Open sigstore-bot opened 3 months ago
Cosign, local verification:
$ ./cosign initialize --root /Users/kommendorkapten/git/root-signing/repository/repository/5.root.json --mirror http://localhost:8081
Root status:
{
"local": "/Users/kommendorkapten/.sigstore/root",
"remote": "http://localhost:8081",
"metadata": {
"root.json": {
"version": 9,
"len": 6766,
"expiration": "12 Sep 24 06:53 UTC",
"error": ""
},
"snapshot.json": {
"version": 130,
"len": 2304,
"expiration": "03 Apr 24 06:41 UTC",
"error": ""
},
"targets.json": {
"version": 9,
"len": 5478,
"expiration": "12 Sep 24 06:13 UTC",
"error": ""
},
"timestamp.json": {
"version": 166,
"len": 721,
"expiration": "20 Mar 24 06:41 UTC",
"error": ""
}
},
"targets": [
"ctfe_2022.pub",
"fulcio.crt.pem",
"fulcio_intermediate_v1.crt.pem",
"fulcio_v1.crt.pem",
"rekor.pub",
"trusted_root.json",
"artifact.pub",
"ctfe.pub"
]
}
JavaScript:
$ tuf download --metadata-base-url http://localhost:8081 --root /Users/kommendorkapten/git/root-signing/repository/repository/5.root.json --target-name registry.npmjs.org/keys.json
{
"keys": [
{
"keyId": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA",
"keyUsage": "npm:signatures",
"publicKey": {
"rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==",
"keyDetails": "PKIX_ECDSA_P256_SHA_256",
"validFor": {
"start": "1999-01-01T00:00:00.000Z"
}
}
},
{
"keyId": "SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA",
"keyUsage": "npm:attestations",
"publicKey": {
"rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg==",
"keyDetails": "PKIX_ECDSA_P256_SHA_256",
"validFor": {
"start": "2022-12-01T00:00:00.000Z"
}
}
}
]
}
And the server:
$ python3 -m http.server 8081
Serving HTTP on :: port 8081 (http://[::]:8081/) ...
::1 - - [13/Mar/2024 13:59:01] "GET /6.root.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /7.root.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /8.root.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /9.root.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] code 404, message File not found
::1 - - [13/Mar/2024 13:59:01] "GET /10.root.json HTTP/1.1" 404 -
::1 - - [13/Mar/2024 13:59:01] "GET /timestamp.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /130.snapshot.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /9.targets.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /3.registry.npmjs.org.json HTTP/1.1" 200 -
::1 - - [13/Mar/2024 13:59:01] "GET /targets/registry.npmjs.org/7a8ec9678ad824cdccaa7a6dc0961caf8f8df61bc7274189122c123446248426.keys.json HTTP/1.1" 200 -
Current work on disk:
$ ./cosign initialize --mirror http://localhost:8081 --root /Users/kommendorkapten/git/root-signing/repository/repository/5.root.json
Root status:
{
"local": "/Users/kommendorkapten/.sigstore/root",
"remote": "http://localhost:8081",
"metadata": {
"root.json": {
"version": 9,
"len": 6766,
"expiration": "12 Sep 24 06:53 UTC",
"error": ""
},
"snapshot.json": {
"version": 130,
"len": 2304,
"expiration": "03 Apr 24 06:41 UTC",
"error": ""
},
"targets.json": {
"version": 9,
"len": 5478,
"expiration": "12 Sep 24 06:13 UTC",
"error": ""
},
"timestamp.json": {
"version": 166,
"len": 721,
"expiration": "20 Mar 24 06:41 UTC",
"error": ""
}
},
"targets": [
"fulcio_v1.crt.pem",
"rekor.pub",
"trusted_root.json",
"artifact.pub",
"ctfe.pub",
"ctfe_2022.pub",
"fulcio.crt.pem",
"fulcio_intermediate_v1.crt.pem"
]
}
kommendorkapten@m1m14:~/git/cosign % ./cosign version
______ ______ _______. __ _______ .__ __.
/ | / __ \ / || | / _____|| \ | |
| ,----'| | | | | (----`| | | | __ | \| |
| | | | | | \ \ | | | | |_ | | . ` |
| `----.| `--' | .----) | | | | |__| | | |\ |
\______| \______/ |_______/ |__| \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.
GitVersion: v1.13.1-32-g43bde0e2-dirty
GitCommit: 43bde0e2012243fa78363202545e5372b26a29c2
GitTreeState: dirty
BuildDate: 2022-11-03T09:02:22Z
GoVersion: go1.21.6
Compiler: gc
Platform: darwin/arm64
Merge ceremony branch to main