sigstore / root-signing

TUF repository for Sigstore trust root
Apache License 2.0

Update Snapshot and Timestamp #1163

Closed sigstore-bot closed 3 months ago

sigstore-bot commented 3 months ago

Sign snapshot and timestamp files

kommendorkapten commented 3 months ago

I cross-referenced all keys in root.json by looking at the new key id, which PEM-encoded key it referred to, then looked at the previous key id for that and made sure it was correct; see README for the details.
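
The key-id cross-check described in the comment above, as an added example that is not code from sigstore/root-signing or cosign: it recomputes each keyid as the hex SHA-256 of the canonical JSON of the key object (the TUF convention python-tuf and go-tuf follow) and maps every key in a new root to the key in the previous root with the same PEM. The key objects, the placeholder PEM strings, the deliberately wrong keyid and the keyid-scheme change for key B are constructed for illustration; the exact procedure the README prescribes may differ.

```python
"""Cross-reference TUF key IDs between two root.json versions.

Added example; not code from sigstore/root-signing or cosign. It assumes
the TUF convention that a keyid is the hex SHA-256 of the canonical JSON
(OLPC canonical JSON) of the key object. The PEM strings below are
constructed placeholders, not real Sigstore keys.
"""
import hashlib


def canonical_json(obj) -> bytes:
    """OLPC canonical JSON: sorted keys, no whitespace, only '"' and '\\'
    escaped in strings. Floats are rejected (canonical JSON has none)."""
    if obj is None:
        return b"null"
    if obj is True:
        return b"true"
    if obj is False:
        return b"false"
    if isinstance(obj, int):
        return str(obj).encode()
    if isinstance(obj, str):
        escaped = obj.replace("\\", "\\\\").replace('"', '\\"')
        return b'"' + escaped.encode() + b'"'
    if isinstance(obj, list):
        return b"[" + b",".join(canonical_json(x) for x in obj) + b"]"
    if isinstance(obj, dict):
        items = sorted(obj.items(), key=lambda kv: kv[0])
        body = b",".join(canonical_json(k) + b":" + canonical_json(v) for k, v in items)
        return b"{" + body + b"}"
    raise TypeError(f"unsupported type in canonical JSON: {type(obj).__name__}")


def keyid_of(key: dict) -> str:
    """keyid = sha256(canonical_json(key object)), hex encoded (assumed convention)."""
    return hashlib.sha256(canonical_json(key)).hexdigest()


def check_keyids(root: dict) -> list:
    """keyids in root['signed']['keys'] whose key object does not hash to them."""
    keys = root["signed"]["keys"]
    return sorted(kid for kid, key in keys.items() if keyid_of(key) != kid)


def cross_reference(old_root: dict, new_root: dict) -> dict:
    """Map each keyid in new_root to its relation to old_root:
    'mismatch'         keyid does not match the key object (tampered/mislabelled)
    'unchanged'        same PEM under the same keyid
    'renamed:<oldkid>' same PEM, but the key object changed so the keyid moved
    'new'              PEM not present in old_root at all
    """
    old_by_pem = {k["keyval"]["public"]: kid
                  for kid, k in old_root["signed"]["keys"].items()}
    result = {}
    for kid, key in new_root["signed"]["keys"].items():
        pem = key["keyval"]["public"]
        if keyid_of(key) != kid:
            result[kid] = "mismatch"
        elif pem not in old_by_pem:
            result[kid] = "new"
        elif old_by_pem[pem] == kid:
            result[kid] = "unchanged"
        else:
            result[kid] = "renamed:" + old_by_pem[pem]
    return result


def make_key(pem: str, hash_algs=("sha256", "sha512")) -> dict:
    """Key object in the shape root.json uses for ECDSA keys (constructed here)."""
    return {
        "keytype": "ecdsa-sha2-nistp256",
        "scheme": "ecdsa-sha2-nistp256",
        "keyid_hash_algorithms": list(hash_algs),
        "keyval": {"public": pem},
    }


# Constructed placeholder PEMs; real keys carry a base64 SPKI blob.
PEM_A = "-----BEGIN PUBLIC KEY-----\nconstructed-key-A\n-----END PUBLIC KEY-----\n"
PEM_B = "-----BEGIN PUBLIC KEY-----\nconstructed-key-B\n-----END PUBLIC KEY-----\n"
PEM_C = "-----BEGIN PUBLIC KEY-----\nconstructed-key-C\n-----END PUBLIC KEY-----\n"
PEM_D = "-----BEGIN PUBLIC KEY-----\nconstructed-key-D\n-----END PUBLIC KEY-----\n"
BOGUS_KEYID = "00" * 32  # wrong on purpose: does not hash from key C


def build_sample_roots():
    """Old root (v8) and new root (v9) exercising every status above (constructed)."""
    key_a = make_key(PEM_A)
    key_b_old = make_key(PEM_B)
    key_b_new = make_key(PEM_B, hash_algs=("sha256",))  # same PEM, keyid moves
    key_c, key_d = make_key(PEM_C), make_key(PEM_D)
    old_root = {"signed": {"_type": "root", "version": 8, "keys": {
        keyid_of(key_a): key_a, keyid_of(key_b_old): key_b_old}}}
    new_root = {"signed": {"_type": "root", "version": 9, "keys": {
        keyid_of(key_a): key_a, keyid_of(key_b_new): key_b_new,
        BOGUS_KEYID: key_c, keyid_of(key_d): key_d}}}
    return old_root, new_root


if __name__ == "__main__":
    old, new = build_sample_roots()
    print("keyid mismatches:", check_keyids(new))
    for kid, status in cross_reference(old, new).items():
        print(kid[:16], status)
```

Run it against two real root.json files by loading them with json.load and passing the dicts to cross_reference; a "mismatch" or an unexpected "new" entry is what the manual cross-check in the comment is meant to catch.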

kommendorkapten commented 3 months ago
./verify repository \
           --repository `pwd`/repository \
           --root `pwd`/repository/repository/root.json \
           --targets registry.npmjs.org/keys.json,trusted_root.json
VERIFYING TUF CLIENT UPDATE

Client successfully initialized, updating and downloading targets...
Client updated to...
    root.json version 9, expires 2024/09/12
    timestamp.json version 166, expires 2024/03/20
    snapshot.json version 130, expires 2024/04/03
    targets.json version 9, expires 2024/09/12

Retrieved target registry.npmjs.org/keys.json...
{
    "keys": [
...
kommendorkapten commented 3 months ago

Verify cosign initialization:

$ ./cosign initialize --mirror http://localhost:8081 --root /Users/kommendorkapten/git/root-signing/repository/repository/5.root.json
Root status:
 {
    "local": "/Users/kommendorkapten/.sigstore/root",
    "remote": "http://localhost:8081",
    "metadata": {
        "root.json": {
            "version": 9,
            "len": 6766,
            "expiration": "12 Sep 24 06:53 UTC",
            "error": ""
        },
        "snapshot.json": {
            "version": 130,
            "len": 2304,
            "expiration": "03 Apr 24 06:41 UTC",
            "error": ""
        },
        "targets.json": {
            "version": 9,
            "len": 5478,
            "expiration": "12 Sep 24 06:13 UTC",
            "error": ""
        },
        "timestamp.json": {
            "version": 166,
            "len": 721,
            "expiration": "20 Mar 24 06:41 UTC",
            "error": ""
        }
    },
...

And the repository side:

kommendorkapten@m1m14:~/git/root-signing/repository/repository % python3 -m http.server 8081
Serving HTTP on :: port 8081 (http://[::]:8081/) ...
::1 - - [13/Mar/2024 08:05:11] "GET /6.root.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 08:05:11] "GET /7.root.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 08:05:11] "GET /8.root.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 08:05:11] "GET /9.root.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 08:05:11] code 404, message File not found
::1 - - [13/Mar/2024 08:05:11] "GET /10.root.json HTTP/1.1" 404 -
::1 - - [13/Mar/2024 08:05:11] "GET /timestamp.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 08:05:11] "GET /130.snapshot.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 08:05:11] "GET /9.targets.json HTTP/1.1" 200 -
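
The request sequence in the mirror log above (6.root.json through 9.root.json, a 404 on 10.root.json, then timestamp.json, the snapshot version named in timestamp, and the targets version named in snapshot) is the TUF client update flow. The following added example, which is not cosign or python-tuf code, replays that walk against a local directory of constructed, unsigned metadata carrying the same version numbers and expiry dates as the output above; it checks only the version and expiry chain and deliberately omits signature verification, which a real client performs on every file it fetches.

```python
"""Replay the fetch sequence from the mirror log against a local TUF
repository directory and check the version/expiry chain.

Added example, not cosign or python-tuf code. Each metadata file must be
the version the previous one names and must not have expired; signature
verification against the root's keys is deliberately left out. The
metadata written by build_sample_repo() is constructed.
"""
import json
import os
import tempfile
from datetime import datetime, timezone

EXPIRES_FMT = "%Y-%m-%dT%H:%M:%SZ"
LOG_TIME = datetime(2024, 3, 13, 8, 5, tzinfo=timezone.utc)   # time of the log
AFTER_TIMESTAMP_EXPIRY = datetime(2024, 3, 21, tzinfo=timezone.utc)


def load(repo: str, name: str):
    """Return parsed metadata, or None where an HTTP mirror would answer 404."""
    path = os.path.join(repo, name)
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return json.load(f)


def is_expired(signed: dict, now: datetime) -> bool:
    exp = datetime.strptime(signed["expires"], EXPIRES_FMT).replace(tzinfo=timezone.utc)
    return exp <= now


def walk_repository(repo: str, trusted_root_version: int, now: datetime) -> dict:
    """Follow root chain -> timestamp -> snapshot -> targets.
    Returns the resulting trusted versions and the files requested, in order."""
    fetched = []
    root = load(repo, f"{trusted_root_version}.root.json")
    if root is None:
        raise ValueError("trusted root not found")
    version = trusted_root_version
    # 1. Root rotation: request N+1.root.json until the mirror has no more.
    while True:
        name = f"{version + 1}.root.json"
        fetched.append(name)
        nxt = load(repo, name)
        if nxt is None:
            break
        if nxt["signed"]["version"] != version + 1:
            raise ValueError(f"{name}: version field {nxt['signed']['version']}")
        root, version = nxt, version + 1
    if is_expired(root["signed"], now):
        raise ValueError("latest root expired")
    # 2. Timestamp is unversioned; the client always takes the freshest.
    fetched.append("timestamp.json")
    ts = load(repo, "timestamp.json")
    if ts is None or is_expired(ts["signed"], now):
        raise ValueError("timestamp missing or expired")
    # 3. Snapshot at exactly the version timestamp names (consistent snapshot).
    snap_ver = ts["signed"]["meta"]["snapshot.json"]["version"]
    name = f"{snap_ver}.snapshot.json"
    fetched.append(name)
    snap = load(repo, name)
    if snap is None or snap["signed"]["version"] != snap_ver:
        raise ValueError(f"{name}: missing or version mismatch")
    if is_expired(snap["signed"], now):
        raise ValueError("snapshot expired")
    # 4. Targets at exactly the version snapshot names.
    tgt_ver = snap["signed"]["meta"]["targets.json"]["version"]
    name = f"{tgt_ver}.targets.json"
    fetched.append(name)
    tgt = load(repo, name)
    if tgt is None or tgt["signed"]["version"] != tgt_ver:
        raise ValueError(f"{name}: missing or version mismatch")
    if is_expired(tgt["signed"], now):
        raise ValueError("targets expired")
    return {"root": version, "timestamp": ts["signed"]["version"],
            "snapshot": snap_ver, "targets": tgt_ver, "fetched": fetched}


def build_sample_repo() -> str:
    """Constructed, unsigned metadata with the versions and expiries from the log."""
    repo = tempfile.mkdtemp()

    def write(name, signed):
        with open(os.path.join(repo, name), "w") as f:
            json.dump({"signatures": [], "signed": signed}, f)

    for v in range(5, 10):  # 5.root.json .. 9.root.json; 10.root.json is absent
        write(f"{v}.root.json",
              {"_type": "root", "version": v, "expires": "2024-09-12T06:53:00Z"})
    write("timestamp.json", {"_type": "timestamp", "version": 166,
                             "expires": "2024-03-20T06:41:00Z",
                             "meta": {"snapshot.json": {"version": 130}}})
    write("130.snapshot.json", {"_type": "snapshot", "version": 130,
                                "expires": "2024-04-03T06:41:00Z",
                                "meta": {"targets.json": {"version": 9}}})
    write("9.targets.json", {"_type": "targets", "version": 9,
                             "expires": "2024-09-12T06:13:00Z"})
    return repo


if __name__ == "__main__":
    print(walk_repository(build_sample_repo(), 5, LOG_TIME))
```

Starting from 5.root.json at the log's time, the walk requests the same eight files in the same order as the mirror log; run it with a date after 20 March 2024 and it stops at the expired timestamp, which is the failure mode this PR's timestamp refresh exists to prevent.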
kommendorkapten commented 3 months ago

I will look into the failing client tests now.