Update TUF client to support options and add LiveTrustedRoot

Signed-off-by: Cody Soyland <codysoyland@github.com>
sigstore · Dec 12, 2023 · 0e74150 · 0e74150
1 parent 6a8bf18
commit 0e74150
Show file tree

Hide file tree

Showing 11 changed files with 532 additions and 124 deletions.
diff --git a/cmd/conformance/main.go b/cmd/conformance/main.go
@@ -57,10 +57,19 @@ func getTrustedRoot() root.TrustedMaterial {
  if !ok {
  log.Fatal("unable to get path")
  }
-
- tufDir := path.Join(path.Dir(filename), "tufdata")
-
- trustedRootJSON, err = tuf.GetTrustedrootJSON("tuf-repo-cdn.sigstore.dev", tufDir)
+ opts, err := tuf.DefaultOptions()
+ if err != nil {
+ log.Fatal(err)
+ }
+ opts.CachePath = path.Join(path.Dir(filename), "tufdata")
+ client, err := tuf.New(opts)
+ if err != nil {
+ log.Fatal(err)
+ }
+ trustedRootJSON, err = client.GetTarget("trusted_root.json")
+ if err != nil {
+ log.Fatal(err)
+ }
  }
 
  if err != nil {

diff --git a/cmd/sigstore-go/main.go b/cmd/sigstore-go/main.go
@@ -47,7 +47,6 @@ var onlineTlog *bool
 var trustedPublicKey *string
 var trustedrootJSONpath *string
 var tufRootURL *string
-var tufDirectory *string
 
 func init() {
  artifact = flag.String("artifact", "", "Path to artifact to verify")
@@ -63,7 +62,6 @@ func init() {
  trustedPublicKey = flag.String("publicKey", "", "Path to trusted public key")
  trustedrootJSONpath = flag.String("trustedrootJSONpath", "examples/trusted-root-public-good.json", "Path to trustedroot JSON file")
  tufRootURL = flag.String("tufRootURL", "", "URL of TUF root containing trusted root JSON file")
- tufDirectory = flag.String("tufDirectory", "tufdata", "Directory to store TUF metadata")
  flag.Parse()
  if flag.NArg() == 0 {
  usage()
@@ -122,20 +120,32 @@ func run() error {
  }
 
  var trustedMaterial = make(root.TrustedMaterialCollection, 0)
- var trustedrootJSON []byte
+ var trustedRootJSON []byte
 
  if *tufRootURL != "" {
- trustedrootJSON, err = tuf.GetTrustedrootJSON(*tufRootURL, *tufDirectory)
+ opts, err := tuf.DefaultOptions()
+ if err != nil {
+ return err
+ }
+ opts.RepositoryBaseURL = *tufRootURL
+ client, err := tuf.New(opts)
+ if err != nil {
+ return err
+ }
+ trustedRootJSON, err = client.GetTarget("trusted_root.json")
+ if err != nil {
+ return err
+ }
  } else if *trustedrootJSONpath != "" {
- trustedrootJSON, err = os.ReadFile(*trustedrootJSONpath)
+ trustedRootJSON, err = os.ReadFile(*trustedrootJSONpath)
  }
  if err != nil {
  return err
  }
 
- if len(trustedrootJSON) > 0 {
+ if len(trustedRootJSON) > 0 {
  var trustedRoot *root.TrustedRoot
- trustedRoot, err = root.NewTrustedRootFromJSON(trustedrootJSON)
+ trustedRoot, err = root.NewTrustedRootFromJSON(trustedRootJSON)
  if err != nil {
  return err
  }

diff --git a/examples/oci-image-verification/go.mod b/examples/oci-image-verification/go.mod
@@ -1,6 +1,8 @@
 module github.com/sigstore/sigstore-go/examples/oci-image-verification
 
-go 1.21
+go 1.21.5
+
+replace github.com/sigstore/sigstore-go => ../../
 
 require (
  github.com/google/go-containerregistry v0.17.0
@@ -22,7 +24,7 @@ require (
  github.com/docker/docker-credential-helpers v0.7.0 // indirect
  github.com/fsnotify/fsnotify v1.6.0 // indirect
  github.com/go-chi/chi v4.1.2+incompatible // indirect
- github.com/go-logr/logr v1.2.4 // indirect
+ github.com/go-logr/logr v1.3.0 // indirect
  github.com/go-logr/stdr v1.2.2 // indirect
  github.com/go-openapi/analysis v0.21.4 // indirect
  github.com/go-openapi/errors v0.20.4 // indirect
@@ -31,7 +33,7 @@ require (
  github.com/go-openapi/loads v0.21.2 // indirect
  github.com/go-openapi/runtime v0.26.0 // indirect
  github.com/go-openapi/spec v0.20.11 // indirect
- github.com/go-openapi/strfmt v0.21.8 // indirect
+ github.com/go-openapi/strfmt v0.21.9 // indirect
  github.com/go-openapi/swag v0.22.4 // indirect
  github.com/go-openapi/validate v0.22.3 // indirect
  github.com/golang/protobuf v1.5.3 // indirect
@@ -55,6 +57,7 @@ require (
  github.com/opentracing/opentracing-go v1.2.0 // indirect
  github.com/pelletier/go-toml/v2 v2.1.0 // indirect
  github.com/pkg/errors v0.9.1 // indirect
+ github.com/rdimitrov/go-tuf-metadata v0.0.0-20231211110834-6de72dba550c // indirect
  github.com/sagikazarmark/locafero v0.3.0 // indirect
  github.com/sagikazarmark/slog-shim v0.1.0 // indirect
  github.com/sassoftware/relic v7.2.1+incompatible // indirect
@@ -74,7 +77,7 @@ require (
  github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
  github.com/transparency-dev/merkle v0.0.2 // indirect
  github.com/vbatts/tar-split v0.11.3 // indirect
- go.mongodb.org/mongo-driver v1.12.0 // indirect
+ go.mongodb.org/mongo-driver v1.13.0 // indirect
  go.opentelemetry.io/otel v1.19.0 // indirect
  go.opentelemetry.io/otel/metric v1.19.0 // indirect
  go.opentelemetry.io/otel/trace v1.19.0 // indirect

diff --git a/examples/oci-image-verification/go.sum b/examples/oci-image-verification/go.sum
@@ -168,8 +168,8 @@ github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkc
 github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
-github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
+github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-openapi/analysis v0.21.4 h1:ZDFLvSNxpDaomuCueM0BlSXxpANBlFYiBvr+GXrvIHc=
@@ -193,8 +193,8 @@ github.com/go-openapi/spec v0.20.6/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6
 github.com/go-openapi/spec v0.20.11 h1:J/TzFDLTt4Rcl/l1PmyErvkqlJDncGvPTMnCI39I4gY=
 github.com/go-openapi/spec v0.20.11/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA=
 github.com/go-openapi/strfmt v0.21.3/go.mod h1:k+RzNO0Da+k3FrrynSNN8F7n/peCmQQqbbXjtDfvmGg=
-github.com/go-openapi/strfmt v0.21.8 h1:VYBUoKYRLAlgKDrIxR/I0lKrztDQ0tuTDrbhLVP8Erg=
-github.com/go-openapi/strfmt v0.21.8/go.mod h1:adeGTkxE44sPyLk0JV235VQAO/ZXUr8KAzYjclFs3ew=
+github.com/go-openapi/strfmt v0.21.9 h1:LnEGOO9qyEC1v22Bzr323M98G13paIUGPU7yeJtG9Xs=
+github.com/go-openapi/strfmt v0.21.9/go.mod h1:0k3v301mglEaZRJdDDGSlN6Npq4VMVU69DE0LUyf7uA=
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
 github.com/go-openapi/swag v0.21.1/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
@@ -406,6 +406,8 @@ github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lne
 github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY=
 github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
 github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
+github.com/rdimitrov/go-tuf-metadata v0.0.0-20231211110834-6de72dba550c h1:Y4Mx6GbsUbzvV41SuQfE671gKAXdILTSGdUe4+8y7DE=
+github.com/rdimitrov/go-tuf-metadata v0.0.0-20231211110834-6de72dba550c/go.mod h1:3l8VADBl9myZ4VNSQtmM46iEA+jolS2ZFviLocdyWPw=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
@@ -432,8 +434,6 @@ github.com/sigstore/rekor v1.3.4 h1:RGIia1iOZU7fOiiP2UY/WFYhhp50S5aUm7YrM8aiA6E=
 github.com/sigstore/rekor v1.3.4/go.mod h1:1GubPVO2yO+K0m0wt/3SHFqnilr/hWbsjSOe7Vzxrlg=
 github.com/sigstore/sigstore v1.7.6 h1:zB0woXx+3Bp7dk7AjklHF1VhXBdCs84VXkZbp0IHLv8=
 github.com/sigstore/sigstore v1.7.6/go.mod h1:FJE+NpEZIs4QKqZl4B2RtaVLVDcDtocAwTiNlexeBkY=
-github.com/sigstore/sigstore-go v0.0.0-20231206154419-7f57c1495ca4 h1:2KpuUMK4lFw8GIUPmjbETXjVroV8NBgJima7RRsk55E=
-github.com/sigstore/sigstore-go v0.0.0-20231206154419-7f57c1495ca4/go.mod h1:N9kAbQfXk6oK1od+ZAh0zDd2UjBsq2iqpEK7UvZrU1I=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.7.5 h1:ilufPp36exfpivctI3ElU4ZTckP3eVu6RxYebBb6u+M=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.7.5/go.mod h1:121n8nBnuXbcI6K0hIBo/0EMYiyXqGVzbIYd0rV0ZWw=
 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.7.5 h1:gLdNJJo+xMf7+IeFRlyA/Pjavndo9rivmf5ioYeuPmM=
@@ -503,8 +503,8 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t
 github.com/zalando/go-keyring v0.2.2 h1:f0xmpYiSrHtSNAVgwip93Cg8tuF45HJM6rHq/A5RI/4=
 github.com/zalando/go-keyring v0.2.2/go.mod h1:sI3evg9Wvpw3+n4SqplGSJUMwtDeROfD4nsFz4z9PG0=
 go.mongodb.org/mongo-driver v1.10.0/go.mod h1:wsihk0Kdgv8Kqu1Anit4sfK+22vSFbUrAVEYRhCXrA8=
-go.mongodb.org/mongo-driver v1.12.0 h1:aPx33jmn/rQuJXPQLZQ8NtfPQG8CaqgLThFtqRb0PiE=
-go.mongodb.org/mongo-driver v1.12.0/go.mod h1:AZkxhPnFJUoH7kZlFkVKucV20K387miPfm7oimrSmK0=
+go.mongodb.org/mongo-driver v1.13.0 h1:67DgFFjYOCMWdtTEmKFpV3ffWlFnh+CYZ8ZS/tXWUfY=
+go.mongodb.org/mongo-driver v1.13.0/go.mod h1:/rGBTebI3XYboVmgz+Wv3Bcbl3aD0QF9zl6kDDw18rQ=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=

diff --git a/examples/oci-image-verification/main.go b/examples/oci-image-verification/main.go
@@ -142,20 +142,32 @@ func run() error {
  }
 
  var trustedMaterial = make(root.TrustedMaterialCollection, 0)
- var trustedrootJSON []byte
+ var trustedRootJSON []byte
 
  if *tufRootURL != "" {
- trustedrootJSON, err = tuf.GetTrustedrootJSON(*tufRootURL, *tufDirectory)
+ opts, err := tuf.DefaultOptions()
+ if err != nil {
+ return err
+ }
+ opts.RepositoryBaseURL = *tufRootURL
+ client, err := tuf.New(opts)
+ if err != nil {
+ return err
+ }
+ trustedRootJSON, err = client.GetTarget("trusted_root.json")
+ if err != nil {
+ return err
+ }
  } else if *trustedrootJSONpath != "" {
- trustedrootJSON, err = os.ReadFile(*trustedrootJSONpath)
+ trustedRootJSON, err = os.ReadFile(*trustedrootJSONpath)
  }
  if err != nil {
  return err
  }
 
- if len(trustedrootJSON) > 0 {
+ if len(trustedRootJSON) > 0 {
  var trustedRoot *root.TrustedRoot
- trustedRoot, err = root.NewTrustedRootFromJSON(trustedrootJSON)
+ trustedRoot, err = root.NewTrustedRootFromJSON(trustedRootJSON)
  if err != nil {
  return err
  }

diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/sigstore/sigstore-go
 
-go 1.21
+go 1.21.5
 
 require (
  github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7
@@ -10,13 +10,13 @@ require (
  github.com/go-openapi/swag v0.22.4
  github.com/google/certificate-transparency-go v1.1.7
  github.com/in-toto/in-toto-golang v0.9.0
+ github.com/rdimitrov/go-tuf-metadata v0.0.0-20231211110834-6de72dba550c
  github.com/secure-systems-lab/go-securesystemslib v0.7.0
  github.com/sigstore/protobuf-specs v0.2.1
  github.com/sigstore/rekor v1.3.4
  github.com/sigstore/sigstore v1.7.6
  github.com/sigstore/timestamp-authority v1.2.0
  github.com/stretchr/testify v1.8.4
- github.com/theupdateframework/go-tuf v0.7.0
  golang.org/x/mod v0.14.0
  google.golang.org/protobuf v1.31.0
 )
@@ -28,7 +28,7 @@ require (
  github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
  github.com/fsnotify/fsnotify v1.6.0 // indirect
  github.com/go-chi/chi v4.1.2+incompatible // indirect
- github.com/go-logr/logr v1.2.4 // indirect
+ github.com/go-logr/logr v1.3.0 // indirect
  github.com/go-logr/stdr v1.2.2 // indirect
  github.com/go-openapi/analysis v0.21.4 // indirect
  github.com/go-openapi/errors v0.20.4 // indirect
@@ -66,6 +66,7 @@ require (
  github.com/spf13/pflag v1.0.5 // indirect
  github.com/spf13/viper v1.17.0 // indirect
  github.com/subosito/gotenv v1.6.0 // indirect
+ github.com/theupdateframework/go-tuf v0.7.0 // indirect
  github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
  github.com/transparency-dev/merkle v0.0.2 // indirect
  go.mongodb.org/mongo-driver v1.13.0 // indirect

diff --git a/go.sum b/go.sum
@@ -156,8 +156,8 @@ github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkc
 github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
-github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
+github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-openapi/analysis v0.21.4 h1:ZDFLvSNxpDaomuCueM0BlSXxpANBlFYiBvr+GXrvIHc=
@@ -392,6 +392,8 @@ github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lne
 github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY=
 github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
 github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
+github.com/rdimitrov/go-tuf-metadata v0.0.0-20231211110834-6de72dba550c h1:Y4Mx6GbsUbzvV41SuQfE671gKAXdILTSGdUe4+8y7DE=
+github.com/rdimitrov/go-tuf-metadata v0.0.0-20231211110834-6de72dba550c/go.mod h1:3l8VADBl9myZ4VNSQtmM46iEA+jolS2ZFviLocdyWPw=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
@@ -428,6 +430,8 @@ github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.7.5 h1:yWNBuL52Je3u
 github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.7.5/go.mod h1:EI9vDWVGG8fQU9aFMY7Bd204xJiqmXcDMSkFifCf16Q=
 github.com/sigstore/timestamp-authority v1.2.0 h1:Ffk10QsHxu6aLwySQ7WuaoWkD63QkmcKtozlEFot/VI=
 github.com/sigstore/timestamp-authority v1.2.0/go.mod h1:ojKaftH78Ovfow9DzuNl5WgTCEYSa4m5622UkKDHRXc=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
 github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
 github.com/spf13/afero v1.10.0 h1:EaGW2JJh15aKOejeuJ+wpFSHnbd7GE6Wvp3TsNhb6LY=

diff --git a/pkg/root/trusted_root.go b/pkg/root/trusted_root.go
@@ -20,11 +20,14 @@ import (
  "crypto/x509"
  "encoding/hex"
  "fmt"
+ "log"
  "os"
+ "sync"
  "time"
 
  protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
  prototrustroot "github.com/sigstore/protobuf-specs/gen/pb-go/trustroot/v1"
+ "github.com/sigstore/sigstore-go/pkg/tuf"
  "google.golang.org/protobuf/encoding/protojson"
 )
 
@@ -256,3 +259,101 @@ func NewTrustedRootProtobuf(rootJSON []byte) (*prototrustroot.TrustedRoot, error
  }
  return pbTrustedRoot, nil
 }
+
+// FetchTrustedRoot fetches the Sigstore trusted root from TUF and returns it.
+func FetchTrustedRoot() (*TrustedRoot, error) {
+ opts, err := tuf.DefaultOptions()
+ if err != nil {
+ return nil, err
+ }
+ client, err := tuf.New(opts)
+ if err != nil {
+ return nil, err
+ }
+ return GetTrustedRoot(client)
+}
+
+// GetTrustedRoot returns the trusted root
+func GetTrustedRoot(c *tuf.Client) (*TrustedRoot, error) {
+ jsonBytes, err := c.GetTarget("trusted_root.json")
+ if err != nil {
+ return nil, err
+ }
+ return NewTrustedRootFromJSON(jsonBytes)
+}
+
+// LiveTrustedRoot is a wrapper around TrustedRoot that periodically
+// refreshes the trusted root from TUF. This is needed for long-running
+// processes to ensure that the trusted root does not expire.
+type LiveTrustedRoot struct {
+ *TrustedRoot
+ mu sync.RWMutex
+}
+
+// NewLiveTrustedRoot returns a LiveTrustedRoot that will periodically
+// refresh the trusted root from TUF.
+func NewLiveTrustedRoot(opts *tuf.Options) (*LiveTrustedRoot, error) {
+ client, err := tuf.New(opts)
+ if err != nil {
+ return nil, err
+ }
+ tr, err := GetTrustedRoot(client)
+ if err != nil {
+ return nil, err
+ }
+ ltr := &LiveTrustedRoot{
+ TrustedRoot: tr,
+ mu: sync.RWMutex{},
+ }
+ ticker := time.NewTicker(time.Hour * 24)
+ go func() {
+ for {
+ select {
+ case <-ticker.C:
+ client, err = tuf.New(opts)
+ if err != nil {
+ log.Printf("error creating TUF client: %v", err)
+ }
+ newTr, err := GetTrustedRoot(client)
+ if err != nil {
+ log.Printf("error fetching trusted root: %v", err)
+ continue
+ }
+ ltr.mu.Lock()
+ ltr.TrustedRoot = newTr
+ ltr.mu.Unlock()
+ }
+ }
+ }()
+ return ltr, nil
+}
+
+func (l *LiveTrustedRoot) TSACertificateAuthorities() []CertificateAuthority {
+ l.mu.RLock()
+ defer l.mu.RUnlock()
+ return l.TrustedRoot.TSACertificateAuthorities()
+}
+
+func (l *LiveTrustedRoot) FulcioCertificateAuthorities() []CertificateAuthority {
+ l.mu.RLock()
+ defer l.mu.RUnlock()
+ return l.TrustedRoot.FulcioCertificateAuthorities()
+}
+
+func (l *LiveTrustedRoot) TlogAuthorities() map[string]*TlogAuthority {
+ l.mu.RLock()
+ defer l.mu.RUnlock()
+ return l.TrustedRoot.TlogAuthorities()
+}
+
+func (l *LiveTrustedRoot) CTlogAuthorities() map[string]*TlogAuthority {
+ l.mu.RLock()
+ defer l.mu.RUnlock()
+ return l.TrustedRoot.CTlogAuthorities()
+}
+
+func (l *LiveTrustedRoot) PublicKeyVerifier(keyID string) (TimeConstrainedVerifier, error) {
+ l.mu.RLock()
+ defer l.mu.RUnlock()
+ return l.TrustedRoot.PublicKeyVerifier(keyID)
+}