Application may have a "more secure" data store than the metadata cache
is: Allow application to bootstrap the Updater with this more secure
root. This means the Updater must also cache the subsequent root versions
(and not just the last one).
* Store versioned root metadata in local cache
* maintain a non versioned symlink to last known good root
* When loading root metadata, look in local cache too
* Add a 'bootstrap' argument to Updater: this allows
initializing the Updater with known good root metadata
instead of trusting the root.json in cache
Additional changes to current functionality:
* when using bootstrap argument, the initial root is written to cache.
This write happens every time Updater is initialized with bootstrap
* The "root.json" symlink is recreated at the end of every refresh()
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This is related to #2762 (that replaces RequestsFetcher with
Urllib3Fetcher) and takes care of the remaining requests use cases in
the code base.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This allows using some more nice annotations from 3.10
while still being compatible with even Python 3.8.
These are all annotation changes, should not modify any functionality.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
* API changes covered:
* keys and interface modules removed
* SSlibSigner removed
* CryptoSigner added: this replaces the removed functionality
* DSSE "signatures" container type changed
* Currently pins a securesystemslib main branch commit:
this shoudl be reverted before merging, when securesystemslib
has made a release
* tests/generated_data/generate_md.py was simplified
* Encrypted test keys in tests/repository_data/keystore were replaced
with the unencrypted PEM versions of the same keys
* The public test keys in tests/repository_data/keystore were removed
as they were not used anymore
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Minor fixes were needed, the only possibly interesting one is
the one in RequestsFetcher (use "yield from").
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This reverts commit b279745886.
... plus related changes from:
"ngclient: change envelope type config to flag".
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
The flag allows adding other envelope types in the future (unlikely),
or parallel support (`METADATA & SIMPLE`) without breaking the API.
Internally, the flag is now just passed on to TrustedMetadataSet as
mandatory parameter. (Optional parameters make less sense when we
control all the invocations.)
This change requires updating all invocations of TrustedMetadataSet,
including the duplication of a test function.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Add `--use-dsse` flag to `download` subcommand of example client, which
can be used to indicate that all metadata is expected to come in a DSSE
envelope.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Change TrustedMetadataSet to load and verify metadata using a
MetadataUnwrapper instance.
IMPORTANT NOTES:
* Requires changing the TrustedMetadataSet to store payloads only, which
is okay, because signatures are no longer needed, after being verified
at load time.
* Includes a minor re-ordering of validation steps. That is, the
version increment for root metadata is now checked after signature
verification. Preserving the order would require including the check in
the Unwrapper interface, which is feasible but does not seem correct wrt
separation of responsibility.
Changes are adopted in updater, tests and _localrepo.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
- adpot changes in dependabot.yml and remove --diff from ruff check.
- select pydocstyle, isort, pyflakes, pep8-naming, pycodestyle for ruff and ignore some small issues / add inline comments.
- adjust docstring length to 80 in various files
Signed-off-by: E3E <ntanzill@purdue.edu>
This is an example of using the verification resutls in a repository.
The only remaining tricky part is in _get_verification_result():
* has to figure out the delegating metadata (something we currently
cannot provide in repository.Repository for the general case)
* Needs a special case for first root
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Change new _Delegator.verify_delegate to take payload bytes and
signatures instead of a Metadata object and a payload serializer.
This allows using verify_delegate for payloads that do not come in
a Metadata container, but e.g. in a DSSE envelope (see #2385).
Usage becomes a bit more cumbersome, but still feels reasonable with the
recently added shortcut for default canonical bytes representation of
Metadata.signed.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Avoid Metadata.verify_delegate() now that it's deprecated.
Note that this commit does not try to make any code cleanups
that are now possible: this is the minimal change to use the new
API.
Future improvements can make code in TrustedMetadataSet and
Updater slightly easier to read: as an example there's no need for
TrustedMetadataSet to actually store or expose actual Metadata in its
cache -- Signed is all that's needed.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
The default value "targets" makes sense because now the top-level
metadata can be accessed in a standard way:
root(), timestamp(), snapshot() and targets()
and likewise for the edit_X() functions
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
These are equivalent to the edit_X() context managers but for cases
where user is not interested in creating a new version of the metadata.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
New names:
do_snapshot()
do_timestamp()
This is in preparation of using the old names for another purpose.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
The advantage here is that code within the context can take advantage
of the correct typing. This is already visible in the example code but
is even more useful in real applications.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
uploader API has two POST endpoints
/api/delegation/<ROLE>
Accepts new delegation keys for targetpath "<ROLE>/*" to role <ROLE>.
This data is not signed in any way: In a real service this action would
require some external authentication.
POST content:
{ <KEYID>: <TUF KEY> }
/api/role/<ROLE>
accepts uploads of new versions of <ROLE> metadata. The metadata
must be correctly signed by the keys assigned to this delegation.
POST content:
TUF targets metadata as json
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This tool works with the example repository: it can be used to
* Add a delegation (this is an unsafe API corresponding to e.g.
project creation in PyPI)
* Submit new delegated role version (this requires using signing keys
already submitted with the delegation)
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
