`policy.Options` now contains the arguments to `tuf.Client`'s constructor rather than an actual Client. If these arguments are not provided, defaults pointing at Docker's TUF repo will be used. An actual TUF client can be passed in on the context (which is useful for testing). If this is not provided `attest.Verify` will create a TUF client using the options on `policy.Options`. --------- Co-authored-by: Joel Kamp <joel.kamp@docker.com>
42 lines
1.0 KiB
Go
42 lines
1.0 KiB
Go
package tuf_test
|
|
|
|
import (
|
|
"os"
|
|
"path/filepath"
|
|
|
|
"github.com/docker/attest/pkg/tuf"
|
|
"github.com/theupdateframework/go-tuf/v2/metadata"
|
|
)
|
|
|
|
func ExampleNewClient_registry() {
|
|
// create a tuf client
|
|
home, err := os.UserHomeDir()
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
tufOutputPath := filepath.Join(home, ".docker", "tuf")
|
|
|
|
// using oci tuf metadata and targets
|
|
metadataURI := "registry-1.docker.io/docker/tuf-metadata:latest"
|
|
targetsURI := "registry-1.docker.io/docker/tuf-targets"
|
|
|
|
registryClient, err := tuf.NewClient(&tuf.ClientOptions{tuf.DockerTUFRootStaging.Data, tufOutputPath, metadataURI, targetsURI, tuf.NewMockVersionChecker()})
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
// get trusted tuf metadata
|
|
trustedMetadata := registryClient.GetMetadata()
|
|
|
|
// top-level target files
|
|
targets := trustedMetadata.Targets[metadata.TARGETS].Signed.Targets
|
|
|
|
for _, t := range targets {
|
|
// download target files
|
|
_, err := registryClient.DownloadTarget(t.Path, filepath.Join(tufOutputPath, "download"))
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
}
|
|
}
|