awslabs / tough

Rust libraries and tools for using and generating TUF repositories

tuftool: Add transfer-metadata command #653

Closed stmcginnis closed 11 months ago

stmcginnis commented 11 months ago

Issue #, if available:

Closes #478

Description of changes:

This adds a new transfer-metadata command to support migrating target and metadata info to a new root. This would previously need to be done by downloading all contents of a previous root and recreating and recalculating SHAs for all targets. With many large targets, this becomes an expensive operation. Since the previous root metadata already contains this information, we can leverage that to just transfer the metadata over to the new root.

Testing done:

Created and signed a new root. Downloaded several versions of existing root.json files used for Bottlerocket updates. Transferred metadata for all existing Bottlerocket repos:

```bash
# Transfer the targets/snapshot/timestamp metadata of every existing repo
# from the old root (4.root.json) to the new root (5.root.json); the newly
# signed metadata for each repo is written under upload/<path>.
for path in \
  2020-02-02/aws-k8s-{1.15,1.16,1.17}/x86_64 \
  2020-07-07/{aws-k8s-{1.15,1.16,1.17,1.18,1.19,1.20,1.21,1.22,1.23,1.24,1.25,1.26,1.27},aws-k8s-{1.21,1.22,1.23,1.24,1.25,1.26,1.27}-nvidia,aws-ecs-1{,-nvidia}}/{x86_64,aarch64} \
  2020-07-07/{vmware-k8s-{1.20,1.21,1.22,1.23,1.24,1.25,1.26,1.27}/x86_64,metal-k8s-{1.21,1.22,1.23,1.24,1.25,1.26,1.27}/x86_64}; do
    mkdir -p "upload/$path"
    tuftool transfer-metadata \
        -k aws-kms://default/alias/bottlerocket-test \
        --current-root 4.root.json --new-root 5.root.json \
        --metadata-url "https://updates.bottlerocket.aws/$path/" \
        --targets-url https://updates.bottlerocket.aws/targets/ \
        --snapshot-expires 'in 3 weeks' --snapshot-version "$(date +%s)" \
        --targets-expires 'in 3 weeks' --targets-version "$(date +%s)" \
        --timestamp-expires 'in 2 weeks' --timestamp-version "$(date +%s)" \
        --outdir "upload/$path"
done
```

Got current targets file:

wget https://updates.bottlerocket.aws/2020-07-07/aws-k8s-1.27/x86_64/1692036725.targets.json

Compared it with the new targets file:

[screenshots of the comparison]

Just the expected changes to the version, signature, and expiration.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
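The check the testing section describes (diffing the old and new targets.json and expecting only the version, expiration and signatures to change) can be automated instead of eyeballed. The script below is an added example in Python; it is not part of tuftool or this PR. The two documents it compares are constructed stand-ins for a real targets.json (the hashes and signature are placeholder bytes, and real metadata carries more fields), and `transfer_targets` only mirrors the idea of the command, copying target entries verbatim and bumping version and expiration, without doing any signing.

```python
"""Verify that targets metadata transferred to a new root still lists
exactly the same targets (path, length, hashes) as the old metadata.

Added example, not code from tuftool or this PR. The sample document is
constructed; its hashes and signature are placeholders, not real digests."""
import copy
import json
import sys

# Fields inside "signed" that a metadata transfer is expected to change.
ALLOWED_CHANGES = {"version", "expires"}

# Constructed stand-in for an old targets.json, trimmed to what the check
# needs (real tough output carries more, e.g. delegations).
OLD_TARGETS_JSON = json.dumps({
    "signatures": [{"keyid": "old-root-key", "sig": "aa" * 32}],
    "signed": {
        "_type": "targets",
        "spec_version": "1.0.0",
        "version": 1692036725,
        "expires": "2023-09-04T18:52:05Z",
        "targets": {
            "bottlerocket-aws-k8s-1.27-x86_64-v1.14.3.img.lz4": {
                "length": 1262485504,
                "hashes": {"sha256": "11" * 32},
            },
            "manifest.json": {
                "length": 2048,
                "hashes": {"sha256": "22" * 32},
            },
        },
    },
})


def sample_old():
    """Parse the constructed old targets.json."""
    return json.loads(OLD_TARGETS_JSON)


def transfer_targets(old_doc, new_version, new_expires):
    """Build the unsigned "signed" section of the new targets.json by copying
    every target entry verbatim and changing only version and expiration.
    This mirrors the idea behind transfer-metadata: no target is downloaded
    or re-hashed. Signing with the new root's key is out of scope here."""
    signed = copy.deepcopy(old_doc["signed"])
    signed["version"] = new_version
    signed["expires"] = new_expires
    return {"signatures": [], "signed": signed}


def compare_targets(old_doc, new_doc):
    """Compare the "signed" sections of two targets.json documents.

    Returns (ok, report). ok is True only when the non-target fields that
    differ are all in ALLOWED_CHANGES and the target map is identical: no
    target missing or added, no length or hash altered. Signatures are
    expected to differ (different key) and are deliberately not compared."""
    old_signed, new_signed = old_doc["signed"], new_doc["signed"]
    old_t = old_signed.get("targets", {})
    new_t = new_signed.get("targets", {})
    report = {
        "changed_fields": sorted(
            k for k in set(old_signed) | set(new_signed)
            if k != "targets" and old_signed.get(k) != new_signed.get(k)
        ),
        "missing_targets": sorted(set(old_t) - set(new_t)),
        "added_targets": sorted(set(new_t) - set(old_t)),
        "altered_targets": [],
    }
    for path in sorted(set(old_t) & set(new_t)):
        # A target counts as unchanged only if length and every hash agree.
        if (old_t[path].get("length") != new_t[path].get("length")
                or old_t[path].get("hashes") != new_t[path].get("hashes")):
            report["altered_targets"].append(path)
    ok = (
        set(report["changed_fields"]) <= ALLOWED_CHANGES
        and not report["missing_targets"]
        and not report["added_targets"]
        and not report["altered_targets"]
    )
    return ok, report


def main(argv):
    """Usage: compare.py OLD.targets.json NEW.targets.json
    With no arguments, runs the constructed sample through a transfer."""
    if len(argv) == 3:
        with open(argv[1]) as f:
            old = json.load(f)
        with open(argv[2]) as f:
            new = json.load(f)
    else:
        old = sample_old()
        new = transfer_targets(old, 1700000000, "2023-12-01T00:00:00Z")
    ok, report = compare_targets(old, new)
    print("OK" if ok else "MISMATCH", json.dumps(report, indent=2))
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the downloaded `1692036725.targets.json` and the freshly written `upload/<path>/<version>.targets.json` as the two arguments; a non-zero exit means something other than version and expiration moved inside `signed`, which is exactly the case (a dropped target, a changed length or digest) that a screenshot comparison can miss.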

stmcginnis commented 11 months ago

> The diff in the testing seems to be comparing the same file?

Sorry, that was a copy-paste error. I've lost the buffer now, but it really was the two different (new targets.json vs old targets.json) files.

stmcginnis commented 11 months ago

Here's a better comparison with more accurate output:

[screenshots of the comparison]

Just the expected changes to the version, signature, and expiration.