
Provide way to download rekor public key from Sigstore TUF repository #9

Closed
flavio opened this issue Nov 2, 2021 · 3 comments · Fixed by #22
Labels: Blocked (Something that is blocked because of internal/external reasons), enhancement (New feature or request)

Comments

flavio (Member) commented Nov 2, 2021

Currently library end users have to provide the Rekor public key when creating a Cosign Client. This is required to verify the cosign bundles.

Having to specify the Rekor public key is needed when the default public Rekor instance is not used (e.g. for testing, air-gapped environments,...), however this is not what the majority of people will do.

It would be of great help to provide some method that downloads the official Rekor public key from Sigstore's TUF repository. This is what cosign does behind the scenes.

@flavio flavio added the enhancement New feature or request label Nov 2, 2021
@flavio flavio self-assigned this Nov 2, 2021
flavio (Member, Author) commented Nov 2, 2021

We need a Rust library that implements TUF protocol in order to download the public key from Sigstore's TUF repository.

I think tough is a good candidate because it's considered stable and is well maintained.

However, I found some issues while trying to use it; I sent some patches upstream:

@flavio flavio added the Blocked Something that is blocked because of internal/external reasons label Nov 2, 2021
flavio (Member, Author) commented Nov 2, 2021

Currently blocked because of external issues on the tough crate

flavio (Member, Author) commented Jan 24, 2022

Quick update: the issue inside of tough seems to be slowly moving forward. In the meantime I have a branch which is implementing the retrieval of the keys from the TUF repository using the patched tough library.

I'll share more progress later.

flavio added a commit to flavio/sigstore-rs that referenced this issue Jan 27, 2022
Allow Fulcio and Rekor data to be fetched from the official
TUF repository of Sigstore.

A new module is introduced, called `tuf`, which provides helper
structs to interact with a remote TUF repository.

Fixes sigstore#9

Signed-off-by: Flavio Castelli <[email protected]>
@flavio flavio mentioned this issue Jan 27, 2022