diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml
index f2c0857..92aa77f 100644
--- a/.github/workflows/workflow.yaml
+++ b/.github/workflows/workflow.yaml
@@ -115,6 +115,9 @@ jobs:
 helm install attest-provider charts/attest-provider \
 --set provider.tls.caBundle="$(cat certs/ca.crt | base64 | tr -d '\n\r')" \
 --set image="docker/attest-provider:dev" \
+ --set tufRoot=staging \
+ --set tufMetadataSource=https://docker.github.io/tuf-staging/metadata \
+ --set tufTargetsSource=https://docker.github.io/tuf-staging/targets \
 --namespace security \
 --wait --debug
diff --git a/charts/attest-provider/values.yaml b/charts/attest-provider/values.yaml
index 1ea3672..cc607f6 100644
--- a/charts/attest-provider/values.yaml
+++ b/charts/attest-provider/values.yaml
@@ -5,13 +5,18 @@ clientCAFile: /tmp/gatekeeper/ca.crt
 port: 8090
 replicas: 1
-# uncomment these lines to use the dev TUF root
+# uncomment these lines to use other TUF root environments
 # tufRoot: dev
 # tufMetadataSource: https://docker.github.io/tuf-dev/metadata
 # tufTargetsSource: https://docker.github.io/tuf-dev/targets
+#
+# tufRoot: staging
+# tufMetadataSource: registry-1.docker.io/docker/tuf-metadata-staging
+# tufTargetsSource: registry-1.docker.io/docker/tuf-targets-staging
-tufMetadataSource: https://docker.github.io/tuf-staging/metadata
-tufTargetsSource: https://docker.github.io/tuf-staging/targets
+tufRoot: prod
+tufMetadataSource: registry-1.docker.io/docker/tuf-metadata
+tufTargetsSource: registry-1.docker.io/docker/tuf-targets
 attestationStyle: referrers
diff --git a/internal/embed/embedded-roots/1.root.json b/internal/embed/embedded-roots/1.root.json
new file mode 100644
index 0000000..0b98a6b
--- /dev/null
+++ b/internal/embed/embedded-roots/1.root.json
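Review bot: The helm install in this hunk pins `tufRoot=staging` together with the `docker.github.io/tuf-staging` sources, so the new chart defaults (`tufRoot: prod` backed by `registry-1.docker.io/docker/tuf-metadata` and `.../tuf-targets`) are never exercised by this workflow, and nothing says whether that is intended. A one-line comment above the `helm install`, such as `# CI verifies against the staging TUF repository; the chart default is the production root with registry-hosted sources`, would make the choice explicit. The staging sources here are the github.io URLs while the commented staging example in values.yaml uses registry references; if the two forms are interchangeable, say so where the values are documented, otherwise pick one so the files do not drift.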
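Review bot: `tufRoot`, `tufMetadataSource` and `tufTargetsSource` are three independent keys, but only matching combinations are usable — metadata fetched from one environment's source is not verifiable against another environment's embedded root — and the comment above the dev block does not say they must move together. Suggest `# tufRoot selects the embedded trust anchor; tufMetadataSource and tufTargetsSource must point at the repository that root signs. Change all three together.` in place of the current comment. The new prod sources are bare registry references without a scheme, which presumably relies on the `source (URL or repo)` handling described by the flags in main.go; a short note that this form is accepted would stop someone "fixing" it to an https URL.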
@@ -0,0 +1,152 @@ +{ + "signatures": [ + { + "keyid": "08d6f4ca1d0be93a6ceddca15051c0aeec6b98c73e29f3a714de301042d6eeee", + "sig": "306502307ddba543fbd1b9e2ccbee604349024e62bbb1a37906bbd5605a7403fbdb51b701b52f5fcd1b0a0ebfaeef97fa9c344f8023100c37ab675fe96b3976469a5e0cc8a5ffb5d8d6de15020f493d7cf28b0c7e60f450b65c02bfbac0e40642863a1ae3bfa4a" + }, + { + "keyid": "3ebd40525193d7628d0b9eccd4771df7297bc87519ec6f312863bb4470966bea", + "sig": "3065023100bc963925fb139dd65653b5e9640572876c5bcd0a3f8bb81e4b0cbd397c10ec4fa0aed7942d77ec78b865e14c72e20e76023043ce7ff39067f054d6d2eaca5dd5176b2c25e27bd763b4ef873aaf4c75762bfb085bb766613692b68206ea0df2863426" + }, + { + "keyid": "9c8e1be7d8d0e30656adc81ac201e05cb47a5a097d4d301fd121b77c320231c4", + "sig": "306502307e82d7bc0c66074b06cfc13bac3761c8f677eef252c08448eb33c0249569500e8be2a1ae78c87b5888ed80d088f97fbb023100c358c6ebe18d237bae9a9daeaf2db82297cda8eca635fc22719142740fb23b32eac0341754dd2a85b684c46e3a087ada" + }, + { + "keyid": "373d0a38247919a78cf400cf9a90abb9aa23a3c3dce1deee995fdd6a81507117", + "sig": "306402305d9b5fdf3b24240b266a7ae7e02bbcadce8e06f8c111dcef03282faa0baaffb8114653cecda3da115d7859f657508d4f02304b5939fc4404f9e1e8b9d3eb49e195a779b501bd4000cef6cff7a8e657020176dae99cce2a7300b88e549d427278309c" + }, + { + "keyid": "48a873aa6c4189804228590af4d48ee5ad3b76417592efdbcef2532401925669", + "sig": "306402306bc5f44621c0d6e18ce16155ebc7890def8fb283859175f7a8425190f0f233e4270b2688df05b017cfc852dee30f9f5b023016572d059d6f27968976df2aaff8238ee0970cea229e5ef30350f2c91347b04e794683da69cf6afe6cf9206dcebc81f4" + } + ], + "signed": { + "_type": "root", + "consistent_snapshot": true, + "expires": "2025-06-04T15:05:22Z", + "keys": { + "08d6f4ca1d0be93a6ceddca15051c0aeec6b98c73e29f3a714de301042d6eeee": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC 
KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEC4ggHc/D9koyS1/AMNsMGiydM2jDzdsI\nrkC/nyZf8d4UtYJJRxuFRfmyKw9Mh0Ulw/IIyf8ZW2NsnkHgJwGre9/Ici6uomOX\n8yAOlX0Du/oAa7v4igCG7tsW0Z1ljAID\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp384", + "x-tuf-on-ci-keyowner": "@jeanlaurent" + }, + "2ff207ae7d7b595ef69589622067ef5b6668e1a43081377d942ed8749fa919b4": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE5pyJ/RXlRO/a2WBSAprikm+VVPqZGC1M\nqgVXE3avwqb9d9lPc9Cphfd4CIAzPCKgeUkGMzQWcC1OwVjOwiB+GRq2Owf7T8pa\nKUe/zRoLjAlUnzUITHP226L1DmQ6Swos\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp384", + "x-tuf-on-ci-keyowner": "@kipz" + }, + "373d0a38247919a78cf400cf9a90abb9aa23a3c3dce1deee995fdd6a81507117": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAER2zST05lNvybLsSe4UA/hiUrJbA6aFyz\nDimwewwbHvw+gt29EHYtHPqTlO/hSZD5vqZ94Cga9rDsOm3eI5bPkPHApUjw4W7u\n5lDnxuuFKluQ7EiUbswUN0ONTPnmY7Wo\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp384", + "x-tuf-on-ci-keyowner": "@binman-docker" + }, + "3ebd40525193d7628d0b9eccd4771df7297bc87519ec6f312863bb4470966bea": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE9C53JKQtD1RYLiSwmR4XRhI7jf28W9TK\nhV3aXW0Z87JyJ4wGNOFnGRE6PuEh7Bbu4ecH0PpsEoirWzzRIgBMR3yHVCSkFBDu\nqfycsInCTAS1jvzLiDHciKXENxAWARHj\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp384", + "x-tuf-on-ci-keyowner": "@ingshtrom" + }, + "48a873aa6c4189804228590af4d48ee5ad3b76417592efdbcef2532401925669": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEpQrE8o+fz6kBrs3TD6zqcDPwRZf3FxOX\n+SiT0k3SL1JHsMbxwFAKq+wJzqpqbhzFySuO1VVT93xNDd/rmjEU6HSY7wvT0m/l\nZ0S7yIwl3UnlplzKUYg/8wWJM0C2Qdpj\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp384", + "x-tuf-on-ci-keyowner": "@cdupuis" + }, + 
"6132f1f2dd14bf3e9ba1a8df4c8435a77d2fd57f4a99bbb699ae61f85907818e": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEkFPn3WTH/xVIEFhdP/TCqtnuiOqdgb/v\nEIBjng1TBCVmr7NnW4y4bdZG4Tf9OVTSqlJzuUFThJT/JQR3M7xEzW9WJqUfBTS1\nUuF980elHtMpRkS3NtRp/T0IrkH7+COa\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp384", + "x-tuf-on-ci-keyowner": "@jonnystoten" + }, + "9c8e1be7d8d0e30656adc81ac201e05cb47a5a097d4d301fd121b77c320231c4": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEWDreR+iXRtTStv5zmCLGoSmvvfV9/agY\nkx4O1XpRinBwAAA/IO4MI+YCoY0EQpKlSxl0DoVe6hmiXq2ezjTbebGDO66+fTZH\nkrr4KiCsZ8QcdPAR2cUvXkgyBp0WtYYS\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp384", + "x-tuf-on-ci-keyowner": "@rachel-taylor-docker" + }, + "aef160e03958d5346c903dda755c07e952127ef523df5ec33bd9b24d41fe1cf4": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5gH1kg/MZeiF/GO222hxMerv7MBC\nn91IJG8BbYWKmqZm2za+/QDyrMZExTguYlutu77jZqbkRZEFb/LbL4Ntuw==\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp256", + "x-tuf-on-ci-online-uri": "awskms:arn:aws:kms:us-east-1:654654578585:key/751429f1-0aea-4bd8-b450-bb1bce6b058f" + }, + "cda750ab29ce33e19ad2fdee4204ad0190b0a33f79e1c5c18a38992d576143d7": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYTPARe9DPvvVVf7ch5fTVWXtS9FS97lh\nyZr3Pk33qRprnVB9u7BaEzvQtTYycPO7cmYW5yTOC5ZZa9p2B/v15bOK4NTU0WTT\nXTwSgKmJDh8CD/PBp386S8cwyyIp7NiR\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp384", + "x-tuf-on-ci-keyowner": "@whalelines" + }, + "f2149d8b7c1ece56d87d81f27fa68b745efc841892b3acfa382ad7f611e612ec": { + "keytype": "ecdsa", + "keyval": { + "public": "-----BEGIN PUBLIC 
KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEtWRLfl1pLhd5pn4gOmiCQwxE68U0+mIl\n1sU9ugeUz2aCZ9GcTjDNFE/7ZOat74ajeaFi9zmdeCi3UTYioLXNOXfbN6mxM9iQ\nGG3Z5OWYsZpeAv+5jhly2JeWUhFTuJpd\n-----END PUBLIC KEY-----\n" + }, + "scheme": "ecdsa-sha2-nistp384", + "x-tuf-on-ci-keyowner": "@mrjoelkamp" + } + }, + "roles": { + "root": { + "keyids": [ + "08d6f4ca1d0be93a6ceddca15051c0aeec6b98c73e29f3a714de301042d6eeee", + "3ebd40525193d7628d0b9eccd4771df7297bc87519ec6f312863bb4470966bea", + "9c8e1be7d8d0e30656adc81ac201e05cb47a5a097d4d301fd121b77c320231c4", + "373d0a38247919a78cf400cf9a90abb9aa23a3c3dce1deee995fdd6a81507117", + "48a873aa6c4189804228590af4d48ee5ad3b76417592efdbcef2532401925669" + ], + "threshold": 3 + }, + "snapshot": { + "keyids": [ + "aef160e03958d5346c903dda755c07e952127ef523df5ec33bd9b24d41fe1cf4" + ], + "threshold": 1, + "x-tuf-on-ci-expiry-period": 365, + "x-tuf-on-ci-signing-period": 60 + }, + "targets": { + "keyids": [ + "f2149d8b7c1ece56d87d81f27fa68b745efc841892b3acfa382ad7f611e612ec", + "2ff207ae7d7b595ef69589622067ef5b6668e1a43081377d942ed8749fa919b4", + "6132f1f2dd14bf3e9ba1a8df4c8435a77d2fd57f4a99bbb699ae61f85907818e", + "cda750ab29ce33e19ad2fdee4204ad0190b0a33f79e1c5c18a38992d576143d7" + ], + "threshold": 2 + }, + "timestamp": { + "keyids": [ + "aef160e03958d5346c903dda755c07e952127ef523df5ec33bd9b24d41fe1cf4" + ], + "threshold": 1, + "x-tuf-on-ci-expiry-period": 2, + "x-tuf-on-ci-signing-period": 1 + } + }, + "spec_version": "1.0.31", + "version": 1, + "x-tuf-on-ci-expiry-period": 365, + "x-tuf-on-ci-signing-period": 60 + } +} \ No newline at end of file diff --git a/internal/embed/root.go b/internal/embed/root.go index 67259ab..ae9f0d6 100644 --- a/internal/embed/root.go +++ b/internal/embed/root.go @@ -10,4 +10,7 @@ var DevRoot []byte //go:embed embedded-roots/1.root-staging.json var StagingRoot []byte -var DefaultRoot = StagingRoot +//go:embed embedded-roots/1.root.json +var ProdRoot []byte + +var DefaultRoot = ProdRoot 
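Review bot: `ProdRoot` and the reassigned `DefaultRoot` are exported with no doc comment, and the new file name `1.root.json` breaks the `1.root-<env>.json` pattern used by `1.root-staging.json`, so nothing tells a reader that this is the production trust anchor. Suggest naming the file `1.root-prod.json` to match and adding `// ProdRoot is version 1 of the production TUF root, the trust anchor a client starts from before refreshing root metadata from the configured source.` and `// DefaultRoot is used when no environment is selected; it currently points at ProdRoot.` The embedded file carries `"expires": "2025-06-04T15:05:22Z"`; a comment stating whether the client refreshes root metadata before honouring that expiry, and therefore whether a rebuild is needed before that date, would save an operator from guessing — I cannot confirm the client's behaviour from this page. The top of root.go is outside the hunk.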
diff --git a/main.go b/main.go
index 50cafaa..2d13c5f 100644
--- a/main.go
+++ b/main.go
@@ -62,13 +62,8 @@ func init() {
 flag.StringVar(&certDir, "cert-dir", "", "path to directory containing TLS certificates")
 flag.StringVar(&clientCAFile, "client-ca-file", "", "path to client CA certificate")
 flag.IntVar(&port, "port", defaultPort, "Port for the server to listen on")
- flag.StringVar(&tufRoot, "tuf-root", "staging", "specify embedded tuf root [dev, staging], default [staging]")
-
- if tufRoot != "dev" && tufRoot != "staging" {
- klog.Errorf("invalid tuf root: %s", tufRoot)
- os.Exit(1)
- }
+ flag.StringVar(&tufRoot, "tuf-root", "prod", "specify embedded tuf root [dev, staging, prod], default [prod]")
 flag.StringVar(&metadataURL, "tuf-metadata-source", defaultMetadataURL, "source (URL or repo) for TUF metadata")
 flag.StringVar(&targetsURL, "tuf-targets-source", defaultTargetsURL, "source (URL or repo) for TUF targets")
 flag.StringVar(&tufoutputPath, "tuf-output-path", defaultTUFOutputPath, "local dir to store TUF repo metadata")
diff --git a/pkg/handler/validate.go b/pkg/handler/validate.go
index ac886e9..d3ffef4 100644
--- a/pkg/handler/validate.go
+++ b/pkg/handler/validate.go
@@ -66,6 +66,10 @@ func (h *validateHandler) createTUFClient() (*tuf.TufClient, error) {
 rootBytes = embed.DevRoot
 case "staging":
 rootBytes = embed.StagingRoot
+ case "prod":
+ rootBytes = embed.ProdRoot
+ case "":
+ rootBytes = embed.DefaultRoot
 default:
 return nil, fmt.Errorf("invalid tuf root: %s", h.opts.TUFRoot)
 }
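Review bot: With the check removed, nothing in `init()` (which continues outside the hunk) or, as far as this page shows, after `flag.Parse()` validates `-tuf-root`, so an unsupported value is now reported only when `createTUFClient` runs in validate.go — on the first admission request rather than at startup. The removed block ran before `flag.Parse()` and never saw the user's value, so dropping it is right, but the fast-fail belongs after parsing in `main`, e.g. `switch tufRoot { case "dev", "staging", "prod": default: klog.Errorf("invalid tuf root: %s", tufRoot); os.Exit(1) }`. The help string repeats the default that the flag package already prints; `"embedded TUF root to trust: dev, staging or prod"` is enough.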
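Review bot: The new `case "":` maps an unset `TUFRoot` to `embed.DefaultRoot`, which this commit also repoints at the production root, so an options struct built without a root now silently trusts the prod anchor; the case needs a comment saying so, e.g. `// "" means no root was chosen (only reachable when opts bypass the -tuf-root flag, whose default is "prod"); use the build default, currently ProdRoot.` Which root anchors verification is worth recording rather than inferring later — one log line naming the selected root when the client is created would make a mismatch such as the prod root paired with a staging source easy to spot during incident review; I cannot tell from the hunk whether a logger is in scope in this file. The enclosing `createTUFClient` starts and ends outside the hunk.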