but for now it's a hidden test key.
# key value 1d9a024348e413892aeeb8cc8449309c152f48177200ee61a02ae56f450c6480
uri = "envvar:LOCAL_TESTING_KEY"
uri = f"file2:{os.getenv('TUF_ON_CI_TEST_KEY')}"
pub_key = "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
return SSlibKey(
"fa47289",
Expand Down
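Review bot: `os.getenv('TUF_ON_CI_TEST_KEY')` returns None when the variable is unset, so the new line silently produces the URI `file2:None`, which is then written into root metadata as `x-tuf-on-ci-online-uri` (see the expected `1.root.json` fixtures in this PR) and only fails later when online signing tries to open that path. Fail fast instead, e.g. `uri = f"file2:{os.environ['TUF_ON_CI_TEST_KEY']}"` (the KeyError names the missing variable), or check the value and raise a ClickException with a clear message. The private key value remains hard-coded in the comment above; that is acceptable for a test-only key, but a comment such as `# test-only key: the private value is public, never use for a real repository` would prevent the file this URI points at from being mistaken for a secret. `_collect_online_key` starts before this hunk, and whether `os` is imported in this module is not visible here.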
7 changes: 4 additions & 3 deletions tests/e2e.sh
Expand Up @@ -16,7 +16,6 @@
# Python dependencies
# * signer: pip install ./signer/
# * repo: pip install ./repo/
# * pynacl: pip install pynacl # for the testing ed25519 key
#
#
# Set DEBUG_TESTS=1 for more visibility. This will leave the temp directories in place.
Expand Down Expand Up @@ -519,7 +518,7 @@ repo_online_sign()

cd $REPO_GIT

if LOCAL_TESTING_KEY=$ONLINE_KEY tuf-on-ci-online-sign --push >> $REPO_DIR/out 2>&1; then
if tuf-on-ci-online-sign --push >> $REPO_DIR/out 2>&1; then
echo "generated=true" >> $REPO_DIR/out
else
echo "generated=false" >> $REPO_DIR/out
Expand Down Expand Up @@ -917,7 +916,9 @@ export TZ="UTC"
WORK_DIR=$(mktemp -d)
SCRIPT_DIR=$(dirname $(readlink -f "$0"))

ONLINE_KEY="1d9a024348e413892aeeb8cc8449309c152f48177200ee61a02ae56f450c6480"
# setup online signing workaround with file based key
export TUF_ON_CI_TEST_KEY=online-test-key
export CRYPTO_SIGNER_PATH_PREFIX=$SCRIPT_DIR

# Run tests
test_basic
Expand Down
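Review bot: The new setup depends on a key file `online-test-key` being resolved under `$SCRIPT_DIR` through `CRYPTO_SIGNER_PATH_PREFIX`, but this diff does not show that file being added, so `repo_online_sign` would fail unless it is committed elsewhere in the PR — worth confirming. The comment could say where the file is read from and what it holds, e.g. `# tuf-on-ci-online-sign resolves the root's file2:online-test-key URI relative to CRYPTO_SIGNER_PATH_PREFIX; the key is the publicly known test key from delegate.py`. Because `CRYPTO_SIGNER_PATH_PREFIX` is exported for the whole run, every signer invocation in this script resolves file2: URIs under tests/, which is presumably intended for e2e only.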
2 changes: 1 addition & 1 deletion tests/expected/basic/metadata/1.root.json
Expand Up @@ -24,7 +24,7 @@
"public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
},
"scheme": "ed25519",
"x-tuf-on-ci-online-uri": "envvar:LOCAL_TESTING_KEY"
"x-tuf-on-ci-online-uri": "file2:online-test-key"
}
},
"roles": {
2 changes: 1 addition & 1 deletion tests/expected/delegated/metadata/1.root.json
Expand Up @@ -24,7 +24,7 @@
"public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
},
"scheme": "ed25519",
"x-tuf-on-ci-online-uri": "envvar:LOCAL_TESTING_KEY"
"x-tuf-on-ci-online-uri": "file2:online-test-key"
}
},
"roles": {
2 changes: 1 addition & 1 deletion tests/expected/multi-user-signing/metadata/1.root.json
Expand Up @@ -32,7 +32,7 @@
"public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
},
"scheme": "ed25519",
"x-tuf-on-ci-online-uri": "envvar:LOCAL_TESTING_KEY"
"x-tuf-on-ci-online-uri": "file2:online-test-key"
}
},
"roles": {
2 changes: 1 addition & 1 deletion tests/expected/multi-user-signing/metadata/2.root.json
Expand Up @@ -32,7 +32,7 @@
"public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
},
"scheme": "ed25519",
"x-tuf-on-ci-online-uri": "envvar:LOCAL_TESTING_KEY"
"x-tuf-on-ci-online-uri": "file2:online-test-key"
}
},
"roles": {
2 changes: 1 addition & 1 deletion tests/expected/online-version-bump/metadata/1.root.json
Expand Up @@ -24,7 +24,7 @@
"public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
},
"scheme": "ed25519",
"x-tuf-on-ci-online-uri": "envvar:LOCAL_TESTING_KEY"
"x-tuf-on-ci-online-uri": "file2:online-test-key"
}
},
"roles": {
2 changes: 1 addition & 1 deletion tests/expected/root-key-rotation/metadata/1.root.json
Expand Up @@ -24,7 +24,7 @@
"public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
},
"scheme": "ed25519",
"x-tuf-on-ci-online-uri": "envvar:LOCAL_TESTING_KEY"
"x-tuf-on-ci-online-uri": "file2:online-test-key"
}
},
"roles": {
2 changes: 1 addition & 1 deletion tests/expected/root-key-rotation/metadata/2.root.json
Expand Up @@ -36,7 +36,7 @@
"public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
},
"scheme": "ed25519",
"x-tuf-on-ci-online-uri": "envvar:LOCAL_TESTING_KEY"
"x-tuf-on-ci-online-uri": "file2:online-test-key"
}
},
"roles": {
Expand Up @@ -24,7 +24,7 @@
"public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
},
"scheme": "ed25519",
"x-tuf-on-ci-online-uri": "envvar:LOCAL_TESTING_KEY"
"x-tuf-on-ci-online-uri": "file2:online-test-key"
}
},
"roles": {
Expand Up @@ -24,7 +24,7 @@
"public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
},
"scheme": "ed25519",
"x-tuf-on-ci-online-uri": "envvar:LOCAL_TESTING_KEY"
"x-tuf-on-ci-online-uri": "file2:online-test-key"
}
},
"roles": {
2 changes: 1 addition & 1 deletion tests/expected/target-file-changes/metadata/1.root.json
Expand Up @@ -32,7 +32,7 @@
"public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
},
"scheme": "ed25519",
"x-tuf-on-ci-online-uri": "envvar:LOCAL_TESTING_KEY"
"x-tuf-on-ci-online-uri": "file2:online-test-key"
}
},
"roles": {