Add func to retrieve TrustedRoot from TUF

codysoyland · codysoyland · commit 60096f2420fa · 2025-04-15T10:14:36.000-04:00
Signed-off-by: Cody Soyland <codysoyland@github.com> Sync TUF cache used for sigstore bundle verification (#166) * sync tuf cache used for sigstore bundle verification Signed-off-by: Meredith Lancaster <malancas@github.com> * remove singleton err Signed-off-by: Meredith Lancaster <malancas@github.com> * start adding lock Signed-off-by: Meredith Lancaster <malancas@github.com> * Use RWMutex Signed-off-by: Meredith Lancaster <malancas@github.com> * pr feedback Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com> Fix shadowed trustedroot (#178) * Fix shadowed variable bug This code caused the singleton `trustedRoot` to be returned as nil on subsequent calls. The singleton was shadowed when the variable was redeclared in the `if` block. Signed-off-by: Cody Soyland <codysoyland@github.com> * Remove unused singleton `singletonRootError` was never returned without being overwritten, so it was essentially unused. I think it's wise to always retry the TUF call on future invocations in case of network errors. Signed-off-by: Cody Soyland <codysoyland@github.com> --------- Signed-off-by: Cody Soyland <codysoyland@github.com> Update go.mod Signed-off-by: Cody Soyland <codysoyland@github.com>
diff --git a/go.mod b/go.mod
@@ -64,6 +64,7 @@ require (
 	github.com/go-jose/go-jose/v4 v4.0.5
 	github.com/sigstore/protobuf-specs v0.4.1
 	github.com/sigstore/scaffolding v0.7.22
+	github.com/sigstore/sigstore-go v0.7.1
 	github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.3
 	github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.3
 	github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.3
@@ -228,7 +229,6 @@ require (
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.9.0 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
-	github.com/sigstore/sigstore-go v0.7.1 // indirect
 	github.com/sigstore/timestamp-authority v1.2.5 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
diff --git a/pkg/tuf/repo.go b/pkg/tuf/repo.go
@@ -28,9 +28,12 @@ import (
 	"path/filepath"
 	"runtime"
 	"strings"
+	"sync"
 	"testing/fstest"
 	"time"
 
+	"github.com/sigstore/sigstore-go/pkg/root"
+	"github.com/sigstore/sigstore/pkg/tuf"
 	"github.com/theupdateframework/go-tuf/client"
 	"sigs.k8s.io/release-utils/version"
 )
@@ -294,3 +297,43 @@ func ClientFromRemote(_ context.Context, mirror string, rootJSON []byte, targets
 	}
 	return tufClient, nil
 }
+
+var (
+	mu          sync.RWMutex
+	timestamp   time.Time
+	trustedRoot *root.TrustedRoot
+)
+
+// GetTrustedRoot returns the trusted root for the TUF repository.
+func GetTrustedRoot() (*root.TrustedRoot, error) {
+	now := time.Now().UTC()
+	// check if timestamp has never been or if the current time is more
+	// than 24 hours after the current value of timestamp
+	if timestamp.IsZero() || now.After(timestamp.Add(24*time.Hour)) {
+		mu.Lock()
+		defer mu.Unlock()
+
+		tufClient, err := tuf.NewFromEnv(context.Background())
+		if err != nil {
+			return nil, fmt.Errorf("initializing tuf: %w", err)
+		}
+		// TODO: add support for custom trusted root path
+		targetBytes, err := tufClient.GetTarget("trusted_root.json")
+		if err != nil {
+			return nil, fmt.Errorf("error getting targets: %w", err)
+		}
+		trustedRoot, err = root.NewTrustedRootFromJSON(targetBytes)
+		if err != nil {
+			return nil, fmt.Errorf("error creating trusted root: %w", err)
+		}
+
+		timestamp = now
+
+		return trustedRoot, nil
+	}
+
+	mu.RLock()
+	defer mu.RUnlock()
+
+	return trustedRoot, nil
+}
