Generate trusted_root.json in the TUF server (#1235)

* Generate trusted_root.json in the TUF server

Signed-off-by: Slavek Kabrda <[email protected]>

* Address review

Signed-off-by: Slavek Kabrda <[email protected]>

* Update README with more information about providing cert chains

Signed-off-by: Slavek Kabrda <[email protected]>

* Update pkg/repo/repo.go

Co-authored-by: Hayden B <[email protected]>
Signed-off-by: Slavek Kabrda <[email protected]>

* Address review

Signed-off-by: Slavek Kabrda <[email protected]>

* Remove outdated comment

Signed-off-by: Slavek Kabrda <[email protected]>

---------

Signed-off-by: Slavek Kabrda <[email protected]>
Co-authored-by: Hayden B <[email protected]>

README.md

@@ -363,14 +363,14 @@ in all the namespaces, which is not great, so we'll work around that by
 having another step where we manually copy the secrets to `tuf-system` namespace
 so that we can create a proper tuf root that `cosign` can use.
 
-There are two steps in the process, first, copy ctlog, fulcio, and rekor
+There are two steps in the process, first, copy ctlog, fulcio, rekor and TSA
 public secrets into the `tuf-system` namespace, followed by a construction
 of a tuf root from those pieces of information. In addition to that, we'll need
 to have a tuf web server that serves the root information so that tools like
 `cosign` can validate the roots of trust.
 
 For that, we need to copy the following secrets (namespace/secret) with the
-keys in the secrets into the`tuf-system` namespace so that the job there has
+keys in the secrets into the `tuf-system` namespace so that the job there has
 enough information to construct the tuf root:
 
 * fulcio-system/fulcio-pub-key
@@ -383,6 +383,20 @@ enough information to construct the tuf root:
 * tsa-system/tsa-cert-chain
   - cert-chain - Holds the certificate chain for TimeStamp Authority
 
+Certificate chains for fulcio and TSA can either be provided in a single file
+or in individual files. When providing as individual files, the following
+file naming scheme has to be followed:
+
+* `<target>_root.crt.pem`, e.g. `tsa_root.crt.pem`
+* `<target>_intermediate_0.crt.pem`, e.g. `tsa_intermediate_0.crt.pem`
+* `<target>_intermediate_1.crt.pem`, e.g. `tsa_intermediate_1.crt.pem`
+* (more intermediates, but at most 10 intermediate certificates altogether)
+* `<target>_leaf.crt.pem`, e.g. `tsa_leaf.crt.pem`
+
+Intermediate certificates, if provided, must be ordered correctly:
+`intermediate_0` is signed by `root`, `intermediate_1` is signed by
+`intermediate_0` etc.
+
 Once we have all that information in one place, we can construct a tuf root out
 of it that can be used by tools like `cosign` and `policy-controller`.
 

cmd/tuf/server/main.go

@@ -50,8 +50,10 @@ var (
 	// repository - Compressed repo, which has been tar/gzipped.
 	secretName = flag.String("rootsecret", "tuf-root", "Name of the secret to create for the initial root file")
 	// Name of the "secret" where we create one entry per key JSON definition as generated by TUF, e.g. "root.json", "timestamp.json", ...
-	keysSecretName = flag.String("keyssecret", "", "Name of the secret to create for generated keys (keys won't be stored unless this is provided)")
-	noK8s          = flag.Bool("no-k8s", false, "Run in a non-k8s environment")
+	keysSecretName  = flag.String("keyssecret", "", "Name of the secret to create for generated keys (keys won't be stored unless this is provided)")
+	noK8s           = flag.Bool("no-k8s", false, "Run in a non-k8s environment")
+	metadataTargets = flag.Bool("metadata-targets", true, "Serve individual targets with custom Sigstore metadata. This will be deprecated and removed in the future.")
+	trustedRoot     = flag.Bool("trusted-root", true, "Generate and serve trusted_root.json")
 )
 
 func getNamespaceAndClientset(noK8s bool) (string, *kubernetes.Clientset, error) {
@@ -126,7 +128,7 @@ func initTUFRepo(ctx context.Context, certsDir, targetDir, repoSecretName, keysS
 	}
 
 	// Create a new TUF root with the listed artifacts.
-	local, dir, err := repo.CreateRepo(ctx, files)
+	local, dir, err := repo.CreateRepoWithOptions(ctx, files, repo.CreateRepoOptions{AddMetadataTargets: *metadataTargets, AddTrustedRoot: *trustedRoot})
 	if err != nil {
 		return fmt.Errorf("failed to create repo: %v", err)
 	}
@@ -196,6 +198,10 @@ func main() {
 
 	ctx := signals.NewContext()
 
+	if *metadataTargets {
+		logging.FromContext(ctx).Warnf("Serving individual TUF targets with custom Sigstore metadata will be deprecated and removed in the future.")
+	}
+
 	serve := false
 	init := false
 	overwrite := true

go.mod

@@ -33,7 +33,9 @@ require (
 	github.com/sigstore/fulcio v1.6.3
 	github.com/sigstore/rekor v1.3.6
 	github.com/sigstore/sigstore v1.8.8
+	github.com/sigstore/sigstore-go v0.6.1-0.20240821212051-2198ac32dd94
 	github.com/sigstore/timestamp-authority v1.2.2
+	github.com/stretchr/testify v1.9.0
 	github.com/theupdateframework/go-tuf v0.7.0
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399
 	go.uber.org/zap v1.27.0
@@ -224,6 +226,7 @@ require (
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
@@ -252,6 +255,7 @@ require (
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
 	github.com/thales-e-security/pool v0.0.2 // indirect
+	github.com/theupdateframework/go-tuf/v2 v2.0.0 // indirect
 	github.com/tjfoc/gmsm v1.4.1 // indirect
 	github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce // indirect
 	github.com/transparency-dev/merkle v0.0.2 // indirect

go.sum

@@ -1198,6 +1198,8 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
 github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
+github.com/in-toto/attestation v1.1.0 h1:oRWzfmZPDSctChD0VaQV7MJrywKOzyNrtpENQFq//2Q=
+github.com/in-toto/attestation v1.1.0/go.mod h1:DB59ytd3z7cIHgXxwpSX2SABrU6WJUKg/grpdgHVgVs=
 github.com/in-toto/in-toto-golang v0.9.0 h1:tHny7ac4KgtsfrG6ybU8gVOZux2H8jN05AXJ9EBM1XU=
 github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3lUTQd+eF9HdeMo=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
@@ -1471,8 +1473,8 @@ github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8=
 github.com/sigstore/rekor v1.3.6/go.mod h1:JDTSNNMdQ/PxdsS49DJkJ+pRJCO/83nbR5p3aZQteXc=
 github.com/sigstore/sigstore v1.8.8 h1:B6ZQPBKK7Z7tO3bjLNnlCMG+H66tO4E/+qAphX8T/hg=
 github.com/sigstore/sigstore v1.8.8/go.mod h1:GW0GgJSCTBJY3fUOuGDHeFWcD++c4G8Y9K015pwcpDI=
-github.com/sigstore/sigstore-go v0.5.1 h1:5IhKvtjlQBeLnjKkzMELNG4tIBf+xXQkDzhLV77+/8Y=
-github.com/sigstore/sigstore-go v0.5.1/go.mod h1:TuOfV7THHqiDaUHuJ5+QN23RP/YoKmsbwJpY+aaYPN0=
+github.com/sigstore/sigstore-go v0.6.1-0.20240821212051-2198ac32dd94 h1:MoT4su5n2fVgwoXWPpXeHCvtY48BkxcONsySq1rHMiw=
+github.com/sigstore/sigstore-go v0.6.1-0.20240821212051-2198ac32dd94/go.mod h1:+RyopI/FJDE6z5WVs2sQ2nkc+zsxxByDmbp8a4HoxbA=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.8 h1:2zHmUvaYCwV6LVeTo+OAkTm8ykOGzA9uFlAjwDPAUWM=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.8/go.mod h1:OEhheBplZinUsm7W9BupafztVZV3ldkAxEHbpAeC0Pk=
 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.8 h1:RKk4Z+qMaLORUdT7zntwMqKiYAej1VQlCswg0S7xNSY=