Feature: ability to sign a wave by more than 1 key

Signed-off-by: Volodymyr Khoroz <[email protected]>
foundriesio · Aug 2, 2023 · e024fe5 · e024fe5
1 parent 353d5b9
commit e024fe5
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 0 deletions.
diff --git a/client/foundries.go b/client/foundries.go
@@ -1716,6 +1716,19 @@ func (a *Api) FactoryGetWave(factory string, wave string, showTargets bool) (*Wa
 	return &resp, err
 }
 
+func (a *Api) FactorySignWave(factory string, wave string, signatures []tuf.Signature) error {
+	url := a.serverUrl + "/ota/factories/" + factory + "/waves/" + wave + "/sign/"
+	logrus.Debugf("Signing factory wave %s", url)
+
+	data, err := json.Marshal(map[string][]tuf.Signature{"signatures": signatures})
+	if err != nil {
+		return err
+	}
+
+	_, err = a.Post(url, data)
+	return err
+}
+
 func (a *Api) FactoryRolloutWave(
 	factory string, wave string, options WaveRolloutOptions,
 ) (*WaveRolloutResult, error) {

diff --git a/subcommands/waves/sign.go b/subcommands/waves/sign.go
@@ -0,0 +1,43 @@
+package waves
+
+import (
+	"github.com/docker/go/canonical/json"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+
+	"github.com/foundriesio/fioctl/subcommands"
+	tuf "github.com/theupdateframework/notary/tuf/data"
+)
+
+func init() {
+	signCmd := &cobra.Command{
+		Use:   "sign <wave>",
+		Short: "Sign an existing wave targets with additional key",
+		Long: `Sign an existing wave targets with additional key.
+
+This command is only needed when your TUF root requires more than 1 signature for production targets.
+In this case, you cannot roll out or complete a wave before it has enough signatures.`,
+		Run:  doSignWave,
+		Args: cobra.ExactArgs(1),
+	}
+	cmd.AddCommand(signCmd)
+	signCmd.Flags().StringP("keys", "k", "", "Path to <offline-creds.tgz> used to sign wave targets.")
+	_ = signCmd.MarkFlagRequired("keys")
+}
+
+func doSignWave(cmd *cobra.Command, args []string) {
+	factory := viper.GetString("factory")
+	name := args[0]
+	offlineKeys := readOfflineKeys(cmd)
+
+	wave, err := api.FactoryGetWave(factory, name, true)
+	subcommands.DieNotNil(err)
+
+	var targets tuf.Signed
+	subcommands.DieNotNil(json.Unmarshal(*wave.Targets, &targets))
+	meta, err := json.MarshalCanonical(targets.Signed)
+	subcommands.DieNotNil(err)
+
+	signatures := signTargets(meta, factory, offlineKeys)
+	subcommands.DieNotNil(api.FactorySignWave(factory, name, signatures))
+}