Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use TUF instead of env variables. #159

Merged
merged 9 commits into from
Aug 17, 2022
Merged

Use TUF instead of env variables. #159

merged 9 commits into from
Aug 17, 2022
+114 −24

Conversation

vaikas
Copy link
Collaborator

@vaikas vaikas commented Aug 17, 2022

Summary

Add two new flags that you can use to specify how to initialize TUF root.
--tuf-mirror
--tuf-root

We then do equivalent of cosign initialize with those.

Release Note

  • Add two new flags that allow you to bring in a custom TUF root: --tuf-mirror and --tuf-root.
  • DEPRECATED: Enviromental variables should be considered deprecated as the whole sigstore is moving everything to TUF.

Documentation

vaikas and others added 8 commits August 17, 2022 13:45
@vaikas
Add cosign initialize as an init container to initialize TUF.

Unverified

This user has not yet uploaded their public signing key.
GPG key ID: 9E998DA338EDDE05
Learn about vigilant mode
b22b110 
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
@vaikas
Copy the secret, initialize cosign in tests
7784dbe 
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
@vaikas
sigh, default ns already has tuf-root secret.
7cf20fd 
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
@cpanato @vaikas
add kustomize to add args during e2e tests
f8ac6a3 
Signed-off-by: cpanato <ctadeu@gmail.com>
@cpanato @vaikas
remove cd part
79833b6 
Signed-off-by: cpanato <ctadeu@gmail.com>
@vaikas
do not use TUF_ROOT cause it collides with sigstore/sigstore TUF client.
98a5b19 
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
@vaikas
Use TUF_ROOT_FILE as env variable.
30f5a19 
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
@vaikas
Ditch cosign initcontainer and call tuf.Initialize directly.
c5593f6 
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
@vaikas
Copy link
Collaborator Author

vaikas commented Aug 17, 2022

If all works here, I'd like to use this instead of #157 so that we don't need to bring in the additional initContainer.

@cpanato cpanato requested a review from hectorj2f August 17, 2022 12:43
cpanato
cpanato previously approved these changes Aug 17, 2022
View reviewed changes
hectorj2f
hectorj2f previously approved these changes Aug 17, 2022
View reviewed changes
Copy link
Collaborator

@hectorj2f hectorj2f left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@vaikas
wrong filename :)
75d7e63 
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
@vaikas vaikas dismissed stale reviews from hectorj2f and cpanato via 75d7e63 August 17, 2022 12:54
@codecov-commenter
Copy link

Codecov Report

Merging #159 (75d7e63) into main (9a4d6cc) will decrease coverage by 0.34%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main     #159      +/-   ##
==========================================
- Coverage   63.40%   63.05%   -0.35%     
==========================================
  Files          26       26              
  Lines        2350     2363      +13     
==========================================
  Hits         1490     1490              
- Misses        782      795      +13     
  Partials       78       78
Impacted Files Coverage Δ
cmd/webhook/main.go 0.00% <0.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@vaikas
Copy link
Collaborator Author

vaikas commented Aug 17, 2022

Thanks so much @cpanato for making kustomize work, super neat!

@vaikas vaikas enabled auto-merge August 17, 2022 13:37
@vaikas vaikas merged commit 534b1f8 into sigstore:main Aug 17, 2022
@vaikas vaikas deleted the tuf-init branch August 17, 2022 13:56
@vaikas
Copy link
Collaborator Author

vaikas commented Aug 18, 2022

Documentation changes here:
sigstore/sigstore-website#214

codysoyland added a commit to codysoyland/policy-controller that referenced this pull request Jun 24, 2024
@codysoyland
Remove dependabot for this fork (sigstore#159)
4566c67
codysoyland added a commit to codysoyland/policy-controller that referenced this pull request Jun 24, 2024
@codysoyland @malancas
Add support for Sigstore Bundles using sigstore-go verifier (sigstore…
641c49e 
…#151)

* Remove dependabot for this fork (sigstore#159)

* Add Actions release and attest job (sigstore#147)

* update release workflow

Signed-off-by: Meredith Lancaster <malancas@github.com>

* Grab image digest for attestation step

Signed-off-by: Meredith Lancaster <malancas@github.com>

* comment

Signed-off-by: Meredith Lancaster <malancas@github.com>

* update workflow name

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add release directions

Signed-off-by: Meredith Lancaster <malancas@github.com>

* undo ko config changes

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add fork specific options to ko build call

Signed-off-by: Meredith Lancaster <malancas@github.com>

* Change version format

---------

Signed-off-by: Meredith Lancaster <malancas@github.com>
Co-authored-by: Cody Soyland <codysoyland@github.com>

* set release as target branch (sigstore#161)

Signed-off-by: Meredith Lancaster <malancas@github.com>

* Add support for Sigstore Bundles using sigstore-go verifier

Signed-off-by: Cody Soyland <codysoyland@github.com>

* Update docs

Signed-off-by: Cody Soyland <codysoyland@github.com>

* Rename func

Signed-off-by: Cody Soyland <codysoyland@github.com>

* Comment on observe timestamp setting

Signed-off-by: Cody Soyland <codysoyland@github.com>

* Refactor trusted material, add support for default TUF repo in bundle verifier

Signed-off-by: Cody Soyland <codysoyland@github.com>

* Remove accidental code

Signed-off-by: Cody Soyland <codysoyland@github.com>

* Fix tlog verification options

Signed-off-by: Cody Soyland <codysoyland@github.com>

---------

Signed-off-by: Meredith Lancaster <malancas@github.com>
Signed-off-by: Cody Soyland <codysoyland@github.com>
Co-authored-by: Meredith Lancaster <malancas@users.noreply.github.com>
codysoyland added a commit to codysoyland/policy-controller that referenced this pull request Sep 17, 2024
@codysoyland
Remove dependabot for this fork (sigstore#159)
42618ac
codysoyland added a commit to codysoyland/policy-controller that referenced this pull request Sep 17, 2024
@codysoyland @malancas
Add support for Sigstore Bundles using sigstore-go verifier (sigstore…
def269f 
…#151)

* Remove dependabot for this fork (sigstore#159)

* Add Actions release and attest job (sigstore#147)

* update release workflow

Signed-off-by: Meredith Lancaster <malancas@github.com>

* Grab image digest for attestation step

Signed-off-by: Meredith Lancaster <malancas@github.com>

* comment

Signed-off-by: Meredith Lancaster <malancas@github.com>

* update workflow name

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add release directions

Signed-off-by: Meredith Lancaster <malancas@github.com>

* undo ko config changes

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add fork specific options to ko build call

Signed-off-by: Meredith Lancaster <malancas@github.com>

* Change version format

---------

Signed-off-by: Meredith Lancaster <malancas@github.com>
Co-authored-by: Cody Soyland <codysoyland@github.com>

* set release as target branch (sigstore#161)

Signed-off-by: Meredith Lancaster <malancas@github.com>

* Add support for Sigstore Bundles using sigstore-go verifier

Signed-off-by: Cody Soyland <codysoyland@github.com>

* Update docs

Signed-off-by: Cody Soyland <codysoyland@github.com>

* Rename func

Signed-off-by: Cody Soyland <codysoyland@github.com>

* Comment on observe timestamp setting

Signed-off-by: Cody Soyland <codysoyland@github.com>

* Refactor trusted material, add support for default TUF repo in bundle verifier

Signed-off-by: Cody Soyland <codysoyland@github.com>

* Remove accidental code

Signed-off-by: Cody Soyland <codysoyland@github.com>

* Fix tlog verification options

Signed-off-by: Cody Soyland <codysoyland@github.com>

---------

Signed-off-by: Meredith Lancaster <malancas@github.com>
Signed-off-by: Cody Soyland <codysoyland@github.com>
Co-authored-by: Meredith Lancaster <malancas@users.noreply.github.com>
codysoyland added a commit to codysoyland/policy-controller that referenced this pull request Jan 7, 2025
@codysoyland
Remove dependabot for this fork (sigstore#159)
3e37778
codysoyland added a commit to codysoyland/policy-controller that referenced this pull request Jan 7, 2025
@codysoyland @malancas
Add support for Sigstore Bundles using sigstore-go verifier (sigstore…
df6f1ca 
…#151)

* Remove dependabot for this fork (sigstore#159)

* Add Actions release and attest job (sigstore#147)

* update release workflow

Signed-off-by: Meredith Lancaster <malancas@github.com>

* Grab image digest for attestation step

Signed-off-by: Meredith Lancaster <malancas@github.com>

* comment

Signed-off-by: Meredith Lancaster <malancas@github.com>

* update workflow name

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add release directions

Signed-off-by: Meredith Lancaster <malancas@github.com>

* undo ko config changes

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add fork specific options to ko build call

Signed-off-by: Meredith Lancaster <malancas@github.com>

* Change version format

---------

Signed-off-by: Meredith Lancaster <malancas@github.com>
Co-authored-by: Cody Soyland <codysoyland@github.com>

* set release as target branch (sigstore#161)

Signed-off-by: Meredith Lancaster <malancas@github.com>

* Add support for Sigstore Bundles using sigstore-go verifier

Signed-off-by: Cody Soyland <codysoyland@github.com>

* Update docs

Signed-off-by: Cody Soyland <codysoyland@github.com>

* Rename func

Signed-off-by: Cody Soyland <codysoyland@github.com>

* Comment on observe timestamp setting

Signed-off-by: Cody Soyland <codysoyland@github.com>

* Refactor trusted material, add support for default TUF repo in bundle verifier

Signed-off-by: Cody Soyland <codysoyland@github.com>

* Remove accidental code

Signed-off-by: Cody Soyland <codysoyland@github.com>

* Fix tlog verification options

Signed-off-by: Cody Soyland <codysoyland@github.com>

---------

Signed-off-by: Meredith Lancaster <malancas@github.com>
Signed-off-by: Cody Soyland <codysoyland@github.com>
Co-authored-by: Meredith Lancaster <malancas@users.noreply.github.com>
codysoyland added a commit to codysoyland/policy-controller that referenced this pull request Mar 27, 2025
@codysoyland
Remove dependabot for this fork (sigstore#159)
247e58a
codysoyland added a commit to codysoyland/policy-controller that referenced this pull request Mar 27, 2025
@codysoyland
Add support for Sigstore Bundles using sigstore-go verifier (sigstore…
b71e129 
…#151)

* Remove dependabot for this fork (sigstore#159)

* Add Actions release and attest job (sigstore#147)

* update release workflow

Signed-off-by: Meredith Lancaster <malancas@github.com>

* Grab image digest for attestation step

Signed-off-by: Meredith Lancaster <malancas@github.com>

* comment

Signed-off-by: Meredith Lancaster <malancas@github.com>

* update workflow name

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add release directions

Signed-off-by: Meredith Lancaster <malancas@github.com>

* undo ko config changes

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add fork specific options to ko build call

Signed-off-by: Meredith Lancaster <malancas@github.com>

* Change version format

---------

Signed-off-by: Meredith Lancaster <malancas@github.com>
Co-authored-by: Cody Soyland <codysoyland@github.com>

* set release as target branch (sigstore#161)

Signed-off-by: Meredith Lancaster <malancas@github.com>

* Add support for Sigstore Bundles using sigstore-go verifier

Signed-off-by: Cody Soyland <codysoyland@github.com>

* Update docs

Signed-off-by: Cody Soyland <codysoyland@github.com>

* Rename func

Signed-off-by: Cody Soyland <codysoyland@github.com>

* Comment on observe timestamp setting

Signed-off-by: Cody Soyland <codysoyland@github.com>

* Refactor trusted material, add support for default TUF repo in bundle verifier

Signed-off-by: Cody Soyland <codysoyland@github.com>

* Remove accidental code

Signed-off-by: Cody Soyland <codysoyland@github.com>

* Fix tlog verification options

Signed-off-by: Cody Soyland <codysoyland@github.com>

---------

Signed-off-by: Meredith Lancaster <malancas@github.com>
Signed-off-by: Cody Soyland <codysoyland@github.com>
Co-authored-by: Meredith Lancaster <malancas@users.noreply.github.com>

Fix method name

Signed-off-by: Cody Soyland <codysoyland@github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hectorj2f hectorj2f

@cpanato cpanato

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@vaikas @codecov-commenter @hectorj2f @cpanato