From f5b48cba319638457036132289711a0631ce0c80 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 7 Mar 2024 17:51:04 +0200
Subject: [PATCH 01/12] chore(deps): bump github.com/sigstore/sigstore from 1.8.1 to 1.8.2 (#614)
Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.8.1 to 1.8.2.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2)
---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 6 +++---
 go.sum | 12 ++++++------
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/go.mod b/go.mod
index 0a70d07b..5d30437b 100644
--- a/go.mod
+++ b/go.mod
@@ -5,17 +5,17 @@ go 1.21
 require (
 github.com/go-logr/stdr v1.2.2
 github.com/secure-systems-lab/go-securesystemslib v0.8.0
- github.com/sigstore/sigstore v1.8.1
+ github.com/sigstore/sigstore v1.8.2
 github.com/sirupsen/logrus v1.9.3
 github.com/spf13/cobra v1.8.0
 github.com/stretchr/testify v1.8.4
- golang.org/x/crypto v0.19.0
+ golang.org/x/crypto v0.20.0
 )
 require (
 github.com/davecgh/go-spew v1.1.1 // indirect
 github.com/go-logr/logr v1.3.0 // indirect
- github.com/google/go-containerregistry v0.17.0 // indirect
+ github.com/google/go-containerregistry v0.19.0 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
 github.com/kr/pretty v0.3.1 // indirect
 github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e // indirect
diff --git a/go.sum b/go.sum
index 9f973b23..65ed3713 100644
--- a/go.sum
+++ b/go.sum
@@ -18,8 +18,8 @@ github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-containerregistry v0.17.0 h1:5p+zYs/R4VGHkhyvgWurWrpJ2hW4Vv9fQI+GzdcwXLk=
-github.com/google/go-containerregistry v0.17.0/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ=
+github.com/google/go-containerregistry v0.19.0 h1:uIsMRBV7m/HDkDxE/nXMnv1q+lOOSPlQ/ywc5JbB8Ic=
+github.com/google/go-containerregistry v0.19.0/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jmhodges/clock v1.2.0 h1:eq4kys+NI0PLngzaHEe7AmPT90XMGIEySD1JfV1PDIs=
@@ -50,8 +50,8 @@ github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/f
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbmfHkLguCE9laoZCUzEEpIZXA=
 github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU=
-github.com/sigstore/sigstore v1.8.1 h1:mAVposMb14oplk2h/bayPmIVdzbq2IhCgy4g6R0ZSjo=
-github.com/sigstore/sigstore v1.8.1/go.mod h1:02SL1158BSj15bZyOFz7m+/nJzLZfFd9A8ab3Kz7w/E=
+github.com/sigstore/sigstore v1.8.2 h1:0Ttjcn3V0fVQXlYq7+oHaaHkGFIt3ywm7SF4JTU/l8c=
+github.com/sigstore/sigstore v1.8.2/go.mod h1:CHVcSyknCcjI4K2ZhS1SI28r0tcQyBlwtALG536x1DY=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
@@ -68,8 +68,8 @@ go.opentelemetry.io/otel v1.15.0 h1:NIl24d4eiLJPM0vKn4HjLYM+UZf6gSfi9Z+NmCxkWbk=
 go.opentelemetry.io/otel v1.15.0/go.mod h1:qfwLEbWhLPk5gyWrne4XnF0lC8wtywbuJbgfAE3zbek=
 go.opentelemetry.io/otel/trace v1.15.0 h1:5Fwje4O2ooOxkfyqI/kJwxWotggDLix4BSAvpE1wlpo=
 go.opentelemetry.io/otel/trace v1.15.0/go.mod h1:CUsmE2Ht1CRkvE8OsMESvraoZrrcgD1J2W8GV1ev0Y4=
-golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
-golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.20.0 h1:jmAMJJZXr5KiCw05dfYK9QnqaqKLYXijU23lsEdcQqg=
+golang.org/x/crypto v0.20.0/go.mod h1:Xwo95rrVNIoSMx9wa1JroENMToLWn3RNVrTBpLHgZPQ=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
From a3bb0f94403e0718684af8d6ac158e8badaa544f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 7 Mar 2024 18:03:35 +0200
Subject: [PATCH 02/12] chore(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (#615)
Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.4 to 1.9.0.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](https://github.com/stretchr/testify/compare/v1.8.4...v1.9.0)
---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 5d30437b..46ad31c9 100644
--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
 github.com/sigstore/sigstore v1.8.2
 github.com/sirupsen/logrus v1.9.3
 github.com/spf13/cobra v1.8.0
- github.com/stretchr/testify v1.8.4
+ github.com/stretchr/testify v1.9.0
 golang.org/x/crypto v0.20.0
 )
diff --git a/go.sum b/go.sum
index 65ed3713..fb1010f5 100644
--- a/go.sum
+++ b/go.sum
@@ -60,8 +60,8 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
 go.opentelemetry.io/otel v1.15.0 h1:NIl24d4eiLJPM0vKn4HjLYM+UZf6gSfi9Z+NmCxkWbk=
From 14cf07390179b12109657b4ce16ad1324f7ec106 Mon Sep 17 00:00:00 2001
From: Marvin Drees
Date: Thu, 7 Mar 2024 17:13:15 +0100
Subject: [PATCH 03/12] chore(deps): use stdlib ed25519 instead of x (#620)
* chore(deps): use stdlib ed25519 instead of x
Signed-off-by: Marvin Drees
* Update go.mod
Signed-off-by: Radoslav Dimitrov
---------
Signed-off-by: Marvin Drees
Signed-off-by: Radoslav Dimitrov
Co-authored-by: Radoslav Dimitrov
---
 examples/multirepo/repository/generate_metadata.go | 2 +-
 examples/repository/basic_repository.go | 2 +-
 go.mod | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/examples/multirepo/repository/generate_metadata.go b/examples/multirepo/repository/generate_metadata.go
index d6c886ed..bc329ed9 100644
--- a/examples/multirepo/repository/generate_metadata.go
+++ b/examples/multirepo/repository/generate_metadata.go
@@ -19,6 +19,7 @@ package main
 import (
 "crypto"
+ "crypto/ed25519"
 "fmt"
 "os"
 "path/filepath"
@@ -28,7 +29,6 @@ import (
 "github.com/sigstore/sigstore/pkg/signature"
 "github.com/theupdateframework/go-tuf/v2/metadata"
 "github.com/theupdateframework/go-tuf/v2/metadata/repository"
- "golang.org/x/crypto/ed25519"
 )
 func main() {
diff --git a/examples/repository/basic_repository.go b/examples/repository/basic_repository.go
index e41ebaaa..459d4bb1 100644
--- a/examples/repository/basic_repository.go
+++ b/examples/repository/basic_repository.go
@@ -20,6 +20,7 @@ package main
 import (
 "crypto"
 "crypto/ecdsa"
+ "crypto/ed25519"
 "crypto/elliptic"
 "crypto/rand"
 "crypto/rsa"
@@ -31,7 +32,6 @@ import (
 "github.com/sigstore/sigstore/pkg/signature"
 "github.com/theupdateframework/go-tuf/v2/metadata"
 "github.com/theupdateframework/go-tuf/v2/metadata/repository"
- "golang.org/x/crypto/ed25519"
 )
 // A TUF repository example using the low-level TUF Metadata API.
diff --git a/go.mod b/go.mod
index 46ad31c9..5a09b04a 100644
--- a/go.mod
+++ b/go.mod
@@ -9,7 +9,6 @@ require (
 github.com/sirupsen/logrus v1.9.3
 github.com/spf13/cobra v1.8.0
 github.com/stretchr/testify v1.9.0
- golang.org/x/crypto v0.20.0
 )
 require (
@@ -23,6 +22,7 @@ require (
 github.com/pmezard/go-difflib v1.0.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
+ golang.org/x/crypto v0.20.0 // indirect
 golang.org/x/sys v0.17.0 // indirect
 golang.org/x/term v0.17.0 // indirect
 google.golang.org/grpc v1.56.3 // indirect
From 3b45acecec934bd21b6a98edde8a370ff8b3af91 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 7 Mar 2024 18:18:59 +0200
Subject: [PATCH 04/12] chore(deps): bump golang.org/x/crypto from 0.20.0 to 0.21.0 (#621)
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.20.0 to 0.21.0.
- [Commits](https://github.com/golang/crypto/compare/v0.20.0...v0.21.0)
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 6 +++---
 go.sum | 12 ++++++------
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/go.mod b/go.mod
index 5a09b04a..0609b494 100644
--- a/go.mod
+++ b/go.mod
@@ -22,9 +22,9 @@ require (
 github.com/pmezard/go-difflib v1.0.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
- golang.org/x/crypto v0.20.0 // indirect
- golang.org/x/sys v0.17.0 // indirect
- golang.org/x/term v0.17.0 // indirect
+ golang.org/x/crypto v0.21.0 // indirect
+ golang.org/x/sys v0.18.0 // indirect
+ golang.org/x/term v0.18.0 // indirect
 google.golang.org/grpc v1.56.3 // indirect
 gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/go.sum b/go.sum
index fb1010f5..5e520dee 100644
--- a/go.sum
+++ b/go.sum
@@ -68,13 +68,13 @@ go.opentelemetry.io/otel v1.15.0 h1:NIl24d4eiLJPM0vKn4HjLYM+UZf6gSfi9Z+NmCxkWbk=
 go.opentelemetry.io/otel v1.15.0/go.mod h1:qfwLEbWhLPk5gyWrne4XnF0lC8wtywbuJbgfAE3zbek=
 go.opentelemetry.io/otel/trace v1.15.0 h1:5Fwje4O2ooOxkfyqI/kJwxWotggDLix4BSAvpE1wlpo=
 go.opentelemetry.io/otel/trace v1.15.0/go.mod h1:CUsmE2Ht1CRkvE8OsMESvraoZrrcgD1J2W8GV1ev0Y4=
-golang.org/x/crypto v0.20.0 h1:jmAMJJZXr5KiCw05dfYK9QnqaqKLYXijU23lsEdcQqg=
-golang.org/x/crypto v0.20.0/go.mod h1:Xwo95rrVNIoSMx9wa1JroENMToLWn3RNVrTBpLHgZPQ=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
-golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U=
-golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
+golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg18WzOa7djJ+Ha5DzthMyZYQfEn2A=
 google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU=
 google.golang.org/grpc v1.56.3 h1:8I4C0Yq1EjstUzUJzpcRVbuYA2mODtEmpWiQoN/b2nc=
From 064b4f6772f774f68812805ce276d95f50509465 Mon Sep 17 00:00:00 2001
From: Marvin Drees
Date: Thu, 7 Mar 2024 17:22:51 +0100
Subject: [PATCH 05/12] chore(ci): bump action hashes (#618)
This bumps all versions of the thirdparty GitHub actions used.
Signed-off-by: Marvin Drees
Co-authored-by: Radoslav Dimitrov
---
 .github/workflows/codeql-analysis.yml | 13 +++++++-----
 .github/workflows/examples.yml | 30 ++++++++++++++++++---------
 .github/workflows/linting.yml | 9 ++++----
 .github/workflows/tests.yml | 6 +++---
 4 files changed, 36 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 9ad8eca6..5eeaeed4 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -37,14 +37,17 @@ jobs:
 # Learn more about CodeQL language support at https://git.io/codeql-language-support
 steps:
- - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
- - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
+ - name: Checkout code
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Setup - Go
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
 with:
 go-version-file: 'go.mod'
 cache: true
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@74483a38d39275f33fcff5f35b679b5ca4a26a99
+ uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea # 3.24.5
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -55,7 +58,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
- uses: github/codeql-action/autobuild@74483a38d39275f33fcff5f35b679b5ca4a26a99
+ uses: github/codeql-action/autobuild@47b3d888fe66b639e431abf22ebca059152f1eea # 3.24.5
 # ℹī¸ Command-line programs to run using the OS shell.
 # 📚 https://git.io/JvXDl
@@ -69,4 +72,4 @@ jobs:
 # make release
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@74483a38d39275f33fcff5f35b679b5ca4a26a99
+ uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea # 3.24.5
diff --git a/.github/workflows/examples.yml b/.github/workflows/examples.yml
index 72cd5546..58c323c2 100644
--- a/.github/workflows/examples.yml
+++ b/.github/workflows/examples.yml
@@ -28,12 +28,14 @@ jobs:
 runs-on: ${{ matrix.os }}
 steps:
 - name: Checkout code
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
 - name: Setup - Go
- uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
 with:
 go-version-file: 'go.mod'
 cache: true
+
 - run: make example-client
 repository:
@@ -44,12 +46,14 @@ jobs:
 runs-on: ${{ matrix.os }}
 steps:
 - name: Checkout code
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
 - name: Setup - Go
- uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
 with:
 go-version-file: 'go.mod'
 cache: true
+
 - run: make example-repository
 multirepo:
@@ -60,12 +64,14 @@ jobs:
 runs-on: ${{ matrix.os }}
 steps:
 - name: Checkout code
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
 - name: Setup - Go
- uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
 with:
 go-version-file: 'go.mod'
 cache: true
+
 - run: make example-multirepo
 tuf-client-cli:
@@ -76,12 +82,14 @@ jobs:
 runs-on: ${{ matrix.os }}
 steps:
 - name: Checkout code
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
 - name: Setup - Go
- uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
 with:
 go-version-file: 'go.mod'
 cache: true
+
 - run: make example-tuf-client-cli
 root-signing:
@@ -92,10 +100,12 @@ jobs:
 runs-on: ${{ matrix.os }}
 steps:
 - name: Checkout code
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
 - name: Setup - Go
- uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
 with:
 go-version-file: 'go.mod'
 cache: true
+
 - run: make example-root-signing
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index 77fd731d..fede85f4 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -23,25 +23,26 @@ jobs:
 name: govulncheck
 steps:
 - id: govulncheck
- uses: golang/govulncheck-action@7da72f730e37eeaad891fcff0a532d27ed737cd4
+ uses: golang/govulncheck-action@3a32958c2706f7048305d5a2e53633d7e37e97d0
 with:
 go-version-file: 'go.mod'
 go-package: ./...
+
 golangci:
 name: golangci-lint
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Setup - Go
- uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
 with:
 go-version-file: 'go.mod'
 cache: true
 - name: Run golangci-lint
- uses: golangci/golangci-lint-action@v3
+ uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0
 with:
 # Require: The version of golangci-lint to use.
 # When `install-mode` is `binary` (default) the value can be v1.2 or v1.2.3 or `latest` to use the latest version.
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index af62e2f3..23fb9365 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -30,10 +30,10 @@ jobs:
 run: git config --global core.autocrlf false
 - name: Checkout code
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Setup - Go
- uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
 with:
 go-version-file: 'go.mod'
 cache: true
@@ -42,4 +42,4 @@ jobs:
 run: go test -race -covermode=atomic -coverpkg=./metadata/... -coverprofile=coverage.out ./...
 - name: Send coverage
- uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d
+ uses: codecov/codecov-action@54bcd8715eee62d40e33596ef5e8f0f48dbbccab # v4.1.0
From 25c2a57136ccdaaa0cb1aff1a1ff15950586c8bd Mon Sep 17 00:00:00 2001
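Review bot: The `golang/govulncheck-action@3a32958c2706f7048305d5a2e53633d7e37e97d0` pin in linting.yml is the only SHA in this commit without a trailing version comment, so a reader of the workflow (and Dependabot, which keys on that comment) cannot tell which release it corresponds to; `uses: golang/govulncheck-action@3a32958c2706f7048305d5a2e53633d7e37e97d0 # <release tag>` would match the other steps. The codeql-action pins are annotated `# 3.24.5` while every other comment uses the tag spelling with a `v` prefix (`# v4.1.1`, `# v5.0.0`); using the published tag name in all of them keeps the annotations uniform for anyone checking a pin against a release.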
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 8 Mar 2024 10:25:26 +0200
Subject: [PATCH 06/12] chore(deps): bump gopkg.in/go-jose/go-jose.v2 from 2.6.1 to 2.6.3 (#622)
Bumps gopkg.in/go-jose/go-jose.v2 from 2.6.1 to 2.6.3.
---
updated-dependencies:
- dependency-name: gopkg.in/go-jose/go-jose.v2
dependency-type: indirect
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 0609b494..d79849fd 100644
--- a/go.mod
+++ b/go.mod
@@ -26,6 +26,6 @@ require (
 golang.org/x/sys v0.18.0 // indirect
 golang.org/x/term v0.18.0 // indirect
 google.golang.org/grpc v1.56.3 // indirect
- gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect
+ gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
index 5e520dee..61477a4b 100644
--- a/go.sum
+++ b/go.sum
@@ -84,8 +84,8 @@ google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqw
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/go-jose/go-jose.v2 v2.6.1 h1:qEzJlIDmG9q5VO0M/o8tGS65QMHMS1w01TQJB1VPJ4U=
-gopkg.in/go-jose/go-jose.v2 v2.6.1/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
+gopkg.in/go-jose/go-jose.v2 v2.6.3 h1:nt80fvSDlhKWQgSWyHyy5CfmlQr+asih51R8PTWNKKs=
+gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
From 254decf23d9838c868ab5d0872cf30ef4fc68905 Mon Sep 17 00:00:00 2001
From: Marvin Drees
Date: Fri, 8 Mar 2024 09:46:12 +0100
Subject: [PATCH 07/12] Silence govulncheck (#619)
fix: ignore govulncheck hits
This change should always allow the step to pass even on error. As the issue are often times fixed in stdlib, we'd have to bump our go.mod to a certain patch level which is undesirable. Otherwise having this check fail will always mark the CI pipeline as failed.
Signed-off-by: Marvin Drees
Co-authored-by: Radoslav Dimitrov
---
 .github/workflows/linting.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index fede85f4..932a9d5d 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -24,6 +24,7 @@ jobs:
 steps:
 - id: govulncheck
 uses: golang/govulncheck-action@3a32958c2706f7048305d5a2e53633d7e37e97d0
+ continue-on-error: true
 with:
 go-version-file: 'go.mod'
 go-package: ./...
From c893debc5c0bc79a42b2a17d4502c13043d2046a Mon Sep 17 00:00:00 2001
From: Marvin Drees
Date: Fri, 8 Mar 2024 16:01:46 +0100
Subject: [PATCH 08/12] feat: replace logrus in sim with slog (#617)
This removes another thirdparty dependecy without sacrificing any functionality.
Signed-off-by: Marvin Drees
---
 go.mod | 1 -
 go.sum | 7 --
 .../simulator/repository_simulator.go | 112 +++++++++---------
 .../simulator/repository_simulator_setup.go | 38 +++---
 .../updater/updater_top_level_update_test.go | 21 ++--
 5 files changed, 89 insertions(+), 90 deletions(-)
diff --git a/go.mod b/go.mod
index d79849fd..ba4c5d72 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,6 @@ require (
 github.com/go-logr/stdr v1.2.2
 github.com/secure-systems-lab/go-securesystemslib v0.8.0
 github.com/sigstore/sigstore v1.8.2
- github.com/sirupsen/logrus v1.9.3
 github.com/spf13/cobra v1.8.0
 github.com/stretchr/testify v1.9.0
 )
diff --git a/go.sum b/go.sum
index 61477a4b..bb0137c4 100644
--- a/go.sum
+++ b/go.sum
@@ -4,7 +4,6 @@ github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
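Review bot: `continue-on-error: true` makes the govulncheck step pass no matter what it reports, so a finding in a direct dependency is hidden exactly like the stdlib findings the commit message wants to tolerate, and the result is only visible to someone who opens the job log. If the goal is to stop stdlib-only failures, scanning with a newer toolchain than the go.mod minimum removes those without muting the step; the action forwards a `check-latest` input to setup-go if I read its inputs right, which is worth confirming for the pinned revision. Failing that, a follow-up step that reads `steps.govulncheck.outcome` and emits a warning annotation would at least surface failures in the run summary — the `id: govulncheck` is already there but nothing consumes it.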
@@ -52,14 +51,10 @@ github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbm
 github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU=
 github.com/sigstore/sigstore v1.8.2 h1:0Ttjcn3V0fVQXlYq7+oHaaHkGFIt3ywm7SF4JTU/l8c=
 github.com/sigstore/sigstore v1.8.2/go.mod h1:CHVcSyknCcjI4K2ZhS1SI28r0tcQyBlwtALG536x1DY=
-github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
-github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
 github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=
@@ -70,7 +65,6 @@ go.opentelemetry.io/otel/trace v1.15.0 h1:5Fwje4O2ooOxkfyqI/kJwxWotggDLix4BSAvpE
 go.opentelemetry.io/otel/trace v1.15.0/go.mod h1:CUsmE2Ht1CRkvE8OsMESvraoZrrcgD1J2W8GV1ev0Y4=
 golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
-golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
@@ -86,6 +80,5 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntN
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/go-jose/go-jose.v2 v2.6.3 h1:nt80fvSDlhKWQgSWyHyy5CfmlQr+asih51R8PTWNKKs=
 gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/internal/testutils/simulator/repository_simulator.go b/internal/testutils/simulator/repository_simulator.go
index 76654e5e..535e0a3d 100644
--- a/internal/testutils/simulator/repository_simulator.go
+++ b/internal/testutils/simulator/repository_simulator.go
@@ -55,6 +55,7 @@ import (
 "crypto/ed25519"
 "crypto/sha256"
 "fmt"
+ "log/slog"
 "net/url"
 "os"
 "path/filepath"
@@ -64,7 +65,6 @@ import (
 "time"
 "github.com/sigstore/sigstore/pkg/signature"
- log "github.com/sirupsen/logrus"
 "github.com/theupdateframework/go-tuf/v2/metadata"
 "github.com/theupdateframework/go-tuf/v2/metadata/fetcher"
 )
@@ -165,12 +165,12 @@ func (rs *RepositorySimulator) setupMinimalValidRepository() {
 mtdkey, err := metadata.KeyFromPublicKey(*publicKey)
 if err != nil {
- log.Fatalf("repository simulator: key conversion failed while setting repository: %v", err)
+ slog.Error("Repository simulator: key conversion failed while setting repository", "err", err)
+ os.Exit(1)
 }
- err = rs.MDRoot.Signed.AddKey(mtdkey, role)
- if err != nil {
- log.Debugf("repository simulator: failed to add key: %v", err)
+ if err = rs.MDRoot.Signed.AddKey(mtdkey, role); err != nil {
+ slog.Error("Repository simulator: failed to add key", "err", err)
 }
 rs.AddSigner(role, mtdkey.ID(), *signer)
 }
@@ -215,13 +215,14 @@ func (rs *RepositorySimulator) AllTargets() <-chan metadata.TargetsType {
 func CreateKey() (*ed25519.PublicKey, *ed25519.PrivateKey, *signature.Signer) {
 public, private, err := ed25519.GenerateKey(nil)
 if err != nil {
- log.Printf("failed to generate key: %v", err)
+ slog.Error("Failed to generate key", "err", err)
 }
 signer, err := signature.LoadSigner(private, crypto.Hash(0))
 if err != nil {
- log.Printf("failed to load signer: %v", err)
+ slog.Error("failed to load signer", "err", err)
 }
+
 return &public, &private, &signer
 }
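Review bot: `os.Exit(1)` after `slog.Error` in setupMinimalValidRepository terminates the whole test binary from inside a test-support package (`internal/testutils/simulator`): deferred cleanups and `t.Cleanup` callbacks never run and `go test` reports only `exit status 1` without naming the test; the same pattern is introduced in RotateKeys (next hunk) and in AddTarget and AddDelegation further down, where the previous `log.Panicf` was a recoverable panic and is now a hard exit. A `panic(fmt.Sprintf("repository simulator: key conversion failed while setting repository: %v", err))` keeps the abort while giving the runner a stack trace, or the helpers could return the error to the caller. In the CreateKey hunk, `slog.Error("failed to load signer", "err", err)` is the one new message not capitalised like the rest; `slog.Error("Failed to load signer", "err", err)` would match. CreateKey also continues past a failed `GenerateKey` into `LoadSigner` with a nil key, which is pre-existing but now produces two Error lines for one fault.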
@@ -238,16 +239,16 @@ func (rs *RepositorySimulator) RotateKeys(role string) {
 for k := range rs.Signers[role] {
 delete(rs.Signers[role], k)
 }
- for i := 0; i < rs.MDRoot.Signed.Roles[role].Threshold; i++ {
+ for i := 0; i < rs.MDRoot.Signed.Roles[role].Threshold; i++ {
 publicKey, _, signer := CreateKey()
 mtdkey, err := metadata.KeyFromPublicKey(*publicKey)
 if err != nil {
- log.Fatalf("repository simulator: key conversion failed while rotating keys: %v", err)
+ slog.Error("Repository simulator: key conversion failed while rotating keys", "err", err)
+ os.Exit(1)
 }
- err = rs.MDRoot.Signed.AddKey(mtdkey, role)
- if err != nil {
- log.Debugf("repository simulator: failed to add key: %v", err)
+ if err = rs.MDRoot.Signed.AddKey(mtdkey, role); err != nil {
+ slog.Error("Repository simulator: failed to add key", "err", err)
 }
 rs.AddSigner(role, mtdkey.ID(), *signer)
 }
@@ -257,18 +258,18 @@ func (rs *RepositorySimulator) RotateKeys(role string) {
 func (rs *RepositorySimulator) PublishRoot() {
 rs.MDRoot.ClearSignatures()
 for _, signer := range rs.Signers[metadata.ROOT] {
- _, err := rs.MDRoot.Sign(*signer)
- if err != nil {
- log.Debugf("repository simulator: failed to sign root: %v", err)
+ if _, err := rs.MDRoot.Sign(*signer); err != nil {
+ slog.Error("Repository simulator: failed to sign root", "err", err)
 }
 }
 mtd, err := rs.MDRoot.MarshalJSON()
 if err != nil {
- log.Debugf("failed to marshal metadata while publishing root: %v", err)
+ slog.Error("Failed to marshal metadata while publishing root", "err", err)
 }
 rs.SignedRoots = append(rs.SignedRoots, mtd)
- log.Debugf("published root v%d", rs.MDRoot.Signed.Version)
+
+ slog.Info("Published root", "version", rs.MDRoot.Signed.Version)
 }
 func lastIndex(str string, delimiter string) (string, string, string) {
@@ -344,7 +345,6 @@ func hasSuffix(path, prefix string) bool {
 }
 func (rs *RepositorySimulator) fetch(urlPath string) ([]byte, error) {
-
 path, err := trimPrefix(urlPath, rs.LocalDir)
 if err != nil {
 return nil, err
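Review bot: In PublishRoot the sign and marshal failures are now logged at Error level while the function carries on and appends the possibly unsigned or empty root to `rs.SignedRoots`, so an Error line no longer tells a reader that anything was aborted; the previous `log.Debugf` at least matched the best-effort control flow. The same Debug-to-Error promotion with unchanged flow applies to the `AddKey` branches in this and the preceding hunk and, from the diffstat, presumably to the later signMetadata and computeHashesAndLength hunks. Either make the failure real (return it, or fail the test) or log at `slog.Warn`, e.g. `slog.Warn("Repository simulator: failed to sign root", "err", err)`, so that Error output in a test run means an actual abort. The `for i := 0; ...` line in RotateKeys appears to change only whitespace; PublishRoot is entirely within the hunk.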
@@ -358,7 +358,7 @@ func (rs *RepositorySimulator) fetch(urlPath string) ([]byte, error) {
 if role == metadata.ROOT || (rs.MDRoot.Signed.ConsistentSnapshot && verAndName != metadata.TIMESTAMP) {
 version, err = strconv.Atoi(versionStr)
 if err != nil {
- log.Printf("repository simulator: downloading file: failed to convert version: %v", err)
+ slog.Error("Repository simulator: downloading file: failed to convert version", "err", err)
 }
 } else {
 role = verAndName
@@ -377,7 +377,7 @@ func (rs *RepositorySimulator) fetch(urlPath string) ([]byte, error) {
 targetPath = filepath.Join(dirParts, sep, filename)
 target, err := rs.FetchTarget(targetPath, prefix)
 if err != nil {
- log.Printf("failed to fetch target: %v", err)
+ slog.Error("Failed to fetch target", "err", err)
 }
 return target, err
 }
@@ -392,10 +392,12 @@ func (rs *RepositorySimulator) FetchTarget(targetPath string, targetHash string)
 if !ok {
 return nil, fmt.Errorf("no target %s", targetPath)
 }
+
 if targetHash != "" && !contains(repoTarget.TargetFile.Hashes, []byte(targetHash)) {
 return nil, fmt.Errorf("hash mismatch for %s", targetPath)
 }
- log.Printf("fetched target %s", targetPath)
+
+ slog.Info("Fetched target", "path", targetPath)
 return repoTarget.Data, nil
 }
@@ -417,10 +419,10 @@ func (rs *RepositorySimulator) FetchMetadata(role string, version *int) ([]byte,
 if role == metadata.ROOT {
 // Return a version previously serialized in PublishRoot()
 if version == nil || *version > len(rs.SignedRoots) && *version > 0 {
- log.Printf("unknown root version %d", *version)
+ slog.Error("Unknown root version", "version", *version)
 return []byte{}, &metadata.ErrDownloadHTTP{StatusCode: 404}
 }
- log.Printf("fetched root version %d", version)
+ slog.Info("Fetched root", "version", version)
 return rs.SignedRoots[*version-1], nil
 }
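Review bot: `slog.Info("Fetched root", "version", version)` in the FetchMetadata hunk logs the `*int` pointer rather than the root version, so the line shows an address; the old `%d` with a pointer was already broken and the rewrite keeps it, whereas `"version", *version` is safe at that point because the nil case has already returned. Two lines earlier, `slog.Error("Unknown root version", "version", *version)` dereferences `version` on the `version == nil` branch of that same condition and will panic instead of returning the 404 — the nil check predates this commit, but the rewritten log line is where it has to be fixed. Note also that `a || b && c` binds as `a || (b && c)`, so a non-positive version is not rejected and reaches `rs.SignedRoots[*version-1]`; I cannot see from the hunk whether any caller passes one for ROOT, so the rewrite below keeps that condition as is. FetchMetadata continues outside the hunk.
```go
	if role == metadata.ROOT {
		// Return a version previously serialized in PublishRoot()
		if version == nil {
			slog.Error("Unknown root version", "version", "nil")
			return []byte{}, &metadata.ErrDownloadHTTP{StatusCode: 404}
		}
		if *version > len(rs.SignedRoots) && *version > 0 {
			slog.Error("Unknown root version", "version", *version)
			return []byte{}, &metadata.ErrDownloadHTTP{StatusCode: 404}
		}
		slog.Info("Fetched root", "version", *version)
		return rs.SignedRoots[*version-1], nil
	}
```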
@@ -434,7 +436,7 @@ func (rs *RepositorySimulator) FetchMetadata(role string, version *int) ([]byte, } else { md, ok := rs.MDDelegates[role] if !ok { - log.Printf("unknown role %s", role) + slog.Error("Unknown role", "role", role) return []byte{}, &metadata.ErrDownloadHTTP{StatusCode: 404} } return signMetadata(role, &md, rs) @@ -446,16 +448,15 @@ func signMetadata[T metadata.Roles](role string, md *metadata.Metadata[T], rs *R for _, signer := range rs.Signers[role] { // TODO: check if a bool argument should be added to Sign as in python-tuf // Not appending only for a local repo example !!! missing type for signers - _, err := md.Sign(*signer) - if err != nil { - log.Debugf("repository simulator: failed to sign metadata: %v", err) + if _, err := md.Sign(*signer); err != nil { + slog.Error("Repository simulator: failed to sign metadata", "err", err) } } // TODO: test if the version is the correct one // log.Printf("fetched %s v%d with %d sigs", role, md.GetVersion(), len(rs.Signers[role])) mtd, err := md.MarshalJSON() if err != nil { - log.Printf("failed to marshal metadata while signing for role %s: %v", role, err) + slog.Error("Failed to marshal metadata while signing for role", "role", role, "err", err) } return mtd, err } @@ -464,7 +465,7 @@ func (rs *RepositorySimulator) computeHashesAndLength(role string) (map[string]m noVersion := -1 data, err := rs.FetchMetadata(role, &noVersion) if err != nil { - log.Debugf("failed to fetch metadata: %v", err) + slog.Error("Failed to fetch metadata", "err", err) } digest := sha256.Sum256(data) hashes := map[string]metadata.HexBytes{"sha256": digest[:]} 
@@ -522,7 +523,8 @@ func (rs *RepositorySimulator) AddTarget(role string, data []byte, path string) targets := rs.getDelegator(role) target, err := metadata.TargetFile().FromBytes(path, data, "sha256") if err != nil { - log.Panicf("failed to add target from %s: %v", path, err) + slog.Error("Failed to add target", "path", path, "err", err) + os.Exit(1) } targets.Targets[path] = target rs.TargetFiles[path] = RepositoryTarget{ @@ -535,7 +537,8 @@ func (rs *RepositorySimulator) AddTarget(role string, data []byte, path string) func (rs *RepositorySimulator) AddDelegation(delegatorName string, role metadata.DelegatedRole, targets metadata.TargetsType) { delegator := rs.getDelegator(delegatorName) if delegator.Delegations != nil && delegator.Delegations.SuccinctRoles != nil { - log.Fatalln("can't add a role when SuccinctRoles is used") + slog.Error("Can't add a role when SuccinctRoles is used") + os.Exit(1) } // Create delegation if delegator.Delegations == nil { @@ -551,11 +554,11 @@ func (rs *RepositorySimulator) AddDelegation(delegatorName string, role metadata publicKey, _, signer := CreateKey() mdkey, err := metadata.KeyFromPublicKey(*publicKey) if err != nil { - log.Fatalf("repository simulator: key conversion failed while adding delegation: %v", err) + slog.Error("Repository simulator: key conversion failed while adding delegation", "err", err) + os.Exit(1) } - err = delegator.AddKey(mdkey, role.Name) - if err != nil { - log.Debugf("repository simulator: failed to add key: %v", err) + if err = delegator.AddKey(mdkey, role.Name); err != nil { + slog.Error("Repository simulator: failed to add key", "err", err) } rs.AddSigner(role.Name, mdkey.ID(), *signer) if _, ok := rs.MDDelegates[role.Name]; !ok { 
@@ -573,12 +576,14 @@ func (rs *RepositorySimulator) AddDelegation(delegatorName string, role metadata func (rs *RepositorySimulator) AddSuccinctRoles(delegatorName string, bitLength int, namePrefix string) { delegator := rs.getDelegator(delegatorName) if delegator.Delegations != nil && delegator.Delegations.Roles != nil { - log.Fatalln("can't add a SuccinctRoles when delegated roles are used") + slog.Error("Can't add a SuccinctRoles when delegated roles are used") + os.Exit(1) } publicKey, _, signer := CreateKey() mdkey, err := metadata.KeyFromPublicKey(*publicKey) if err != nil { - log.Fatalf("repository simulator: key conversion failed while adding succinct roles: %v", err) + slog.Error("Repository simulator: key conversion failed while adding succinct roles", "err", err) + os.Exit(1) } succinctRoles := &metadata.SuccinctRoles{ KeyIDs: []string{}, @@ -596,9 +601,8 @@ func (rs *RepositorySimulator) AddSuccinctRoles(delegatorName string, bitLength } rs.AddSigner(delegatedName, mdkey.ID(), *signer) } - err = delegator.AddKey(mdkey, metadata.TARGETS) - if err != nil { - log.Debugf("repository simulator: failed to add key: %v", err) + if err = delegator.AddKey(mdkey, metadata.TARGETS); err != nil { + slog.Error("Repository simulator: failed to add key", "err", err) } } 
@@ -609,24 +613,22 @@ func (rs *RepositorySimulator) AddSuccinctRoles(delegatorName string, bitLength func (rs *RepositorySimulator) Write() { if rs.DumpDir == "" { rs.DumpDir = os.TempDir() - log.Debugf("Repository Simulator dumps in %s\n", rs.DumpDir) + slog.Info("Repository Simulator dumps into tmp dir", "path", rs.DumpDir) } rs.DumpVersion += 1 destDir := filepath.Join(rs.DumpDir, strconv.Itoa(int(rs.DumpVersion))) - err := os.MkdirAll(destDir, os.ModePerm) - if err != nil { - log.Debugf("repository simulator: failed to create dir: %v", err) + if err := os.MkdirAll(destDir, os.ModePerm); err != nil { + slog.Error("Repository simulator: failed to create dir", "err", err) } for ver := 1; ver < len(rs.SignedRoots)+1; ver++ { f, _ := os.Create(filepath.Join(destDir, fmt.Sprintf("%d.root.json", ver))) defer f.Close() meta, err := rs.FetchMetadata(metadata.ROOT, &ver) if err != nil { - log.Debugf("failed to fetch metadata: %v", err) + slog.Error("Failed to fetch metadata", "err", err) } - _, err = f.Write(meta) - if err != nil { - log.Debugf("repository simulator: failed to write signed roots: %v", err) + if _, err = f.Write(meta); err != nil { + slog.Error("Repository simulator: failed to write signed roots", "err", err) } } noVersion := -1 @@ -635,11 +637,10 @@ func (rs *RepositorySimulator) Write() { defer f.Close() meta, err := rs.FetchMetadata(role, &noVersion) if err != nil { - log.Debugf("failed to fetch metadata: %v", err) + slog.Error("Failed to fetch metadata", "err", err) } - _, err = f.Write(meta) - if err != nil { - log.Debugf("repository simulator: failed to write signed roots: %v", err) + if _, err = f.Write(meta); err != nil { + slog.Error("Repository simulator: failed to write signed roots", "err", err) } } for role := range rs.MDDelegates { 
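Review bot: `os.MkdirAll(destDir, os.ModePerm)` creates the dump directory with mode 0777 (narrowed only by the umask), while the setup code changed in this same commit uses 0750 for its directories; the dump holds the signed metadata the tests read back, so `if err := os.MkdirAll(destDir, 0o750); err != nil {` would match and avoid a world-writable directory under a shared temp dir. In the root loop directly below, `f, _ := os.Create(...)` discards the create error and `defer f.Close()` inside the loop keeps every file open until Write returns; check the error with the same slog.Error pattern as the other calls and close the file at the end of each iteration. The `defer f.Close()` in the two following loops (the @@ -635 hunk here and the @@ -648 hunk on the next line) has the same shape.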
@@ -648,11 +649,10 @@ func (rs *RepositorySimulator) Write() { defer f.Close() meta, err := rs.FetchMetadata(role, &noVersion) if err != nil { - log.Debugf("failed to fetch metadata: %v", err) + slog.Error("Failed to fetch metadata", "err", err) } - _, err = f.Write(meta) - if err != nil { - log.Debugf("repository simulator: failed to write signed roots: %v", err) + if _, err = f.Write(meta); err != nil { + slog.Error("Repository simulator: failed to write signed roots", "err", err) } } } diff --git a/internal/testutils/simulator/repository_simulator_setup.go b/internal/testutils/simulator/repository_simulator_setup.go index 38260951..32e32e71 100644 --- a/internal/testutils/simulator/repository_simulator_setup.go +++ b/internal/testutils/simulator/repository_simulator_setup.go @@ -18,11 +18,10 @@ package simulator import ( + "log/slog" "os" "path/filepath" "time" - - log "github.com/sirupsen/logrus" ) var ( 
@@ -41,44 +40,47 @@ var ( ) func InitLocalEnv() error { - tmp := os.TempDir() tmpDir, err := os.MkdirTemp(tmp, "0750") if err != nil { - log.Fatal("failed to create temporary directory: ", err) + slog.Error("Failed to create temporary directory", "err", err) + os.Exit(1) } - err = os.Mkdir(tmpDir+metadataPath, 0750) - if err != nil { - log.Debugf("repository simulator: failed to create dir: %v", err) + if err = os.Mkdir(tmpDir+metadataPath, 0750); err != nil { + slog.Error("Repository simulator: failed to create dir", "err", err) } - err = os.Mkdir(tmpDir+targetsPath, 0750) - if err != nil { - log.Debugf("repository simulator: failed to create dir: %v", err) + + if err = os.Mkdir(tmpDir+targetsPath, 0750); err != nil { + slog.Error("Repository simulator: failed to create dir", "err", err) } + LocalDir = tmpDir + return nil } func InitMetadataDir() (*RepositorySimulator, string, string, error) { - err := InitLocalEnv() - if err != nil { - log.Fatal("failed to initialize environment: ", err) + if err := InitLocalEnv(); err != nil { + slog.Error("Failed to initialize environment", "err", err) + os.Exit(1) } + metadataDir := filepath.Join(LocalDir, metadataPath) sim := NewRepository() f, err := os.Create(filepath.Join(metadataDir, "root.json")) if err != nil { - log.Fatalf("failed to create root: %v", err) + slog.Error("Failed to create root", "err", err) + os.Exit(1) } - _, err = f.Write(sim.SignedRoots[0]) - if err != nil { - log.Debugf("repository simulator setup: failed to write signed roots: %v", err) + if _, err = f.Write(sim.SignedRoots[0]); err != nil { + slog.Error("Repository simulator setup: failed to write signed roots", "err", err) } + targetsDir := filepath.Join(LocalDir, targetsPath) sim.LocalDir = LocalDir return sim, metadataDir, targetsDir, err 
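Review bot: InitLocalEnv logs both os.Mkdir failures at Error level but still sets LocalDir and returns nil, so the `if err := InitLocalEnv(); err != nil` check in InitMetadataDir can never fire and setup continues with a missing metadata or targets directory; replace each log-only branch with `return err` (or log and then return) and set `LocalDir = tmpDir` only on the success path. In InitMetadataDir the root.json file opened with os.Create is never closed; add `defer f.Close()` after the create check. `os.MkdirTemp(tmp, "0750")` passes "0750" as the directory-name pattern, not as a permission mode, which looks like a mix-up worth confirming with the author.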
@@ -89,6 +91,6 @@ func GetRootBytes(localMetadataDir string) ([]byte, error) { } func RepositoryCleanup(tmpDir string) { - log.Printf("Cleaning temporary directory: %s\n", tmpDir) + slog.Info("Cleaning temporary directory", "dir", tmpDir) os.RemoveAll(tmpDir) } diff --git a/metadata/updater/updater_top_level_update_test.go b/metadata/updater/updater_top_level_update_test.go index a63a359b..42715fb0 100644 --- a/metadata/updater/updater_top_level_update_test.go +++ b/metadata/updater/updater_top_level_update_test.go @@ -19,13 +19,13 @@ package updater import ( "fmt" + "log/slog" "os" "path/filepath" "testing" "time" "github.com/sigstore/sigstore/pkg/signature" - log "github.com/sirupsen/logrus" "github.com/stretchr/testify/assert" "github.com/theupdateframework/go-tuf/v2/internal/testutils" @@ -40,7 +40,8 @@ func TestMain(m *testing.M) { if err != nil { simulator.RepositoryCleanup(simulator.MetadataDir) - log.Fatalf("failed to load TrustedRootMetadata: %v\n", err) + slog.Error("Failed to load TrustedRootMetadata", "err", err) + os.Exit(1) } defer simulator.RepositoryCleanup(simulator.MetadataDir) @@ -48,19 +49,21 @@ func TestMain(m *testing.M) { } func loadOrResetTrustedRootMetadata() error { + // TODO: This should be a t.Helper() function var err error simulator.Sim, simulator.MetadataDir, testutils.TargetsDir, err = simulator.InitMetadataDir() if err != nil { - log.Printf("failed to initialize metadata dir: %v", err) + slog.Error("Failed to initialize metadata dir", "err", err) return err } simulator.RootBytes, err = simulator.GetRootBytes(simulator.MetadataDir) if err != nil { - log.Printf("failed to load root bytes: %v", err) + slog.Error("Failed to load root bytes", "err", err) return err } + return nil } 
@@ -90,14 +93,15 @@ func runRefresh(updaterConfig *config.UpdaterConfig, moveInTime time.Time) (Upda updater, err := New(updaterConfig) if err != nil { - log.Debugf("failed to create new updater config: %v", err) + slog.Error("Failed to create new updater config", "err", err) return Updater{}, err } + if moveInTime != time.Now() { updater.trusted.RefTime = moveInTime } - err = updater.Refresh() - return *updater, err + + return *updater, updater.Refresh() } func initUpdater(updaterConfig *config.UpdaterConfig) *Updater { @@ -107,8 +111,9 @@ func initUpdater(updaterConfig *config.UpdaterConfig) *Updater { updater, err := New(updaterConfig) if err != nil { - log.Debugf("failed to create new updater config: %v", err) + slog.Error("Failed to create new updater config", "err", err) } + return updater } From dfa2ae12638e17fa42596aaf4fcefc4cf4cc3788 Mon Sep 17 00:00:00 2001 From: udf2457 Date: Fri, 8 Mar 2024 17:07:14 +0000 Subject: [PATCH 09/12] repository_simulator_setup.go: Use filepath.Join() instead of concatenation (#624) Update repository_simulator_setup.go Use filepath.Join() instead of concatenation Signed-off-by: udf2457 --- internal/testutils/simulator/repository_simulator_setup.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/testutils/simulator/repository_simulator_setup.go b/internal/testutils/simulator/repository_simulator_setup.go index 32e32e71..70abae98 100644 --- a/internal/testutils/simulator/repository_simulator_setup.go +++ b/internal/testutils/simulator/repository_simulator_setup.go 
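Review bot: The new `return *updater, updater.Refresh()` is fine, but the context line `if moveInTime != time.Now()` it sits under compares time.Time values with `!=`, which also compares the monotonic reading and location pointer, so it is effectively always true and RefTime is always overwritten, including with a zero time if a caller passes one. If the intent is "only when a time was supplied", `if !moveInTime.IsZero()` says that directly; otherwise use `.Equal`. This is pre-existing behaviour rather than something the commit introduces, so confirm how the test callers use moveInTime before changing it.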
@@ -48,11 +48,11 @@ func InitLocalEnv() error { os.Exit(1) } - if err = os.Mkdir(tmpDir+metadataPath, 0750); err != nil { + if err = os.Mkdir(filepath.Join(tmpDir,metadataPath), 0750); err != nil { slog.Error("Repository simulator: failed to create dir", "err", err) } - if err = os.Mkdir(tmpDir+targetsPath, 0750); err != nil { + if err = os.Mkdir(filepath.Join(tmpDir,targetsPath), 0750); err != nil { slog.Error("Repository simulator: failed to create dir", "err", err) } From 48216cfc42444c3eaa974718091986a08c8c9f44 Mon Sep 17 00:00:00 2001 From: Radoslav Dimitrov Date: Sat, 9 Mar 2024 03:42:20 +0200 Subject: [PATCH 10/12] Fixes README references from rdimitrov/go-tuf-metadata to theupdateframework/go-tuf (#626) * Update README.md Signed-off-by: Radoslav Dimitrov * Update README.md Signed-off-by: Radoslav Dimitrov --------- Signed-off-by: Radoslav Dimitrov --- README.md | 33 ++++++++++++++++++--------------- 1 file changed, 18 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index 7a3f99e5..4bea9a3c 100644 --- a/README.md +++ b/README.md 
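Review bot: `filepath.Join(tmpDir,metadataPath)` and `filepath.Join(tmpDir,targetsPath)` are missing the space after the comma, so the file is no longer gofmt-clean; write `filepath.Join(tmpDir, metadataPath)` and `filepath.Join(tmpDir, targetsPath)`. Moving from concatenation to Join also cleans any leading separator that metadataPath and targetsPath (declared outside this hunk) may carry, so their values can be checked once the rest of the file is in view.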
@@ -1,10 +1,10 @@ -![GitHub Workflow Status (with branch)](https://img.shields.io/github/actions/workflow/status/rdimitrov/go-tuf-metadata/ci.yml?branch=main) -[![codecov](https://codecov.io/github/rdimitrov/go-tuf-metadata/branch/main/graph/badge.svg?token=2ZUA68ZL13)](https://codecov.io/github/rdimitrov/go-tuf-metadata) -[![Go Reference](https://pkg.go.dev/badge/github.com/rdimitrov/go-tuf-metadata.svg)](https://pkg.go.dev/github.com/rdimitrov/go-tuf-metadata) -[![Go Report Card](https://goreportcard.com/badge/github.com/rdimitrov/go-tuf-metadata)](https://goreportcard.com/report/github.com/rdimitrov/go-tuf-metadata) +![GitHub Workflow Status (with branch)](https://img.shields.io/github/actions/workflow/status/theupdateframework/go-tuf/ci.yml?branch=master) +[![codecov](https://codecov.io/github/theupdateframework/go-tuf/branch/master/graph/badge.svg?token=2ZUA68ZL13)](https://codecov.io/github/theupdateframework/go-tuf) +[![Go Reference](https://pkg.go.dev/badge/github.com/theupdateframework/go-tuf.svg)](https://pkg.go.dev/github.com/theupdateframework/go-tuf) +[![Go Report Card](https://goreportcard.com/badge/github.com/theupdateframework/go-tuf)](https://goreportcard.com/report/github.com/theupdateframework/go-tuf) [![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) -# TUF A Framework for Securing Software Update Systems +# TUF go-tuf/v2 - Framework for Securing Software Update Systems ---------------------------- @@ -12,9 +12,6 @@ secure content delivery and updates. It protects against various types of supply chain attacks and provides resilience to compromise. -[go-tuf-metadata](https://github.com/rdimitrov/go-tuf-metadata) started from the idea of providing a Go implementation of TUF that is heavily influenced by the -design decisions made in [python-tuf](https://github.com/theupdateframework/python-tuf). - ## About The Update Framework ---------------------------- 
@@ -37,16 +34,16 @@ Please see [TUF's website](https://theupdateframework.com/) for more information ---------------------------- -The [go-tuf-metadata](https://github.com/rdimitrov/go-tuf-metadata) project provides the following functionality: +The go-tuf v2 project provides a lightweight library with the following functionality: -* creation, reading, and writing of metadata -* an easy object-oriented approach for interacting with metadata +* creation, reading, and writing of TUF metadata +* an easy object-oriented approach for interacting with TUF metadata * consistent snapshots -* signing and verifying metadata +* signing and verifying TUF metadata * ED25519, RSA, and ECDSA key types referenced by the latest TUF specification * top-level role delegation * target delegation via standard and hash bin delegations -* support of [succinct hash bin delegations](https://github.com/theupdateframework/taps/blob/master/tap15.md) which significantly reduce the size of metadata +* support of [succinct hash bin delegations](https://github.com/theupdateframework/taps/blob/master/tap15.md) which significantly reduce the size of the TUF metadata * support for unrecognized fields within the metadata (i.e. preserved and accessible through `root.Signed.UnrecognizedFields["some-unknown-field"]`, also used for verifying/signing (if included in the Signed portion of the metadata)) * TUF client API * TUF multi-repository client API (implements [TAP 4 - Multiple repository consensus on entrusted targets](https://github.com/theupdateframework/taps/blob/master/tap4.md)) 
@@ -55,6 +52,8 @@ The [go-tuf-metadata](https://github.com/rdimitrov/go-tuf-metadata) project prov ---------------------------- +There are several examples that can act as a guideline on how to use the library and its features. Some of which are: + * [basic_repository.go](examples/repository/basic_repository.go) example which demonstrates how to *manually* create and maintain repository metadata using the low-level Metadata API. @@ -114,17 +113,21 @@ and can be used to implement various TUF clients with relatively little effort. ---------------------------- -* [go-tuf-metadata documentation](https://pkg.go.dev/github.com/rdimitrov/go-tuf-metadata) +* [Documentation](https://pkg.go.dev/github.com/theupdateframework/go-tuf) * [Introduction to TUF's Design](https://theupdateframework.io/overview/) * [The TUF Specification](https://theupdateframework.github.io/specification/latest/) +## History - legacy go-tuf vs go-tuf/v2 + +The [legacy go-tuf (v0.7.0)](https://github.com/theupdateframework/go-tuf/tree/v0.7.0) codebase was difficult to maintain and prone to errors due to its initial design decisions. Now it is considered deprecated in favour of go-tuf v2 (originaly from [rdimitrov/go-tuf-metadata](https://github.com/rdimitrov/go-tuf-metadata)) which started from the idea of providing a Go implementation of TUF that is heavily influenced by the design decisions made in [python-tuf](https://github.com/theupdateframework/python-tuf). + ## Contact ---------------------------- -Questions, feedback, and suggestions are welcomed on the [#tuf](https://cloud-native.slack.com/archives/C8NMD3QJ3) channel on +Questions, feedback, and suggestions are welcomed on the [#tuf](https://cloud-native.slack.com/archives/C8NMD3QJ3) and/or [#go-tuf](https://cloud-native.slack.com/archives/C02D577GX54) channels on [CNCF Slack](https://slack.cncf.io/). We strive to make the specification easy to implement, so if you come across 
From a5740b41676d740d3f91c88d14a5877a3562d2d4 Mon Sep 17 00:00:00 2001 From: Joel Kamp Date: Tue, 2 Apr 2024 07:38:42 -0500 Subject: [PATCH 11/12] fix: use SHA384 for ECDSA P384 (#629) Signed-off-by: mrjoelkamp Co-authored-by: Fredrik Skogman --- metadata/keys.go | 1 + metadata/metadata.go | 9 ++++++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/metadata/keys.go b/metadata/keys.go index b567c6ab..57e38612 100644 --- a/metadata/keys.go +++ b/metadata/keys.go @@ -38,6 +38,7 @@ const ( KeyTypeRSASSA_PSS_SHA256 = "rsa" KeySchemeEd25519 = "ed25519" KeySchemeECDSA_SHA2_P256 = "ecdsa-sha2-nistp256" + KeySchemeECDSA_SHA2_P384 = "ecdsa-sha2-nistp384" KeySchemeRSASSA_PSS_SHA256 = "rsassa-pss-sha256" ) diff --git a/metadata/metadata.go b/metadata/metadata.go index 8bfecbb6..dc407ba8 100644 --- a/metadata/metadata.go +++ b/metadata/metadata.go @@ -312,7 +312,14 @@ func (meta *Metadata[T]) VerifyDelegate(delegatedRole string, delegatedMetadata // use corresponding hash function for key type hash := crypto.Hash(0) if key.Type != KeyTypeEd25519 { - hash = crypto.SHA256 + switch key.Scheme { + case KeySchemeECDSA_SHA2_P256: + hash = crypto.SHA256 + case KeySchemeECDSA_SHA2_P384: + hash = crypto.SHA384 + default: + hash = crypto.SHA256 + } } // load a verifier based on that key verifier, err := signature.LoadVerifier(publicKey, hash) From b2e024ad4752cc0c4a4e376460b21deb79e40ded Mon Sep 17 00:00:00 2001 
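Review bot: The new `default:` branch in VerifyDelegate maps every scheme other than the two ECDSA constants to SHA-256, so an unrecognised or mistyped scheme string on a non-Ed25519 key is still verified rather than rejected. Make the RSA case explicit and fail closed on anything else: `case KeySchemeECDSA_SHA2_P256, KeySchemeRSASSA_PSS_SHA256: hash = crypto.SHA256` and `default: return fmt.Errorf("unsupported key scheme %q", key.Scheme)` (assuming VerifyDelegate returns an error as the LoadVerifier call suggests, and using the package's own error type if fmt is not in scope). The digest is chosen from key.Scheme alone; whether a P-384 key tagged with the P-256 scheme is caught by LoadVerifier is not visible here, and the signing side is not in this diff, so the same scheme-to-hash mapping presumably needs to exist there or P-384 signatures will not round-trip. VerifyDelegate's body continues outside the hunk.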
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Apr 2024 12:41:31 -0400 Subject: [PATCH 12/12] chore(deps): bump github.com/sigstore/sigstore from 1.8.2 to 1.8.3 (#627) Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.8.2 to 1.8.3. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.2...v1.8.3) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Radoslav Dimitrov --- go.mod | 2 +- go.sum | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index ba4c5d72..66c8f849 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.21 require ( github.com/go-logr/stdr v1.2.2 github.com/secure-systems-lab/go-securesystemslib v0.8.0 - github.com/sigstore/sigstore v1.8.2 + github.com/sigstore/sigstore v1.8.3 github.com/spf13/cobra v1.8.0 github.com/stretchr/testify v1.9.0 ) diff --git a/go.sum b/go.sum index bb0137c4..a817387c 100644 --- a/go.sum +++ b/go.sum 
@@ -49,8 +49,8 @@ github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/f
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbmfHkLguCE9laoZCUzEEpIZXA=
 github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU=
-github.com/sigstore/sigstore v1.8.2 h1:0Ttjcn3V0fVQXlYq7+oHaaHkGFIt3ywm7SF4JTU/l8c=
-github.com/sigstore/sigstore v1.8.2/go.mod h1:CHVcSyknCcjI4K2ZhS1SI28r0tcQyBlwtALG536x1DY=
+github.com/sigstore/sigstore v1.8.3 h1:G7LVXqL+ekgYtYdksBks9B38dPoIsbscjQJX/MGWkA4=
+github.com/sigstore/sigstore v1.8.3/go.mod h1:mqbTEariiGA94cn6G3xnDiV6BD8eSLdL/eA7bvJ0fVs=
 github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
 github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
@@ -73,8 +73,8 @@ google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg
 google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU=
 google.golang.org/grpc v1.56.3 h1:8I4C0Yq1EjstUzUJzpcRVbuYA2mODtEmpWiQoN/b2nc=
 google.golang.org/grpc v1.56.3/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=