repository-service-tuf / repository-service-tuf-worker

Repository Service for TUF: Worker
MIT License

Add priv key uri support to SignerStore #451

Closed lukpueh closed 5 months ago

lukpueh commented 5 months ago

Implements option 2 from repository-service-tuf/repository-service-tuf#580. Supersedes #427 (does not include a custom "relative file path signer"; can be added in a follow-up PR).

--

Change SignerStore.get to load non-cached signers from private key uri configured on the passed public key in a "x-rstuf-online-key-uri" field.

If the public key does not include a uri, RSTUF_KEYVAULT_BACKEND is used as fallback.

securesystemslib.signer.CryptoSigner is "registered" to load signers from private key files. No key-specific secrets handling is added. This means the keys must be stored unencrypted, preferably using the secrets handling of the deployment platform (e.g. docker secrets).

Default schemes in securesystemslib.signer.SIGNER_FOR_URI_SCHEME can be used but are untested.

Tests: Add test to load actual signer from private key file.

Uses new unencrypted ed25519 private key copied from: secure-systems-lab/securesystemslib@7952c3f

Public key stubs in other tests are updated, because signer store now reads the unrecognized_fields attribute, which is mandatory in Key objects.
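The lookup order described in this PR (per-key URI from the `x-rstuf-online-key-uri` field, keyvault backend as fallback, signers cached once loaded, file-backed keys accepted only unencrypted) is sketched below as an added example. It is not code from repository-service-tuf-worker or securesystemslib: the `Key` and `Signer` stand-ins, the loader registry, the `file:<path>?encrypted=...` URI shape and the HMAC placeholder for the real Ed25519 signature are assumptions made so that the block runs offline with no dependencies.

```python
"""Model of a signer store that resolves a private key URI per public key.

Added example for this page, not code from repository-service-tuf-worker
or securesystemslib. Only the "x-rstuf-online-key-uri" field name and the
idea of an RSTUF_KEYVAULT_BACKEND fallback come from the PR text; the Key
and Signer classes, the loader registry and the HMAC stand-in signature
are assumptions made so the block runs offline.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass, field
from typing import Callable, Dict
from urllib.parse import parse_qs, urlparse

ONLINE_KEY_URI_FIELD = "x-rstuf-online-key-uri"


@dataclass
class Key:
    """Stand-in for a TUF public key; unrecognized_fields carries the URI."""
    keyid: str
    unrecognized_fields: Dict[str, str] = field(default_factory=dict)


class Signer:
    """Stand-in signer holding the loaded private key bytes and its URI."""

    def __init__(self, public_key: Key, private_bytes: bytes, uri: str):
        self.public_key = public_key
        self._private_bytes = private_bytes
        self.uri = uri

    def sign(self, payload: bytes) -> bytes:
        # HMAC-SHA256 stands in for the real Ed25519 signature so the
        # example needs no crypto dependency; it is not a TUF signature.
        return hmac.new(self._private_bytes, payload, hashlib.sha256).digest()


def load_from_file(uri: str, public_key: Key) -> Signer:
    """Load an unencrypted private key from a 'file:<path>?encrypted=...' URI.

    The URI shape mirrors securesystemslib's file scheme (assumption). Because
    the store has no secrets handler, an encrypted key is refused outright.
    """
    parsed = urlparse(uri)
    opts = parse_qs(parsed.query)
    if opts.get("encrypted", ["false"])[0].lower() == "true":
        raise ValueError(f"{uri}: encrypted key needs a secrets handler, none configured")
    with open(parsed.path, "rb") as f:
        return Signer(public_key, f.read(), uri)


# Scheme -> loader registry, analogous to securesystemslib's SIGNER_FOR_URI_SCHEME.
SIGNER_FOR_URI_SCHEME: Dict[str, Callable[[str, Key], Signer]] = {"file": load_from_file}


class SignerStore:
    """Resolve and cache signers by keyid, preferring the key's own URI."""

    def __init__(self, fallback_uri: Callable[[Key], str]):
        # fallback_uri models RSTUF_KEYVAULT_BACKEND: consulted only when the
        # public key carries no URI of its own.
        self._fallback_uri = fallback_uri
        self._cache: Dict[str, Signer] = {}

    def get(self, key: Key) -> Signer:
        if key.keyid in self._cache:
            return self._cache[key.keyid]
        uri = key.unrecognized_fields.get(ONLINE_KEY_URI_FIELD) or self._fallback_uri(key)
        scheme = uri.split(":", 1)[0]
        loader = SIGNER_FOR_URI_SCHEME.get(scheme)
        if loader is None:
            raise ValueError(f"unsupported private key uri scheme {scheme!r}")
        signer = loader(uri, key)
        self._cache[key.keyid] = signer
        return signer


def demo() -> Dict[str, bool]:
    """Exercise the store against a constructed key file in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        key_path = os.path.join(tmp, "online.key")
        with open(key_path, "wb") as f:
            f.write(b"constructed-private-key-bytes")  # constructed, not a real key

        store = SignerStore(fallback_uri=lambda k: f"file:{key_path}")
        with_uri = Key("k1", {ONLINE_KEY_URI_FIELD: f"file:{key_path}?encrypted=false"})
        without_uri = Key("k2")
        s1 = store.get(with_uri)
        s2 = store.get(without_uri)

        def refused(k: Key) -> bool:
            try:
                store.get(k)
            except ValueError:
                return True
            return False

        expected_sig = hmac.new(b"constructed-private-key-bytes", b"msg", hashlib.sha256).digest()
        return {
            "uri_from_key": s1.uri.endswith("?encrypted=false"),
            "fallback_used": s2.uri == f"file:{key_path}",
            "cached": store.get(with_uri) is s1,
            "signs": s1.sign(b"msg") == expected_sig,
            "encrypted_refused": refused(Key("k3", {ONLINE_KEY_URI_FIELD: f"file:{key_path}?encrypted=true"})),
            "unknown_scheme_refused": refused(Key("k4", {ONLINE_KEY_URI_FIELD: "hsm:slot0"})),
        }


if __name__ == "__main__":
    print(demo())
```

The two refusals are the part worth keeping in mind when deploying: a key whose URI asks for decryption, or one using a scheme with no registered loader, fails at `get()` time rather than at signing time, so a misconfigured online key surfaces on the first use of that keyid.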

codecov[bot] commented 5 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Comparison is base (331e7e7) 100.00% compared to head (d5d915c) 100.00%.

Additional details and impacted files

```diff
@@            Coverage Diff            @@
##             main     #451     +/-   ##
=========================================
  Coverage   100.00%   100.00%
=========================================
  Files           15        15
  Lines         1035      1039     +4
=========================================
+ Hits          1035      1039     +4
```
