Merge remote-tracking branch 'origin/main' into jl/verify

Signed-off-by: Andrew Pan <[email protected]>

.github/workflows/auto-publish-crates-upon-release.yml

@@ -7,7 +7,7 @@ jobs:
   publish-automatically:
     runs-on: ubuntu-latest
     steps:
-      -  uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      -  uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       -  uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
          with:
            toolchain: stable

.github/workflows/conformance.yml

@@ -6,7 +6,7 @@ jobs:
   conformance:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
         with:
           profile: minimal

.github/workflows/security-audit-cron.yml

@@ -6,7 +6,7 @@ jobs:
   audit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - uses: actions-rs/audit-check@35b7b53b1e25b55642157ac01b4adceb5b9ebef3 # v1.2.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/security-audit-reactive.yml

@@ -8,7 +8,7 @@ jobs:
   security_audit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - uses: actions-rs/audit-check@35b7b53b1e25b55642157ac01b4adceb5b9ebef3 # v1.2.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/tests.yml

@@ -7,7 +7,7 @@ jobs:
     name: Check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
         with:
           profile: minimal
@@ -21,7 +21,7 @@ jobs:
     name: Check WASM
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
         with:
           profile: minimal
@@ -37,7 +37,7 @@ jobs:
     name: Test Suite
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
         with:
           profile: minimal
@@ -52,7 +52,7 @@ jobs:
     name: Rustfmt
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
         with:
           profile: minimal
@@ -68,7 +68,7 @@ jobs:
     name: Clippy
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
         with:
           profile: minimal

Cargo.toml

@@ -1,15 +1,15 @@
 [package]
 name = "sigstore"
 description = "An experimental crate to interact with sigstore"
-version = "0.8.0"
+version = "0.9.0"
 edition = "2021"
 authors = ["sigstore-rs developers"]
 license = "Apache-2.0"
 readme = "README.md"
 repository = "https://github.com/sigstore/sigstore-rs"
 
 [features]
-default = ["full-native-tls", "cached-client", "tuf", "sign", "verify"]
+default = ["full-native-tls", "cached-client", "sigstore-trust-root", "sign", "verify"]
 wasm = ["getrandom/js", "ring/wasm32_unknown_unknown_js"]
 
 full-native-tls = [
@@ -40,7 +40,7 @@ rekor-native-tls = ["reqwest/native-tls", "rekor"]
 rekor-rustls-tls = ["reqwest/rustls-tls", "rekor"]
 rekor = ["reqwest"]
 
-tuf = ["tough", "regex"]
+sigstore-trust-root = ["futures-util", "tough", "regex", "tokio/sync"]
 
 bundle = []
 sign = ["bundle"]
@@ -73,7 +73,7 @@ cached-client = ["cached"]
 
 [dependencies]
 async-trait = "0.1.52"
-base64 = "0.21.0"
+base64 = "0.22.0"
 cached = { version = "0.49.2", optional = true, features = ["async"] }
 cfg-if = "1.0.0"
 chrono = { version = "0.4.27", default-features = false, features = ["serde"] }
@@ -83,8 +83,10 @@ ecdsa = { version = "0.16.7", features = ["pkcs8", "digest", "der", "signing"] }
 ed25519 = { version = "2.2.1", features = ["alloc"] }
 ed25519-dalek = { version = "2.0.0-rc.2", features = ["pkcs8", "rand_core"] }
 elliptic-curve = { version = "0.13.5", features = ["arithmetic", "pem"] }
+futures = "0.3"
+futures-util = { version = "0.3.30", optional = true }
 lazy_static = "1.4.0"
-oci-distribution = { version = "0.10", default-features = false, optional = true }
+oci-distribution = { version = "0.11", default-features = false, optional = true }
 olpc-cjson = "0.1"
 openidconnect = { version = "3.0", default-features = false, features = [
   "reqwest",
@@ -103,7 +105,7 @@ pkcs8 = { version = "0.10.2", features = [
 rand = { version = "0.8.5", features = ["getrandom", "std"] }
 getrandom = "0.2.8"
 regex = { version = "1.5.5", optional = true }
-reqwest = { version = "0.11", default-features = false, features = [
+reqwest = { version = "0.12", default-features = false, features = [
   "json",
   "multipart",
 ], optional = true }
@@ -118,7 +120,7 @@ sigstore_protobuf_specs = "0.3.2"
 thiserror = "1.0.30"
 tokio = { version = "1.17.0", features = ["rt"] }
 tokio-util = { version = "0.7.10", features = ["io-util"] }
-tough = { version = "0.14", features = ["http"], optional = true }
+tough = { version = "0.17.1", features = ["http"], optional = true }
 tracing = "0.1.31"
 url = "2.2.2"
 x509-cert = { version = "0.2.5", features = ["builder", "pem", "std", "sct"] }
@@ -142,6 +144,7 @@ rstest = "0.18.1"
 serial_test = "3.0.0"
 tempfile = "3.3.0"
 testcontainers = "0.15"
+tokio = { version = "1.17.0", features = ["rt", "rt-multi-thread"] }
 tracing-subscriber = { version = "0.3.9", features = ["env-filter"] }
 
 # cosign example mappings

examples/cosign/sign/main.rs

@@ -18,7 +18,6 @@ use sigstore::cosign::constraint::{AnnotationMarker, PrivateKeySigner};
 use sigstore::cosign::{Constraint, CosignCapabilities, SignatureLayer};
 use sigstore::crypto::SigningScheme;
 use sigstore::registry::{Auth, ClientConfig, ClientProtocol, OciReference};
-use std::convert::TryFrom;
 use tracing::{debug, warn};
 use zeroize::Zeroizing;
 

examples/cosign/verify/main.rs

@@ -22,9 +22,7 @@ use sigstore::cosign::{CosignCapabilities, SignatureLayer};
 use sigstore::crypto::SigningScheme;
 use sigstore::errors::SigstoreVerifyConstraintsError;
 use sigstore::registry::{ClientConfig, ClientProtocol, OciReference};
-use sigstore::tuf::SigstoreRepository;
-use std::boxed::Box;
-use std::convert::TryFrom;
+use sigstore::trust::sigstore::SigstoreTrustRoot;
 use std::time::Instant;
 
 extern crate anyhow;
@@ -34,7 +32,6 @@ extern crate clap;
 use clap::Parser;
 
 use std::{collections::HashMap, fs};
-use tokio::task::spawn_blocking;
 
 extern crate tracing_subscriber;
 use tracing::{info, warn};
@@ -110,7 +107,7 @@ struct Cli {
 
 async fn run_app(
     cli: &Cli,
-    frd: &dyn sigstore::tuf::Repository,
+    frd: &dyn sigstore::trust::TrustRoot,
 ) -> anyhow::Result<(Vec<SignatureLayer>, VerificationConstraintVec)> {
     // Note well: this a limitation deliberately introduced by this example.
     if cli.cert_email.is_some() && cli.cert_url.is_some() {
@@ -133,7 +130,7 @@ async fn run_app(
 
     let mut client_builder =
         sigstore::cosign::ClientBuilder::default().with_oci_client_config(oci_client_config);
-    client_builder = client_builder.with_trust_repository(frd)?;
+    client_builder = client_builder.with_trust_repository(frd).await?;
 
     let cert_chain: Option<Vec<sigstore::registry::Certificate>> = match cli.cert_chain.as_ref() {
         None => None,
@@ -187,7 +184,7 @@ async fn run_app(
     }
     if let Some(path_to_cert) = cli.cert.as_ref() {
         let cert = fs::read(path_to_cert).map_err(|e| anyhow!("Cannot read cert: {:?}", e))?;
-        let require_rekor_bundle = if !frd.rekor_keys()?.is_empty() {
+        let require_rekor_bundle = if !frd.rekor_keys().await?.is_empty() {
             true
         } else {
             warn!("certificate based verification is weaker when Rekor integration is disabled");
@@ -228,19 +225,17 @@ async fn run_app(
     Ok((trusted_layers, verification_constraints))
 }
 
-async fn fulcio_and_rekor_data(cli: &Cli) -> anyhow::Result<Box<dyn sigstore::tuf::Repository>> {
+async fn fulcio_and_rekor_data(cli: &Cli) -> anyhow::Result<Box<dyn sigstore::trust::TrustRoot>> {
     if cli.use_sigstore_tuf_data {
-        let repo: sigstore::errors::Result<SigstoreRepository> = spawn_blocking(|| {
-            info!("Downloading data from Sigstore TUF repository");
-            SigstoreRepository::new(None)
-        })
-        .await
-        .map_err(|e| anyhow!("Error spawning blocking task inside of tokio: {}", e))?;
+        info!("Downloading data from Sigstore TUF repository");
+
+        let repo: sigstore::errors::Result<SigstoreTrustRoot> =
+            SigstoreTrustRoot::new(None).await?.prefetch().await;
 
         return Ok(Box::new(repo?));
     };
 
-    let mut data = sigstore::tuf::ManualRepository::default();
+    let mut data = sigstore::trust::ManualTrustRoot::default();
     if let Some(path) = cli.rekor_pub_key.as_ref() {
         data.rekor_key = Some(
             fs::read(path)

src/cosign/client_builder.rs

@@ -21,24 +21,24 @@ use crate::crypto::SigningScheme;
 use crate::crypto::{certificate_pool::CertificatePool, CosignVerificationKey};
 use crate::errors::Result;
 use crate::registry::ClientConfig;
-use crate::tuf::Repository;
+use crate::trust::TrustRoot;
 
 /// A builder that generates Client objects.
 ///
 /// ## Rekor integration
 ///
 /// Rekor integration can be enabled by specifying Rekor's public key.
-/// This can be provided via a [`crate::tuf::ManualRepository`].
+/// This can be provided via a [`crate::sigstore::ManualTrustRoot`].
 ///
-/// > Note well: the [`tuf`](crate::tuf) module provides helper structs and methods
+/// > Note well: the [`sigstore`](crate::sigstore) module provides helper structs and methods
 /// > to obtain this data from the official TUF repository of the Sigstore project.
 ///
 /// ## Fulcio integration
 ///
 /// Fulcio integration can be enabled by specifying Fulcio's certificate.
-/// This can be provided via a [`crate::tuf::ManualRepository`].
+/// This can be provided via a [`crate::sigstore::ManualTrustRoot`].
 ///
-/// > Note well: the [`tuf`](crate::tuf) module provides helper structs and methods
+/// > Note well: the [`sigstore`](crate::sigstore) module provides helper structs and methods
 /// > to obtain this data from the official TUF repository of the Sigstore project.
 ///
 /// ## Registry caching
@@ -71,8 +71,8 @@ impl<'a> ClientBuilder<'a> {
     /// Optional - Configures the roots of trust.
     ///
     /// Enables Fulcio and Rekor integration with the given trust repository.
-    /// See [crate::tuf::Repository] for more details on trust repositories.
-    pub fn with_trust_repository<R: Repository + ?Sized>(mut self, repo: &'a R) -> Result<Self> {
+    /// See [crate::sigstore::TrustRoot] for more details on trust repositories.
+    pub fn with_trust_repository<R: TrustRoot>(mut self, repo: &'a R) -> Result<Self> {
         let rekor_keys = repo.rekor_keys()?;
         if !rekor_keys.is_empty() {
             self.rekor_pub_key = Some(rekor_keys[0]);

src/cosign/mod.rs

@@ -48,7 +48,6 @@ use crate::crypto::{CosignVerificationKey, Signature};
 use crate::errors::SigstoreError;
 use base64::{engine::general_purpose::STANDARD as BASE64_STD_ENGINE, Engine as _};
 use pkcs8::der::Decode;
-use std::convert::TryFrom;
 use x509_cert::Certificate;
 
 pub mod bundle;
@@ -102,12 +101,12 @@ pub trait CosignCapabilities {
     /// must be satisfied:
     ///
     /// * The [`sigstore::cosign::Client`](crate::cosign::client::Client) must
-    ///   have been created with Rekor integration enabled (see [`crate::tuf::ManualRepository`])
+    ///   have been created with Rekor integration enabled (see [`crate::sigstore::ManualTrustRoot`])
     /// * The [`sigstore::cosign::Client`](crate::cosign::client::Client) must
-    ///   have been created with Fulcio integration enabled (see [`crate::tuf::ManualRepository])
+    ///   have been created with Fulcio integration enabled (see [`crate::sigstore::ManualTrustRoot])
     /// * The layer must include a bundle produced by Rekor
     ///
-    /// > Note well: the [`tuf`](crate::tuf) module provides helper structs and methods
+    /// > Note well: the [`sigstore`](crate::sigstore) module provides helper structs and methods
     /// > to obtain this data from the official TUF repository of the Sigstore project.
     ///
     /// When the embedded certificate cannot be verified, [`SignatureLayer::certificate_signature`]
@@ -284,7 +283,6 @@ where
 #[cfg(test)]
 mod tests {
     use serde_json::json;
-    use std::collections::HashMap;
     use webpki::types::CertificateDer;
 
     use super::constraint::{AnnotationMarker, PrivateKeySigner};
@@ -296,7 +294,7 @@ mod tests {
         AnnotationVerifier, CertSubjectEmailVerifier, VerificationConstraintVec,
     };
     use crate::crypto::certificate_pool::CertificatePool;
-    use crate::crypto::{CosignVerificationKey, SigningScheme};
+    use crate::crypto::SigningScheme;
 
     #[cfg(feature = "test-registry")]
     use testcontainers::{clients, core::WaitFor};

src/cosign/signature_layers.rs

@@ -17,7 +17,6 @@ use const_oid::ObjectIdentifier;
 use digest::Digest;
 use oci_distribution::client::ImageLayer;
 use serde::Serialize;
-use std::convert::TryFrom;
 use std::{collections::HashMap, fmt};
 use tracing::{debug, info, warn};
 use x509_cert::der::DecodePem;
@@ -550,8 +549,6 @@ pub(crate) mod tests {
     use super::*;
     use openssl::x509::X509;
     use serde_json::json;
-    use std::collections::HashMap;
-    use std::convert::TryFrom;
 
     use crate::cosign::tests::{get_fulcio_cert_pool, get_rekor_public_key};
 
@@ -876,7 +873,7 @@ JsB89BPhZYch0U0hKANx5TY+ncrm0s8bfJxxHoenAEFhwhuXeb4PqIrtoQ==
     use crate::cosign::bundle::Payload;
     use crate::crypto::tests::{generate_certificate, CertGenerationOptions};
     use crate::crypto::SigningScheme;
-    use chrono::{Duration, Utc};
+    use chrono::{TimeDelta, Utc};
 
     impl TryFrom<X509> for crate::registry::Certificate {
         type Error = anyhow::Error;
@@ -908,7 +905,9 @@ JsB89BPhZYch0U0hKANx5TY+ncrm0s8bfJxxHoenAEFhwhuXeb4PqIrtoQ==
             .try_into()?];
         let cert_pool = CertificatePool::from_certificates(certs, []).unwrap();
 
-        let integrated_time = Utc::now().checked_sub_signed(Duration::minutes(1)).unwrap();
+        let integrated_time = Utc::now()
+            .checked_sub_signed(TimeDelta::try_minutes(1).unwrap())
+            .unwrap();
         let bundle = Bundle {
             signed_entry_timestamp: "not relevant".to_string(),
             payload: Payload {
@@ -957,7 +956,9 @@ JsB89BPhZYch0U0hKANx5TY+ncrm0s8bfJxxHoenAEFhwhuXeb4PqIrtoQ==
             .try_into()?];
         let cert_pool = CertificatePool::from_certificates(certs, []).unwrap();
 
-        let integrated_time = Utc::now().checked_sub_signed(Duration::minutes(1)).unwrap();
+        let integrated_time = Utc::now()
+            .checked_sub_signed(TimeDelta::try_minutes(1).unwrap())
+            .unwrap();
         let bundle = Bundle {
             signed_entry_timestamp: "not relevant".to_string(),
             payload: Payload {
@@ -1005,7 +1006,9 @@ JsB89BPhZYch0U0hKANx5TY+ncrm0s8bfJxxHoenAEFhwhuXeb4PqIrtoQ==
             .try_into()?];
         let cert_pool = CertificatePool::from_certificates(certs, []).unwrap();
 
-        let integrated_time = Utc::now().checked_sub_signed(Duration::minutes(1)).unwrap();
+        let integrated_time = Utc::now()
+            .checked_sub_signed(TimeDelta::try_minutes(1).unwrap())
+            .unwrap();
         let bundle = Bundle {
             signed_entry_timestamp: "not relevant".to_string(),
             payload: Payload {

src/cosign/verification_constraint/cert_subject_email_verifier.rs

@@ -126,7 +126,6 @@ mod tests {
         build_correct_signature_layer_with_certificate,
         build_correct_signature_layer_without_bundle,
     };
-    use crate::cosign::signature_layers::CertificateSubject;
     use crate::cosign::verification_constraint::CertSubjectUrlVerifier;
 
     #[test]

src/cosign/verification_constraint/cert_subject_url_verifier.rs

@@ -74,7 +74,6 @@ mod tests {
         build_correct_signature_layer_with_certificate,
         build_correct_signature_layer_without_bundle,
     };
-    use crate::cosign::signature_layers::CertificateSubject;
     use crate::cosign::verification_constraint::CertSubjectEmailVerifier;
 
     #[test]