Update vendored trusted roots (#112)
* Update vendored trusted roots

Signed-off-by: Samuel Giddins <[email protected]>

* Move refreshing the TUF store out of initializer

Signed-off-by: Samuel Giddins <[email protected]>

* Update vcr cassettes for new vendored trust root

Signed-off-by: Samuel Giddins <[email protected]>

---------

Signed-off-by: Samuel Giddins <[email protected]>
segiddins authored Sep 26, 2024
1 parent db87448 commit 3379a9f
Showing 15 changed files with 1,184 additions and 694 deletions.
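--- a/.gitleaksignore
+++ b/.gitleaksignore
@@ -1,4 +1,21 @@
-data/_store/staging/root.json:generic-api-key:20
-data/_store/staging/root.json:generic-api-key:24
-data/_store/staging/root.json:generic-api-key:28
-data/_store/staging/root.json:generic-api-key:32
+fixtures/vcr_cassettes/conformance/verify_bundle_success.yml:generic-api-key:115
+fixtures/vcr_cassettes/production.yml:generic-api-key:115
+fixtures/vcr_cassettes/conformance/verify_bundle_success.yml:generic-api-key:200
+fixtures/vcr_cassettes/production.yml:generic-api-key:200
+fixtures/vcr_cassettes/conformance/verify_signature_invalid.yml:generic-api-key:115
+fixtures/vcr_cassettes/conformance/verify_signature_invalid.yml:generic-api-key:200
+fixtures/vcr_cassettes/conformance/verify_signature_invalid.yml:generic-api-key:320
+fixtures/vcr_cassettes/conformance/verify_signature_invalid.yml:generic-api-key:324
+fixtures/vcr_cassettes/conformance/verify_signature_invalid.yml:generic-api-key:328
+fixtures/vcr_cassettes/conformance/verify_signature_invalid.yml:generic-api-key:332
+fixtures/vcr_cassettes/conformance/verify_signature_invalid.yml:generic-api-key:336
+fixtures/vcr_cassettes/production.yml:generic-api-key:320
+fixtures/vcr_cassettes/production.yml:generic-api-key:324
+fixtures/vcr_cassettes/production.yml:generic-api-key:328
+fixtures/vcr_cassettes/production.yml:generic-api-key:332
+fixtures/vcr_cassettes/production.yml:generic-api-key:336
+fixtures/vcr_cassettes/conformance/verify_bundle_success.yml:generic-api-key:320
+fixtures/vcr_cassettes/conformance/verify_bundle_success.yml:generic-api-key:324
+fixtures/vcr_cassettes/conformance/verify_bundle_success.yml:generic-api-key:328
+fixtures/vcr_cassettes/conformance/verify_bundle_success.yml:generic-api-key:332
+fixtures/vcr_cassettes/conformance/verify_bundle_success.yml:generic-api-key:336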
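Review bot: The 21 new entries suppress `generic-api-key` findings in the VCR cassettes by file and line number, and nothing in the file records what sits at those lines. Cassettes capture live HTTP traffic, so a suppressed line could hold a recorded token rather than the public TUF key material these presumably are. A leading comment such as `# PEM public keys from TUF root metadata recorded in the cassettes; regenerate after re-recording` would document the intent, assuming the gitleaks version in use accepts `#` comments in this file. Because each fingerprint is tied to a line number, re-recording a cassette shifts the flagged lines, so the entries must be regenerated and re-checked at that point, not carried over.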
1 change: 1 addition & 0 deletions Rakefile
@@ -71,6 +71,7 @@ task :update_data do
}.each do |name, url|
Dir.mktmpdir do |dir|
updater = Sigstore::TUF::TrustUpdater.new(url, false, metadata_dir: dir, targets_dir: dir).updater
updater.refresh
updater.download_target(updater.get_targetinfo("trusted_root.json"))
cp File.join(dir, "trusted_root.json"), "data/_store/#{name}/trusted_root.json"
cp File.join(dir, "root.json"), "data/_store/#{name}/root.json"
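Review bot: The result of `updater.get_targetinfo("trusted_root.json")` is passed straight to `download_target` with no check that the target was found, directly after `updater.refresh` (which the commit description indicates is the line added here). If the refreshed metadata does not list `trusted_root.json`, the task would presumably fail inside `download_target` or at the following `cp` with an unhelpful error. Since this task writes the vendored trust anchor, an explicit failure is preferable: `info = updater.get_targetinfo("trusted_root.json") or raise "trusted_root.json missing from #{name} TUF targets"` followed by `updater.download_target(info)`. A short comment above `updater.refresh` noting that the updater no longer refreshes in its initializer would also help the next reader. The `update_data` task body starts and ends outside this hunk.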
27 changes: 0 additions & 27 deletions bin/steep

This file was deleted.

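--- a/data/_store/prod/root.json
+++ b/data/_store/prod/root.json
@@ -1,164 +1,165 @@
 {
-"signed": {
-"_type": "root",
-"spec_version": "1.0",
-"version": 9,
-"expires": "2024-09-12T06:53:10Z",
-"keys": {
-"1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849": {
-"keytype": "ecdsa",
-"scheme": "ecdsa-sha2-nistp256",
-"keyid_hash_algorithms": [
-"sha256",
-"sha512"
-],
-"keyval": {
-"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzBzVOmHCPojMVLSI364WiiV8NPrD\n6IgRxVliskz/v+y3JER5mcVGcONliDcWMC5J2lfHmjPNPhb4H7xm8LzfSA==\n-----END PUBLIC KEY-----\n"
-}
-},
-"230e212616274a4195cdc28e9fce782c20e6c720f1a811b40f98228376bdd3ac": {
-"keytype": "ecdsa",
-"scheme": "ecdsa-sha2-nistp256",
-"keyid_hash_algorithms": [
-"sha256",
-"sha512"
-],
-"keyval": {
-"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELrWvNt94v4R085ELeeCMxHp7PldF\n0/T1GxukUh2ODuggLGJE0pc1e8CSBf6CS91Fwo9FUOuRsjBUld+VqSyCdQ==\n-----END PUBLIC KEY-----\n"
-}
-},
-"3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e": {
-"keytype": "ecdsa",
-"scheme": "ecdsa-sha2-nistp256",
-"keyid_hash_algorithms": [
-"sha256",
-"sha512"
-],
-"keyval": {
-"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEy8XKsmhBYDI8Jc0GwzBxeKax0cm5\nSTKEU65HPFunUn41sT8pi0FjM4IkHz/YUmwmLUO0Wt7lxhj6BkLIK4qYAw==\n-----END PUBLIC KEY-----\n"
-}
-},
-"923bb39e60dd6fa2c31e6ea55473aa93b64dd4e53e16fbe42f6a207d3f97de2d": {
-"keytype": "ecdsa",
-"scheme": "ecdsa-sha2-nistp256",
-"keyid_hash_algorithms": [
-"sha256",
-"sha512"
-],
-"keyval": {
-"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWRiGr5+j+3J5SsH+Ztr5nE2H2wO7\nBV+nO3s93gLca18qTOzHY1oWyAGDykMSsGTUBSt9D+An0KfKsD2mfSM42Q==\n-----END PUBLIC KEY-----\n"
-}
-},
-"e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523": {
-"keytype": "ecdsa",
-"scheme": "ecdsa-sha2-nistp256",
-"keyid_hash_algorithms": [
-"sha256",
-"sha512"
-],
-"keyval": {
-"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEinikSsAQmYkNeH5eYq/CnIzLaacO\nxlSaawQDOwqKy/tCqxq5xxPSJc21K4WIhs9GyOkKfzueY3GILzcMJZ4cWw==\n-----END PUBLIC KEY-----\n"
-}
-},
-"ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e": {
-"keytype": "ecdsa",
-"scheme": "ecdsa-sha2-nistp256",
-"keyid_hash_algorithms": [
-"sha256",
-"sha512"
-],
-"keyval": {
-"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEXsz3SZXFb8jMV42j6pJlyjbjR8K\nN3Bwocexq6LMIb5qsWKOQvLN16NUefLc4HswOoumRsVVaajSpQS6fobkRw==\n-----END PUBLIC KEY-----\n"
-}
-},
-"fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f": {
-"keytype": "ecdsa",
-"scheme": "ecdsa-sha2-nistp256",
-"keyid_hash_algorithms": [
-"sha256",
-"sha512"
-],
-"keyval": {
-"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0ghrh92Lw1Yr3idGV5WqCtMDB8Cx\n+D8hdC4w2ZLNIplVRoVGLskYa3gheMyOjiJ8kPi15aQ2//7P+oj7UvJPGw==\n-----END PUBLIC KEY-----\n"
-}
-}
-},
-"roles": {
-"root": {
-"keyids": [
-"3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e",
-"ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e",
-"1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849",
-"e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523",
-"fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f"
-],
-"threshold": 3
-},
-"snapshot": {
-"keyids": [
-"230e212616274a4195cdc28e9fce782c20e6c720f1a811b40f98228376bdd3ac"
-],
-"threshold": 1
-},
-"targets": {
-"keyids": [
-"3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e",
-"ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e",
-"1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849",
-"e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523",
-"fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f"
-],
-"threshold": 3
-},
-"timestamp": {
-"keyids": [
-"923bb39e60dd6fa2c31e6ea55473aa93b64dd4e53e16fbe42f6a207d3f97de2d"
-],
-"threshold": 1
-}
-},
-"consistent_snapshot": true
-},
-"signatures": [
-{
-"keyid": "ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c",
-"sig": "30450221008b78f894c3cfed3bd486379c4e0e0dfb3e7dd8cbc4d5598d2818eea1ba3c7550022029d3d06e89d04d37849985dc46c0e10dc5b1fc68dc70af1ec9910303a1f3ee2f"
-},
-{
-"keyid": "25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99",
-"sig": "30450221009e6b90b935e09b837a90d4402eaa27d5ea26eb7891948ba0ed7090841248f436022003dc2251c4d4a7999b91e9ad0868765ae09ac7269279f2a7899bafef7a2d9260"
-},
-{
-"keyid": "f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f",
-"sig": "30440220099e907dcf90b7b6e109fd1d6e442006fccbb48894aaaff47ab824b03fb35d0d02202aa0a06c21a4233f37900a48bc8777d3b47f59e3a38616ce631a04df57f96736"
-},
-{
-"keyid": "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e",
-"sig": "30450221008b78f894c3cfed3bd486379c4e0e0dfb3e7dd8cbc4d5598d2818eea1ba3c7550022029d3d06e89d04d37849985dc46c0e10dc5b1fc68dc70af1ec9910303a1f3ee2f"
-},
-{
-"keyid": "ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e",
-"sig": "30450221009e6b90b935e09b837a90d4402eaa27d5ea26eb7891948ba0ed7090841248f436022003dc2251c4d4a7999b91e9ad0868765ae09ac7269279f2a7899bafef7a2d9260"
-},
-{
-"keyid": "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523",
-"sig": "304502200e5613b901e0f3e08eceabddc73f98b50ddf892e998d0b369c6e3d451ac48875022100940cf92d1f43ee2e5cdbb22572bb52925ed3863a688f7ffdd4bd2e2e56f028b3"
-},
-{
-"keyid": "2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de",
-"sig": "304502202cff44f2215d7a47b28b8f5f580c2cfbbd1bfcfcbbe78de323045b2c0badc5e9022100c743949eb3f4ea5a4b9ae27ac6eddea1f0ff9bfd004f8a9a9d18c6e4142b6e75"
-},
-{
-"keyid": "1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849",
-"sig": "30440220099e907dcf90b7b6e109fd1d6e442006fccbb48894aaaff47ab824b03fb35d0d02202aa0a06c21a4233f37900a48bc8777d3b47f59e3a38616ce631a04df57f96736"
-},
-{
-"keyid": "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f",
-"sig": "304502202cff44f2215d7a47b28b8f5f580c2cfbbd1bfcfcbbe78de323045b2c0badc5e9022100c743949eb3f4ea5a4b9ae27ac6eddea1f0ff9bfd004f8a9a9d18c6e4142b6e75"
-},
-{
-"keyid": "7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b",
-"sig": "304502200e5613b901e0f3e08eceabddc73f98b50ddf892e998d0b369c6e3d451ac48875022100940cf92d1f43ee2e5cdbb22572bb52925ed3863a688f7ffdd4bd2e2e56f028b3"
-}
-]
+"signatures": [
+{
+"keyid": "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3",
+"sig": "30460221008ab1f6f17d4f9e6d7dcf1c88912b6b53cc10388644ae1f09bc37a082cd06003e022100e145ef4c7b782d4e8107b53437e669d0476892ce999903ae33d14448366996e7"
+},
+{
+"keyid": "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2",
+"sig": "3045022100c768b2f86da99569019c160a081da54ae36c34c0a3120d3cb69b53b7d113758e02204f671518f617b20d46537fae6c3b63bae8913f4f1962156105cc4f019ac35c6a"
+},
+{
+"keyid": "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06",
+"sig": "3045022100b4434e6995d368d23e74759acd0cb9013c83a5d3511f0f997ec54c456ae4350a022015b0e265d182d2b61dc74e155d98b3c3fbe564ba05286aa14c8df02c9b756516"
+},
+{
+"keyid": "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222",
+"sig": "304502210082c58411d989eb9f861410857d42381590ec9424dbdaa51e78ed13515431904e0220118185da6a6c2947131c17797e2bb7620ce26e5f301d1ceac5f2a7e58f9dcf2e"
+},
+{
+"keyid": "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70",
+"sig": "3046022100c78513854cae9c32eaa6b88e18912f48006c2757a258f917312caba75948eb9e022100d9e1b4ce0adfe9fd2e2148d7fa27a2f40ba1122bd69da7612d8d1776b013c91d"
+},
+{
+"keyid": "fdfa83a07b5a83589b87ded41f77f39d232ad91f7cce52868dacd06ba089849f",
+"sig": "3045022056483a2d5d9ea9cec6e11eadfb33c484b614298faca15acf1c431b11ed7f734c022100d0c1d726af92a87e4e66459ca5adf38a05b44e1f94318423f954bae8bca5bb2e"
+},
+{
+"keyid": "e2f59acb9488519407e18cbfc9329510be03c04aca9929d2f0301343fec85523",
+"sig": "3046022100d004de88024c32dc5653a9f4843cfc5215427048ad9600d2cf9c969e6edff3d2022100d9ebb798f5fc66af10899dece014a8628ccf3c5402cd4a4270207472f8f6e712"
+},
+{
+"keyid": "3c344aa068fd4cc4e87dc50b612c02431fbc771e95003993683a2b0bf260cf0e",
+"sig": "3046022100b7b09996c45ca2d4b05603e56baefa29718a0b71147cf8c6e66349baa61477df022100c4da80c717b4fa7bba0fd5c72da8a0499358b01358b2309f41d1456ea1e7e1d9"
+},
+{
+"keyid": "ec81669734e017996c5b85f3d02c3de1dd4637a152019fe1af125d2f9368b95e",
+"sig": "3046022100be9782c30744e411a82fa85b5138d601ce148bc19258aec64e7ec24478f38812022100caef63dcaf1a4b9a500d3bd0e3f164ec18f1b63d7a9460d9acab1066db0f016d"
+},
+{
+"keyid": "1e1d65ce98b10addad4764febf7dda2d0436b3d3a3893579c0dddaea20e54849",
+"sig": "30450220746ec3f8534ce55531d0d01ff64964ef440d1e7d2c4c142409b8e9769f1ada6f022100e3b929fcd93ea18feaa0825887a7210489879a66780c07a83f4bd46e2f09ab3b"
+}
+],
+"signed": {
+"_type": "root",
+"consistent_snapshot": true,
+"expires": "2025-02-19T08:04:32Z",
+"keys": {
+"22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06": {
+"keyid_hash_algorithms": [
+"sha256",
+"sha512"
+],
+"keytype": "ecdsa",
+"keyval": {
+"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzBzVOmHCPojMVLSI364WiiV8NPrD\n6IgRxVliskz/v+y3JER5mcVGcONliDcWMC5J2lfHmjPNPhb4H7xm8LzfSA==\n-----END PUBLIC KEY-----\n"
+},
+"scheme": "ecdsa-sha2-nistp256",
+"x-tuf-on-ci-keyowner": "@santiagotorres"
+},
+"61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222": {
+"keyid_hash_algorithms": [
+"sha256",
+"sha512"
+],
+"keytype": "ecdsa",
+"keyval": {
+"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEinikSsAQmYkNeH5eYq/CnIzLaacO\nxlSaawQDOwqKy/tCqxq5xxPSJc21K4WIhs9GyOkKfzueY3GILzcMJZ4cWw==\n-----END PUBLIC KEY-----\n"
+},
+"scheme": "ecdsa-sha2-nistp256",
+"x-tuf-on-ci-keyowner": "@bobcallaway"
+},
+"6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3": {
+"keyid_hash_algorithms": [
+"sha256",
+"sha512"
+],
+"keytype": "ecdsa",
+"keyval": {
+"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEy8XKsmhBYDI8Jc0GwzBxeKax0cm5\nSTKEU65HPFunUn41sT8pi0FjM4IkHz/YUmwmLUO0Wt7lxhj6BkLIK4qYAw==\n-----END PUBLIC KEY-----\n"
+},
+"scheme": "ecdsa-sha2-nistp256",
+"x-tuf-on-ci-keyowner": "@dlorenc"
+},
+"7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c": {
+"keyid_hash_algorithms": [
+"sha256",
+"sha512"
+],
+"keytype": "ecdsa",
+"keyval": {
+"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWRiGr5+j+3J5SsH+Ztr5nE2H2wO7\nBV+nO3s93gLca18qTOzHY1oWyAGDykMSsGTUBSt9D+An0KfKsD2mfSM42Q==\n-----END PUBLIC KEY-----\n"
+},
+"scheme": "ecdsa-sha2-nistp256",
+"x-tuf-on-ci-online-uri": "gcpkms://projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp"
+},
+"a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70": {
+"keyid_hash_algorithms": [
+"sha256",
+"sha512"
+],
+"keytype": "ecdsa",
+"keyval": {
+"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0ghrh92Lw1Yr3idGV5WqCtMDB8Cx\n+D8hdC4w2ZLNIplVRoVGLskYa3gheMyOjiJ8kPi15aQ2//7P+oj7UvJPGw==\n-----END PUBLIC KEY-----\n"
+},
+"scheme": "ecdsa-sha2-nistp256",
+"x-tuf-on-ci-keyowner": "@joshuagl"
+},
+"e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2": {
+"keyid_hash_algorithms": [
+"sha256",
+"sha512"
+],
+"keytype": "ecdsa",
+"keyval": {
+"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEXsz3SZXFb8jMV42j6pJlyjbjR8K\nN3Bwocexq6LMIb5qsWKOQvLN16NUefLc4HswOoumRsVVaajSpQS6fobkRw==\n-----END PUBLIC KEY-----\n"
+},
+"scheme": "ecdsa-sha2-nistp256",
+"x-tuf-on-ci-keyowner": "@mnm678"
+}
+},
+"roles": {
+"root": {
+"keyids": [
+"6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3",
+"e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2",
+"22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06",
+"61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222",
+"a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70"
+],
+"threshold": 3
+},
+"snapshot": {
+"keyids": [
+"7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c"
+],
+"threshold": 1,
+"x-tuf-on-ci-expiry-period": 3650,
+"x-tuf-on-ci-signing-period": 365
+},
+"targets": {
+"keyids": [
+"6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3",
+"e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2",
+"22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06",
+"61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222",
+"a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70"
+],
+"threshold": 3
+},
+"timestamp": {
+"keyids": [
+"7247f0dbad85b147e1863bade761243cc785dcb7aa410e7105dd3d2b61a36d2c"
+],
+"threshold": 1,
+"x-tuf-on-ci-expiry-period": 7,
+"x-tuf-on-ci-signing-period": 4
+}
+},
+"spec_version": "1.0",
+"version": 10,
+"x-tuf-on-ci-expiry-period": 182,
+"x-tuf-on-ci-signing-period": 31
+}
 }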