Fetch Sigstore trust root through TUF #605

Open

haydentherapper opened this issue Apr 15, 2024 · 4 comments
Comments

@haydentherapper

Looking at https://github.com/ossf/scorecard-webapp/tree/f55dfbf0ddc1620a716f571636569e01e2e222c5/app/server, it appears that the Sigstore trust root metadata, rekor.pub and fulcio_v1.crt and the intermediate, are embedded in the repository. If the metadata were rotated, this would break verification.

I would recommend dynamically fetching the TUF metadata using a TUF client such as https://github.com/sigstore/sigstore-go/blob/main/pkg/tuf/client.go.

@spencerschrock (Member)

To clarify, are you referring to this sort of workflow?

> Fulcio's certificate chain can be obtained from the TrustBundle API, for example for the public instance (https://fulcio.sigstore.dev). To verify the public instance, you must verify the chain using Sigstore's TUF root from the sigstore/root-signing repository.

https://github.com/sigstore/fulcio/tree/9279738ef7cc314a9c7e9fa13de7c0d6079d17d4?tab=readme-ov-file#public-instance

@haydentherapper (Author)

I should probably delete that section, I would not recommend using the TUF client directly. Instead I'd recommend the Sigstore TUF client linked above, as it handles both the TUF verification and extracting the relevant Sigstore metadata. See https://github.com/sigstore/sigstore-go/blob/main/cmd/sigstore-go/main.go#L126-L187.

@spencerschrock (Member)

Gotcha. So something like:

```go
package main

import (
	"log"

	"github.com/sigstore/sigstore-go/pkg/root"
	"github.com/sigstore/sigstore-go/pkg/tuf"
)

// fetchFulcioCAs resolves the Sigstore trust root through TUF at runtime
// instead of reading certificates embedded in the repository.
func fetchFulcioCAs() error {
	// TUF client preconfigured for the public Sigstore root.
	client, err := tuf.DefaultClient()
	if err != nil {
		return err
	}
	// TUF-verified target carrying the CA chains and transparency log keys.
	trustedRootJSON, err := client.GetTarget("trusted_root.json")
	if err != nil {
		return err
	}
	trustedRoot, err := root.NewTrustedRootFromJSON(trustedRootJSON)
	if err != nil {
		return err
	}
	ca := trustedRoot.FulcioCertificateAuthorities()
	for _, c := range ca {
		log.Println(c.Root)
		for _, intermediate := range c.Intermediates {
			log.Println(intermediate)
		}
	}
	return nil
}
```

@haydentherapper (Author)

Exactly! And RekorLogs for the transparency log keys.
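The failure mode the issue opens with, a rotated Rekor key breaking a verifier that embeds rekor.pub, shown as an added example that is not part of this thread, of scorecard-webapp or of sigstore-go. The `transparencyLog` struct is a hypothetical, simplified stand-in for one entry of the trust root's log list (not sigstore-go's type), the log ID derivation (SHA-256 over the DER SubjectPublicKeyInfo) is an assumption about how Rekor identifies a log, and both keys and the entry body are generated or constructed in-process so the program runs offline:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// transparencyLog is a hypothetical, simplified model of one entry in the
// trust root's Rekor log list: the log key plus the window in which the log
// signed with it. It is not sigstore-go's TransparencyLog type.
type transparencyLog struct {
	PublicKey  *ecdsa.PublicKey
	ValidStart time.Time
	ValidEnd   time.Time // zero value: key still active
}

// logID derives the lookup key for a log: hex SHA-256 over the DER-encoded
// SubjectPublicKeyInfo (assumption: mirrors how Rekor derives its log ID).
func logID(pub *ecdsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// buildTrustRoot models one rotation: oldPub was used until rotatedAt, newPub after.
func buildTrustRoot(oldPub, newPub *ecdsa.PublicKey, rotatedAt time.Time) (map[string]transparencyLog, error) {
	logs := make(map[string]transparencyLog)
	oldID, err := logID(oldPub)
	if err != nil {
		return nil, err
	}
	newID, err := logID(newPub)
	if err != nil {
		return nil, err
	}
	logs[oldID] = transparencyLog{PublicKey: oldPub, ValidStart: rotatedAt.AddDate(-1, 0, 0), ValidEnd: rotatedAt}
	logs[newID] = transparencyLog{PublicKey: newPub, ValidStart: rotatedAt}
	return logs, nil
}

// verifyWithEmbeddedKey is the pattern the issue warns about: a single key
// baked into the binary, so anything the log signs after rotation fails.
func verifyWithEmbeddedKey(pub *ecdsa.PublicKey, payload, sig []byte) bool {
	digest := sha256.Sum256(payload)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// verifyWithTrustRoot selects the log key by ID from the fetched trust root,
// rejects entries integrated outside that key's validity window, then verifies.
func verifyWithTrustRoot(logs map[string]transparencyLog, id string, integratedTime time.Time, payload, sig []byte) error {
	tl, ok := logs[id]
	if !ok {
		return fmt.Errorf("log id %s not in trust root", id)
	}
	if integratedTime.Before(tl.ValidStart) || (!tl.ValidEnd.IsZero() && integratedTime.After(tl.ValidEnd)) {
		return errors.New("entry integrated outside the key's validity window")
	}
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(tl.PublicKey, digest[:], sig) {
		return errors.New("signature does not verify under the selected log key")
	}
	return nil
}

// signEntry produces the signature a log would place over an entry body.
func signEntry(priv *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

func main() {
	oldKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	newKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rotatedAt := time.Date(2024, 4, 1, 0, 0, 0, 0, time.UTC)
	logs, _ := buildTrustRoot(&oldKey.PublicKey, &newKey.PublicKey, rotatedAt)

	// Constructed entry body, signed by the post-rotation key.
	payload := []byte(`{"kind":"hashedrekord","integratedTime":1712102400}`)
	sig, _ := signEntry(newKey, payload)

	fmt.Println("embedded old key verifies:", verifyWithEmbeddedKey(&oldKey.PublicKey, payload, sig))
	id, _ := logID(&newKey.PublicKey)
	fmt.Println("trust-root lookup error:", verifyWithTrustRoot(logs, id, rotatedAt.Add(24*time.Hour), payload, sig))
}
```

The validity window check matters as much as the lookup: a retired key stays in the trust root so old entries still verify, but it must not be accepted for entries integrated after its end date, and the trust root itself should only be consumed after TUF has verified it, as in the sigstore-go client above.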
