sigstore / root-signing

TUF repository for Sigstore trust root
Apache License 2.0

Merge ceremony branch ceremony/2024-03-12 into main #1164

Open sigstore-bot opened 3 months ago

sigstore-bot commented 3 months ago

Merge ceremony branch to main

kommendorkapten commented 3 months ago

Cosign, local verification:

$ ./cosign initialize --root /Users/kommendorkapten/git/root-signing/repository/repository/5.root.json --mirror http://localhost:8081
Root status:
 {
    "local": "/Users/kommendorkapten/.sigstore/root",
    "remote": "http://localhost:8081",
    "metadata": {
        "root.json": {
            "version": 9,
            "len": 6766,
            "expiration": "12 Sep 24 06:53 UTC",
            "error": ""
        },
        "snapshot.json": {
            "version": 130,
            "len": 2304,
            "expiration": "03 Apr 24 06:41 UTC",
            "error": ""
        },
        "targets.json": {
            "version": 9,
            "len": 5478,
            "expiration": "12 Sep 24 06:13 UTC",
            "error": ""
        },
        "timestamp.json": {
            "version": 166,
            "len": 721,
            "expiration": "20 Mar 24 06:41 UTC",
            "error": ""
        }
    },
    "targets": [
        "ctfe_2022.pub",
        "fulcio.crt.pem",
        "fulcio_intermediate_v1.crt.pem",
        "fulcio_v1.crt.pem",
        "rekor.pub",
        "trusted_root.json",
        "artifact.pub",
        "ctfe.pub"
    ]
}
kommendorkapten commented 3 months ago

Javascript:

$ tuf download --metadata-base-url http://localhost:8081 --root /Users/kommendorkapten/git/root-signing/repository/repository/5.root.json --target-name registry.npmjs.org/keys.json
{
    "keys": [
        {
            "keyId": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA",
            "keyUsage": "npm:signatures",
            "publicKey": {
                "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==",
                "keyDetails": "PKIX_ECDSA_P256_SHA_256",
                "validFor": {
                    "start": "1999-01-01T00:00:00.000Z"
                }
            }
        },
        {
            "keyId": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA",
            "keyUsage": "npm:attestations",
            "publicKey": {
                "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==",
                "keyDetails": "PKIX_ECDSA_P256_SHA_256",
                "validFor": {
                    "start": "2022-12-01T00:00:00.000Z"
                }
            }
        }
    ]
}

And the server:

$ python3 -m http.server 8081
Serving HTTP on :: port 8081 (http://[::]:8081/) ...
::1 - - [13/Mar/2024 13:59:01] "GET /6.root.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /7.root.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /8.root.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /9.root.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] code 404, message File not found
::1 - - [13/Mar/2024 13:59:01] "GET /10.root.json HTTP/1.1" 404 -
::1 - - [13/Mar/2024 13:59:01] "GET /timestamp.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /130.snapshot.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /9.targets.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /3.registry.npmjs.org.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /targets/registry.npmjs.org/7a8ec9678ad824cdccaa7a6dc0961caf8f8df61bc7274189122c123446248426.keys.json HTTP/1.1" 200 -
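The request sequence in that server log is the TUF consistent-snapshot walk: roots 6 through 9 are fetched one version at a time until 10.root.json returns 404, then timestamp.json pins the snapshot version, the snapshot pins the targets and delegated-role versions, and the target itself is fetched under its SHA-256-prefixed name. The script below is an added illustration (not code from this repository, cosign or tuf-js) that replays that walk against a constructed in-memory copy of the repository, with metadata reduced to the fields the walk needs and signature verification left out; the only checks it keeps are that each new root increments by exactly one and that the downloaded target matches the hash pinned in the delegated metadata.

```python
import hashlib
import json

# Constructed stand-in for the repository the local http.server above was serving.
# Metadata bodies are reduced to the fields the walk needs; signatures are omitted
# (cosign and tuf-js verify those against the keys of the previous root).
KEYS_BODY = b'{"keys": []}'
KEYS_HASH = hashlib.sha256(KEYS_BODY).hexdigest()
REPO = {
    **{f"{v}.root.json": json.dumps({"version": v}).encode() for v in range(5, 10)},
    "timestamp.json": json.dumps({"version": 166, "snapshot": 130}).encode(),
    "130.snapshot.json": json.dumps(
        {"version": 130, "meta": {"targets.json": 9, "registry.npmjs.org.json": 3}}).encode(),
    "9.targets.json": json.dumps({"version": 9, "delegations": ["registry.npmjs.org"]}).encode(),
    "3.registry.npmjs.org.json": json.dumps(
        {"version": 3, "targets": {"registry.npmjs.org/keys.json": KEYS_HASH}}).encode(),
    f"targets/registry.npmjs.org/{KEYS_HASH}.keys.json": KEYS_BODY,
}


def fetch(repo, path, log):
    """Record each request; a missing file stands in for the server's 404."""
    log.append(path)
    return repo.get(path)


def update_and_download(repo, trusted_root_version, target_name):
    """Walk roots N+1.. until 404, then the versions pinned by timestamp and snapshot."""
    log, root_version = [], trusted_root_version
    while (nxt := fetch(repo, f"{root_version + 1}.root.json", log)) is not None:
        if json.loads(nxt)["version"] != root_version + 1:
            raise ValueError("root version must increase by exactly one")
        root_version += 1
    ts = json.loads(fetch(repo, "timestamp.json", log))
    snap = json.loads(fetch(repo, f"{ts['snapshot']}.snapshot.json", log))
    top = json.loads(fetch(repo, f"{snap['meta']['targets.json']}.targets.json", log))
    # The target name is prefixed by the delegated role that owns it.
    role = next(d for d in top["delegations"] if target_name.startswith(d + "/"))
    deleg = json.loads(fetch(repo, f"{snap['meta'][role + '.json']}.{role}.json", log))
    expected = deleg["targets"][target_name]
    directory, basename = target_name.rsplit("/", 1)
    # Consistent snapshot: the hash sits in the file name, and the body must match it.
    body = fetch(repo, f"targets/{directory}/{expected}.{basename}", log)
    if body is None or hashlib.sha256(body).hexdigest() != expected:
        raise ValueError("target content does not match the hash pinned in metadata")
    return root_version, body, log
```

The returned request log reproduces the GET sequence in the http.server output line for line, and swapping the target body without updating the metadata makes the final hash check fail.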
kommendorkapten commented 3 months ago

Current work on disk:

$ ./cosign initialize --mirror http://localhost:8081 --root /Users/kommendorkapten/git/root-signing/repository/repository/5.root.json
Root status:
 {
    "local": "/Users/kommendorkapten/.sigstore/root",
    "remote": "http://localhost:8081",
    "metadata": {
        "root.json": {
            "version": 9,
            "len": 6766,
            "expiration": "12 Sep 24 06:53 UTC",
            "error": ""
        },
        "snapshot.json": {
            "version": 130,
            "len": 2304,
            "expiration": "03 Apr 24 06:41 UTC",
            "error": ""
        },
        "targets.json": {
            "version": 9,
            "len": 5478,
            "expiration": "12 Sep 24 06:13 UTC",
            "error": ""
        },
        "timestamp.json": {
            "version": 166,
            "len": 721,
            "expiration": "20 Mar 24 06:41 UTC",
            "error": ""
        }
    },
    "targets": [
        "fulcio_v1.crt.pem",
        "rekor.pub",
        "trusted_root.json",
        "artifact.pub",
        "ctfe.pub",
        "ctfe_2022.pub",
        "fulcio.crt.pem",
        "fulcio_intermediate_v1.crt.pem"
    ]
}
kommendorkapten@m1m14:~/git/cosign % ./cosign version
  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v1.13.1-32-g43bde0e2-dirty
GitCommit:     43bde0e2012243fa78363202545e5372b26a29c2
GitTreeState:  dirty
BuildDate:     2022-11-03T09:02:22Z
GoVersion:     go1.21.6
Compiler:      gc
Platform:      darwin/arm64