Cache the location of the remote repository when running cosign initialize #1315
Conversation
Signed-off-by: Asra Ali <[email protected]> Signed-off-by: Asra Ali <[email protected]>
Signed-off-by: Asra Ali <[email protected]>
Signed-off-by: Asra Ali <[email protected]>
Signed-off-by: Asra Ali <[email protected]>
|
addressed the JSON comment and added a test! @haydentherapper |
| // RemoteCache contains information to cache on the location of the remote | ||
| // repository. | ||
| type remoteCache struct { | ||
| Mirror string `json:"mirror"` |
There was a problem hiding this comment.
To avoid exporting, should we use lowercase mirror? Since remoteCache isn't exported, we shouldn't need to export the struct variable
There was a problem hiding this comment.
If it's not exported json won't serialize it :/
There was a problem hiding this comment.
Ah that's unfortunate, oh well
pkg/cosign/tuf/client_test.go
Outdated
| updateTufRepo(t, td, r, "foo1") | ||
|
|
||
| // Force expiration on the first timestamp. | ||
| expCleanup = forceExpirationVersion(1, false) |
There was a problem hiding this comment.
To clarify, why do we need to force the expiration again for version 1, after it's been done on line 180?
There was a problem hiding this comment.
There's two places where we're forcing verification to fail -- once in cosign when we check specifically for the timestamp, and once internally in go-tuf. The first call disables both so that internal go-tuf actually fails when calling Update() (otherwise NewFromEnv will enventually pass -- fails on our check, then passes with the Update).
In the second call, we want to make cosign think it needs to fetch an update because the timestamp v1 is expired, but let Update fetch all the latest data from remote without forcing failure.
AS I WRITE THIS: I realize I should just split this up to to only cleanup the internal go-tuf force failure. Thanks :)
Signed-off-by: Asra Ali <[email protected]>
…alize (sigstore#1315) * store remote Signed-off-by: Asra Ali <[email protected]> Signed-off-by: Asra Ali <[email protected]> * add test Signed-off-by: Asra Ali <[email protected]> * use json struct for cached remote info Signed-off-by: Asra Ali <[email protected]> * update lint Signed-off-by: Asra Ali <[email protected]> * update Signed-off-by: Asra Ali <[email protected]>
Signed-off-by: Asra Ali [email protected]
Summary
Caches the remote repository location so that updates will pull from the cached remote instead of defaulting to the sigstore GCS bucket. This allows clients to automatically pull updates from their custom root when their root is expired and avoids a local/remote mismatch.
Ticket Link
This fixes #1289 per @rgerganov and #1293
Release Note