
Transition to the newest version of TUF #561

Open
wants to merge 93 commits into master from feature/tuf-repositoty

Conversation

@renatav (Collaborator) commented Oct 29, 2024

Description (e.g. "Related to ...", etc.)

Closes #274

Also implemented/addressed:
Closes #501
Closes #555
Closes #560

Code review checklist (for code reviewer to complete)

  • Pull request represents a single change (i.e. not fixing disparate/unrelated things in a single PR)
  • Title summarizes what is changing
  • Commit messages are meaningful (see this for details)
  • Tests have been included and/or updated, as appropriate
  • Docstrings have been included and/or updated, as appropriate
  • Changelog has been updated, as needed (see CHANGELOG.md)

lukpueh and others added 30 commits August 28, 2024 12:06
Remove unused pyopenssl

Signed-off-by: Lukas Puehringer <[email protected]>
Implements basic primitives, defined by the python-tuf Repository
abstraction, to read and edit metadata on disk, handling version and
expiry bumps, and signature creation, and facilitating snapshot and
timestamp creation.

And adds exemplary API methods that use these primitives while
preserving consistent repo states:
- create
- add_target_files
- add_keys

Can be tested with:
```
PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 pytest --noconftest taf/tests/tuf/
```

More detailed usage docs + migration path TBD...

Signed-off-by: Lukas Puehringer <[email protected]>
The original design aimed at separating the concepts of delegation
(adding public keys) and signing (using private keys).

Since the MetadataRepository assumes that metadata can be signed
right away after edit (e.g. after having added a delegation), which in
turn requires private keys to be available, we might as well conflate
these two concepts.

The advantage is that the signer cache does not have to be managed
independently and is more likely to stay in sync with the delegations.

Signed-off-by: Lukas Puehringer <[email protected]>
This should really happen upstream (see linked issue)

Signed-off-by: Lukas Puehringer <[email protected]>
YkSigner provides a minimal compatibility layer over `taf.yubikey`
module functions for use with MetadataRepository.

Even though a yubikey signer implementation (HSMSigner) based on
pykcs11 is available in securesystemslib, YkSigner was added for the
following reasons:

- TAF requires rsa support for yubikeys, but HSMSigner only supports
  ecdsa. Adding rsa support to HSMSigner, or providing a custom
  pykcs11-based RSAHSMSigner is feasible, and seems desirable, but
  requires more effort than this YkSigner did.

- TAF provides a few additional features, like setting up a Yubikey,
  changing pins, etc., which will not be added to securesystemslib.
  This means the current Yubikey infrastructure based on yubikey-manager
  needs to be preserved for the time being. Thus it made sense to
  re-use the existing implementation for YkSigner.

- YkSigner show-cases the new Signer API and might be used as blueprint
  for future Signer implementations in TAF.

This commit adds basic tests with fake and real Yubikey:

```
REAL_YK=1 PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 \
    pytest --noconftest  taf/tests/tuf/ taf/tests/tuf/test_yk.py -s
```

Signed-off-by: Lukas Puehringer <[email protected]>
This allows running previously added YkSigner tests, but breaks
other things, which need change anyway in the course of upgrading to
latest tuf/securesystemslib.

Signed-off-by: Lukas Puehringer <[email protected]>
Add alternative TUF metadata repo implementation (WIP)
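The primitives the commit messages above describe (edit a role's metadata, bump its version and expiry, sign it, then rebuild snapshot and timestamp so the repository state stays consistent, with the signer cache changed in the same step as the delegation) as an added, stdlib-only Python example. This is not TAF's or python-tuf's code: the names `MetadataRepository`, `edit`/`close`, `create`, `add_keys`, `add_target_files`, `do_snapshot` and `do_timestamp` mirror the names used in the messages but the in-memory implementation is hypothetical; `HmacSigner` stands in for a real Signer (HMAC instead of asymmetric keys, which is why verification reuses the cached signer); and the expiry policy, secrets, clock value and target file are all constructed for the example.

```python
import hashlib
import hmac
import json
from contextlib import contextmanager
from datetime import datetime, timedelta, timezone

ROLES = ("root", "targets", "snapshot", "timestamp")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
SAMPLE_EXPIRY = {"root": 365, "targets": 90, "snapshot": 7, "timestamp": 1}  # constructed policy, in days

class HmacSigner:
    """Stand-in Signer: sign(payload) -> signature dict. Assumption: HMAC replaces asymmetric keys."""
    def __init__(self, secret):
        self._secret = secret
        self.keyid = hashlib.sha256(secret).hexdigest()[:16]
    def sign(self, payload):
        return {"keyid": self.keyid, "sig": hmac.new(self._secret, payload, hashlib.sha256).hexdigest()}

def canonical(signed):
    """Deterministic encoding so signer and verifier hash exactly the same bytes."""
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()

def digest(data):
    return {"length": len(data), "hashes": {"sha256": hashlib.sha256(data).hexdigest()}}

class MetadataRepository:
    """edit/close role metadata with version and expiry bumps, sign with the role's cached signers,
    and rebuild snapshot then timestamp after every targets change so the repo stays consistent."""
    def __init__(self, expiry_days=SAMPLE_EXPIRY, now=None):
        self._expiry = expiry_days
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._store = {}                        # role -> {"signed": ..., "signatures": [...]}
        self._signers = {r: [] for r in ROLES}  # signer cache, changed together with root

    @contextmanager
    def edit(self, role):
        # Working copy of the current signed portion (or a version-0 stub for a new role).
        signed = json.loads(json.dumps(self._store.get(role, {"signed": {"version": 0}})["signed"]))
        yield signed
        self.close(role, signed)

    def close(self, role, signed):
        # Bump version and expiry, then sign the canonical bytes with every cached signer.
        signed["version"] += 1
        signed["expires"] = (self._now() + timedelta(days=self._expiry[role])).strftime(TIME_FMT)
        payload = canonical(signed)
        self._store[role] = {"signed": signed, "signatures": [s.sign(payload) for s in self._signers[role]]}

    def create(self, signers):
        # Initialise all four roles; `signers` maps each role to its signer.
        self._signers = {r: [signers[r]] for r in ROLES}
        with self.edit("root") as root:
            root["roles"] = {r: {"keyids": [signers[r].keyid], "threshold": 1} for r in ROLES}
        self.add_target_files({})  # empty targets, then snapshot and timestamp

    def add_keys(self, role, signer):
        """Delegation and signing in one step: root's keyids and the signer cache change together."""
        self._signers[role].append(signer)
        with self.edit("root") as root:
            root["roles"][role]["keyids"].append(signer.keyid)

    def add_target_files(self, files):
        with self.edit("targets") as targets:
            targets.setdefault("targets", {}).update({name: digest(data) for name, data in files.items()})
        self.do_snapshot()
        self.do_timestamp()

    def do_snapshot(self):
        with self.edit("snapshot") as snapshot:
            snapshot["meta"] = {"targets.json": {"version": self.version("targets")}}

    def do_timestamp(self):
        with self.edit("timestamp") as timestamp:
            timestamp["meta"] = {"snapshot.json": {"version": self.version("snapshot"),
                                                   **digest(canonical(self._store["snapshot"]))}}

    def version(self, role):
        return self._store[role]["signed"]["version"]

    def verify(self, role):
        """Threshold of valid signatures from the keys root lists for the role, and not expired."""
        md, allowed = self._store[role], self._store["root"]["signed"]["roles"][role]
        payload, by_id = canonical(md["signed"]), {s.keyid: s for s in self._signers[role]}
        good = {s["keyid"] for s in md["signatures"] if s["keyid"] in allowed["keyids"]
                and hmac.compare_digest(by_id[s["keyid"]].sign(payload)["sig"], s["sig"])}
        expires = datetime.strptime(md["signed"]["expires"], TIME_FMT).replace(tzinfo=timezone.utc)
        return len(good) >= allowed["threshold"] and self._now() < expires

    def is_consistent(self):
        # snapshot must name the current targets version, timestamp the current snapshot version.
        return (self._store["snapshot"]["signed"]["meta"]["targets.json"]["version"] == self.version("targets")
                and self._store["timestamp"]["signed"]["meta"]["snapshot.json"]["version"] == self.version("snapshot"))

def demo():
    # create -> add_keys -> add_target_files under a controllable clock; every input is constructed.
    clock = {"now": datetime(2024, 11, 30, tzinfo=timezone.utc)}
    repo = MetadataRepository(now=lambda: clock["now"])
    repo.create({r: HmacSigner(f"demo-secret-{r}".encode()) for r in ROLES})
    repo.add_keys("targets", HmacSigner(b"demo-second-targets-secret"))
    repo.add_target_files({"file1.txt": b"hello"})
    fresh = repo.verify("timestamp")
    clock["now"] += timedelta(days=2)  # past timestamp's 1-day expiry, inside snapshot's 7 days
    return {"versions": {r: repo.version(r) for r in ROLES}, "consistent": repo.is_consistent(),
            "targets_signatures": len(repo._store["targets"]["signatures"]), "timestamp_fresh": fresh,
            "timestamp_after_2_days": repo.verify("timestamp"), "snapshot_after_2_days": repo.verify("snapshot")}
```

`demo()` runs the whole flow: after `add_keys` the next targets edit is signed by both cached targets signers, every targets change is followed by a fresh snapshot and timestamp, and moving the injected clock past the timestamp's expiry makes `verify("timestamp")` fail while the longer-lived snapshot still verifies. A real implementation would verify against the public keys recorded in root rather than the cached signers; that shortcut exists only because HMAC is symmetric.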
@renatav renatav force-pushed the feature/tuf-repositoty branch from 05403cb to d3d7263 November 29, 2024 11:21
@renatav renatav force-pushed the feature/tuf-repositoty branch from ebd033a to 3000095 November 29, 2024 20:55
@renatav renatav force-pushed the feature/tuf-repositoty branch from 61919f0 to 385a0be November 30, 2024 04:05
@renatav renatav force-pushed the feature/tuf-repositoty branch from 385a0be to ff146df November 30, 2024 04:07
@renatav renatav changed the base branch from dev to master November 30, 2024 04:19
@renatav renatav changed the title Feature/tuf repositoty Transition to the newest version of TUF Nov 30, 2024
@renatav renatav self-assigned this Nov 30, 2024
@renatav renatav marked this pull request as ready for review November 30, 2024 04:50
@renatav renatav requested review from n-dusan and sale3 November 30, 2024 04:50
@renatav renatav force-pushed the feature/tuf-repositoty branch 2 times, most recently from 6ee2279 to ada9ead December 4, 2024 20:52
@renatav renatav force-pushed the feature/tuf-repositoty branch from ada9ead to 6410f52 December 4, 2024 21:12
2 participants