TUF conformance

Author: segiddins

.gitleaksignore

@@ -0,0 +1,4 @@
+data/_store/staging/root.json:generic-api-key:20
+data/_store/staging/root.json:generic-api-key:24
+data/_store/staging/root.json:generic-api-key:28
+data/_store/staging/root.json:generic-api-key:32

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/gitleaks/gitleaks
-    rev: v8.18.2
+    rev: v8.18.4
     hooks:
       - id: gitleaks
   - repo: https://github.com/jumanjihouse/pre-commit-hooks

Rakefile

@@ -52,6 +52,7 @@ task test: %w[sigstore_conformance]
 
 desc "Update the vendored data files"
 task :update_data do
+  require "sigstore"
   require "sigstore/trusted_root"
   {
     prod: Sigstore::TUF::DEFAULT_TUF_URL,
@@ -128,8 +129,8 @@ end
 
 GitRepo.define_task(:tuf_conformance).tap do |task|
   task.path = "test/tuf-conformance"
-  task.url = "https://github.com/jku/tuf-conformance.git"
-  task.commit = "b938daaea0e3a9b4cc5c5d743954be6a6ae32893"
+  task.url = "https://github.com/theupdateframework/tuf-conformance.git"
+  task.commit = "eefca0f5834b2bbc2f06ba319f06d52c0c18ee40"
 end
 
 namespace :tuf_conformance do

bin/tuf-conformance-entrypoint

@@ -28,6 +28,18 @@ OptionParser.new do |parser|
   parser.on("--target-base-url U") do |v|
     args << "--target-base-url" << v
   end
+  parser.on("--days-in-future N") do |v|
+    args << "--days-in-future" << v
+  end
+  parser.on("--max-root-rotations N") do |v|
+    args << "--max-root-rotations" << v
+  end
+  parser.on("--target-base-url U") do |v|
+    args << "--target-base-url" << v
+  end
+  parser.on("--target-name N") do |v|
+    args << v
+  end
 end.parse!
 
 require "simplecov"
@@ -39,4 +51,5 @@ load File.expand_path("../.simplecov", __dir__)
 command = ARGV.shift
 
 ARGV.unshift "sigstore_tuf_#{command.tr("-", "_")}", *args
+pp ARGV
 Gem::GemRunner.new.run ARGV.clone

data/_store/staging/root.json

@@ -2,105 +2,121 @@
  "signatures": [
   {
    "keyid": "762cb22caca65de5e9b7b6baecb84ca989d337280ce6914b6440aea95769ad93",
-   "sig": "3044022031a0b4c5fbdb12c26b06929adf6a9ee5fa68bc682fcb0cccc86f12018cfa1750022007a46dd475e80c13395ebadca48c5f3be4636c319a4479ef88f12502bf0a2255"
+   "sig": "3046022100832dd6a362dc4f4c67733195265c80ab15751b5d5af732ec283478984ed6fecc0221008b111861fd98165ad6b932942111674c160a01945853c0802ed5c27bea416790"
   },
   {
    "keyid": "d7d2d47a3f644fc3a685bac7b39c81ed9f9cee48ff861b44fbd86b91e34e7829",
-   "sig": "304502200fff879af7a141a69d4c23636618410fac34e069e404d9790295c02bdcac958f022100e1c78d23d55fecae50703189060394b5177c1a220ba4ea574ef6a0434483af7b"
+   "sig": "304602210091c4b0cc63517859a4678d420d0a857c9eec42041007253ef1aa10488c70850b022100a2a610ca6541d79a3dac2b8d45869945b9e9aa20cc3ae1e17fcf793c84de48bd"
   },
   {
    "keyid": "b78c9e4ff9048a1d9876a20f97fa1b3cb03223a0c520c7de730cfa9f5c7b77e5",
-   "sig": "3045022100af6ea5521e208394bd2c72708ebc87acf6e630f39e5da46bcb45838ad3115b6802203eedccf4cb3c514228dd4e3f89c8bffbd15d329a4f1dbaaaa8728efd74bea840"
+   "sig": "3045022100ce8bbdfb14f87c5183429d50c5a4173f2c49f218068a34e3c0e490acc5a913b702203bdee6b17ae378c36918efc01952cdd99eeb2172cedbb414fb110cfe8e87889f"
   },
   {
    "keyid": "afd6a6ebad62a0dd091db368c1806eeb172c893c80bece1098fed116e985ba35",
-   "sig": "304402205f3a27995a075c9c89475e51e5159931b7a77e434d149126aba571c1afe8926f022030b1cad5d70fa25daa395ff11b0af7b55d431adad7e3f61d84d7d010168a5901"
+   "sig": ""
+  },
+  {
+   "keyid": "aa61e09f6af7662ac686cf0c6364079f63d3e7a86836684eeced93eace3acd81",
+   "sig": "3046022100cedfe81229c20cc747420690c0660b8c6aefd0f2df0f232fe4265ee50416c174022100c064ebba2bdb8dec8b13d5519ae63ba9d4200b3790a8ef27adcfae1d487da772"
+  },
+  {
+   "keyid": "61f9609d2655b346fcebccd66b509d5828168d5e447110e261f0bcc8553624bc",
+   "sig": "30450221008a5319c88e134ab58e5a9bcb5e5722bd10504fa8a7fd24375aad875f71b341b502205b9888ba63fe7e9081801ccf8e2a4713b8725676923cd4deb29383fd78263ca5"
+  },
+  {
+   "keyid": "9471fbda95411d10109e467ad526082d15f14a38de54ea2ada9687ab39d8e237",
+   "sig": "3046022100b76041dabeca2f0dd88e33a0623a343b79e0c9e93dd6d7668d42798a9b7678fa022100ea1d416457e7837a6939930b6611ddcd023a5519ac6de83705bafe7879711c18"
+  },
+  {
+   "keyid": "0374a9e18a20a2103736cb4277e2fdd7f8453642c7d9eaf4ad8aee9cf2d47bb5",
+   "sig": ""
   }
  ],
  "signed": {
   "_type": "root",
   "consistent_snapshot": true,
-  "expires": "2024-08-21T13:23:32Z",
+  "expires": "2024-09-30T11:42:30Z",
   "keys": {
-   "5416a7a35ef827abc651e200ac11f3d23e9db74ef890b1fedb69fb2a152ebac5": {
+   "0374a9e18a20a2103736cb4277e2fdd7f8453642c7d9eaf4ad8aee9cf2d47bb5": {
     "keytype": "ecdsa",
     "keyval": {
-     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExxmEtmhF5U+i+v/6he4BcSLzCgMx\n/0qSrvDg6bUWwUrkSKS2vDpcJrhGy5fmmhRrGawjPp1ALpC3y1kqFTpXDg==\n-----END PUBLIC KEY-----\n"
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoxkvDOmtGEknB3M+ZkPts8joDM0X\nIH5JZwPlgC2CXs/eqOuNF8AcEWwGYRiDhV/IMlQw5bg8PLICQcgsbrDiKg==\n-----END PUBLIC KEY-----\n"
     },
     "scheme": "ecdsa-sha2-nistp256",
-    "x-tuf-on-ci-online-uri": "gcpkms:projects/projectsigstore-staging/locations/global/keyRings/tuf-keyring/cryptoKeys/tuf-key/cryptoKeyVersions/2"
+    "x-tuf-on-ci-keyowner": "@mnm678"
    },
-   "762cb22caca65de5e9b7b6baecb84ca989d337280ce6914b6440aea95769ad93": {
+   "61f9609d2655b346fcebccd66b509d5828168d5e447110e261f0bcc8553624bc": {
     "keytype": "ecdsa",
     "keyval": {
-     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEohqIdE+yTl4OxpX8ZxNUPrg3SL9H\nBDnhZuceKkxy2oMhUOxhWweZeG3bfM1T4ZLnJimC6CAYVU5+F5jZCoftRw==\n-----END PUBLIC KEY-----\n"
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE++Wv+DcLRk+mfkmlpCwl1GUi9EMh\npBUTz8K0fH7bE4mQuViGSyWA/eyMc0HvzZi6Xr0diHw0/lUPBvok214YQw==\n-----END PUBLIC KEY-----\n"
     },
     "scheme": "ecdsa-sha2-nistp256",
-    "x-tuf-on-ci-keyowner": "@jku"
+    "x-tuf-on-ci-keyowner": "@kommendorkapten"
    },
-   "afd6a6ebad62a0dd091db368c1806eeb172c893c80bece1098fed116e985ba35": {
+   "9471fbda95411d10109e467ad526082d15f14a38de54ea2ada9687ab39d8e237": {
     "keytype": "ecdsa",
     "keyval": {
-     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoxkvDOmtGEknB3M+ZkPts8joDM0X\nIH5JZwPlgC2CXs/eqOuNF8AcEWwGYRiDhV/IMlQw5bg8PLICQcgsbrDiKg==\n-----END PUBLIC KEY-----\n"
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFHDb85JH+JYR1LQmxiz4UMokVMnP\nxKoWpaEnFCKXH8W4Fc/DfIxMnkpjCuvWUBdJXkO0aDIxwsij8TOFh2R7dw==\n-----END PUBLIC KEY-----\n"
     },
     "scheme": "ecdsa-sha2-nistp256",
-    "x-tuf-on-ci-keyowner": "@mnm678"
+    "x-tuf-on-ci-keyowner": "@joshuagl"
    },
-   "b78c9e4ff9048a1d9876a20f97fa1b3cb03223a0c520c7de730cfa9f5c7b77e5": {
+   "aa61e09f6af7662ac686cf0c6364079f63d3e7a86836684eeced93eace3acd81": {
     "keytype": "ecdsa",
     "keyval": {
-     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFHDb85JH+JYR1LQmxiz4UMokVMnP\nxKoWpaEnFCKXH8W4Fc/DfIxMnkpjCuvWUBdJXkO0aDIxwsij8TOFh2R7dw==\n-----END PUBLIC KEY-----\n"
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEohqIdE+yTl4OxpX8ZxNUPrg3SL9H\nBDnhZuceKkxy2oMhUOxhWweZeG3bfM1T4ZLnJimC6CAYVU5+F5jZCoftRw==\n-----END PUBLIC KEY-----\n"
     },
     "scheme": "ecdsa-sha2-nistp256",
-    "x-tuf-on-ci-keyowner": "@joshuagl"
+    "x-tuf-on-ci-keyowner": "@jku"
    },
-   "d7d2d47a3f644fc3a685bac7b39c81ed9f9cee48ff861b44fbd86b91e34e7829": {
+   "c3479007e861445ce5dc109d9661ed77b35bbc0e3f161852c46114266fc2daa4": {
     "keytype": "ecdsa",
     "keyval": {
-     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE++Wv+DcLRk+mfkmlpCwl1GUi9EMh\npBUTz8K0fH7bE4mQuViGSyWA/eyMc0HvzZi6Xr0diHw0/lUPBvok214YQw==\n-----END PUBLIC KEY-----\n"
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExxmEtmhF5U+i+v/6he4BcSLzCgMx\n/0qSrvDg6bUWwUrkSKS2vDpcJrhGy5fmmhRrGawjPp1ALpC3y1kqFTpXDg==\n-----END PUBLIC KEY-----\n"
     },
     "scheme": "ecdsa-sha2-nistp256",
-    "x-tuf-on-ci-keyowner": "@kommendorkapten"
+    "x-tuf-on-ci-online-uri": "gcpkms:projects/projectsigstore-staging/locations/global/keyRings/tuf-keyring/cryptoKeys/tuf-key/cryptoKeyVersions/2"
    }
   },
   "roles": {
    "root": {
     "keyids": [
-     "762cb22caca65de5e9b7b6baecb84ca989d337280ce6914b6440aea95769ad93",
-     "d7d2d47a3f644fc3a685bac7b39c81ed9f9cee48ff861b44fbd86b91e34e7829",
-     "b78c9e4ff9048a1d9876a20f97fa1b3cb03223a0c520c7de730cfa9f5c7b77e5",
-     "afd6a6ebad62a0dd091db368c1806eeb172c893c80bece1098fed116e985ba35"
+     "aa61e09f6af7662ac686cf0c6364079f63d3e7a86836684eeced93eace3acd81",
+     "61f9609d2655b346fcebccd66b509d5828168d5e447110e261f0bcc8553624bc",
+     "9471fbda95411d10109e467ad526082d15f14a38de54ea2ada9687ab39d8e237",
+     "0374a9e18a20a2103736cb4277e2fdd7f8453642c7d9eaf4ad8aee9cf2d47bb5"
     ],
     "threshold": 2
    },
    "snapshot": {
     "keyids": [
-     "5416a7a35ef827abc651e200ac11f3d23e9db74ef890b1fedb69fb2a152ebac5"
+     "c3479007e861445ce5dc109d9661ed77b35bbc0e3f161852c46114266fc2daa4"
     ],
     "threshold": 1,
     "x-tuf-on-ci-expiry-period": 3650,
     "x-tuf-on-ci-signing-period": 365
    },
    "targets": {
     "keyids": [
-     "762cb22caca65de5e9b7b6baecb84ca989d337280ce6914b6440aea95769ad93",
-     "d7d2d47a3f644fc3a685bac7b39c81ed9f9cee48ff861b44fbd86b91e34e7829",
-     "b78c9e4ff9048a1d9876a20f97fa1b3cb03223a0c520c7de730cfa9f5c7b77e5",
-     "afd6a6ebad62a0dd091db368c1806eeb172c893c80bece1098fed116e985ba35"
+     "aa61e09f6af7662ac686cf0c6364079f63d3e7a86836684eeced93eace3acd81",
+     "61f9609d2655b346fcebccd66b509d5828168d5e447110e261f0bcc8553624bc",
+     "9471fbda95411d10109e467ad526082d15f14a38de54ea2ada9687ab39d8e237",
+     "0374a9e18a20a2103736cb4277e2fdd7f8453642c7d9eaf4ad8aee9cf2d47bb5"
     ],
     "threshold": 1
    },
    "timestamp": {
     "keyids": [
-     "5416a7a35ef827abc651e200ac11f3d23e9db74ef890b1fedb69fb2a152ebac5"
+     "c3479007e861445ce5dc109d9661ed77b35bbc0e3f161852c46114266fc2daa4"
     ],
     "threshold": 1,
     "x-tuf-on-ci-expiry-period": 7,
     "x-tuf-on-ci-signing-period": 4
    }
   },
   "spec_version": "1.0",
-  "version": 8,
+  "version": 9,
   "x-tuf-on-ci-expiry-period": 91,
   "x-tuf-on-ci-signing-period": 35
  }

lib/rubygems/commands/sigstore_tuf_download_target_command.rb

@@ -15,6 +15,7 @@
 # limitations under the License.
 
 require "rubygems/command"
+require_relative "../../sigstore"
 require_relative "../../sigstore/tuf"
 
 module Gem
@@ -49,8 +50,10 @@ def execute
 
         kwargs = {}
         kwargs[:target_base_url] = @target_base_url if @target_base_url
-        trust_updater = Sigstore::TUF::TrustUpdater.new(@metadata_url, false, metadata_dir: @metadata_dir,
-                                                                              targets_dir: @targets_dir, **kwargs)
+        trust_updater = Sigstore::TUF::TrustUpdater.new(
+          @metadata_url, false,
+          metadata_dir: @metadata_dir, targets_dir: @targets_dir, target_base_url: @target_base_url, **kwargs
+        )
 
         options[:args].each do |target|
           target_info = trust_updater.updater.get_targetinfo(target)

lib/rubygems/commands/sigstore_tuf_init_command.rb

@@ -33,7 +33,6 @@ def initialize
       end
 
       def execute
-        raise Gem::CommandLineError, "--metadata-url is required" unless @metadata_url
         raise Gem::CommandLineError, "--metadata-dir is required" unless @metadata_dir
 
         unless options[:args].size == 1 && File.exist?(options[:args].first)

lib/rubygems/commands/sigstore_tuf_refresh_command.rb

@@ -31,14 +31,38 @@ def initialize
         add_option("--metadata-dir dir", String) do |dir|
           @metadata_dir = dir
         end
+
+        add_option("--days-in-future days", Integer) do |days|
+          @days_in_future = days
+        end
+
+        add_option("--max-root-rotations rotations", Integer) do |rotations|
+          @max_root_rotations = rotations
+        end
       end
 
       def execute
+        time_provider =
+          if @days_in_future&.positive?
+            -> { Time.now + (@days_in_future * 86_400) }
+          else
+            Time.method(:now)
+          end
         raise Gem::CommandLineError, "metadata-url is required" unless @metadata_url
         raise Gem::CommandLineError, "metadata-dir is required" unless @metadata_dir
         raise Gem::CommandLineError, "no args accepted" unless options[:args].empty?
 
-        Sigstore::TUF::TrustUpdater.new(@metadata_url, false, metadata_dir: @metadata_dir)
+        Sigstore::TUF::TrustUpdater.new(
+          @metadata_url, false,
+          metadata_dir: @metadata_dir,
+          config: Sigstore::TUF::UpdaterConfig.new(
+            max_root_rotations: @max_root_rotations
+          ),
+          time_provider: time_provider
+        )
+      rescue Sigstore::Error => e
+        alert_error "Error: #{e.full_message}"
+        terminate_interaction 1
       end
     end
   end

lib/sigstore/tuf.rb

@@ -29,7 +29,8 @@ class TrustUpdater
 
       attr_reader :updater
 
-      def initialize(metadata_url, offline, metadata_dir: nil, targets_dir: nil, target_base_url: nil)
+      def initialize(metadata_url, offline, metadata_dir: nil, targets_dir: nil, target_base_url: nil,
+                     config: UpdaterConfig.new, time_provider: Time.method(:now))
         @repo_url = metadata_url
 
         default_metadata_dir, default_targets_dir = get_dirs(metadata_url) unless metadata_dir && targets_dir
@@ -80,14 +81,12 @@ def initialize(metadata_url, offline, metadata_dir: nil, targets_dir: nil, targe
           target_base_url: (target_base_url && URI.parse(target_base_url)) ||
                            URI.join("#{@repo_url.to_s.chomp("/")}/", "targets/"),
           target_dir: @targets_dir,
-          fetcher: Net::HTTP.new(repo_url.host, repo_url.port).tap { _1.use_ssl = true if repo_url.scheme != "http" }
+          fetcher: Net::HTTP.new(repo_url.host, repo_url.port).tap { _1.use_ssl = true if repo_url.scheme != "http" },
+          config: config,
+          time_provider: time_provider
         )
 
-        begin
-          @updater.refresh
-        rescue StandardError => e
-          raise "Failed to refresh TUF metadata: #{e.class} #{e.full_message}"
-        end
+        @updater.refresh
       end
 
       def get_dirs(url)

lib/sigstore/tuf/error.rb

@@ -23,5 +23,8 @@ class ExpiredMetadata < Error; end
     class EqualVersionNumber < Error; end
     class BadVersionNumber < Error; end
     class BadUpdateOrder < Error; end
+    class TooFewSignatures < Error; end
+    class MetaVersionLower < Error; end
+    class MetaVersionHigher < Error; end
   end
 end