Merge pull request #485 from jku/minimal-tuf-upgrade

TUF upgrade

Author: jku

action-constraints.txt

@@ -6,8 +6,6 @@
 #
 annotated-types==0.7.0
     # via pydantic
-appdirs==1.4.4
-    # via sigstore
 azure-core==1.32.0
     # via
     #   azure-identity
@@ -30,9 +28,7 @@ cachetools==5.5.0
 certifi==2024.8.30
     # via requests
 cffi==1.17.1
-    # via
-    #   cryptography
-    #   pynacl
+    # via cryptography
 charset-normalizer==3.4.0
     # via requests
 click==8.1.7
@@ -105,6 +101,8 @@ msal-extensions==1.2.0
     # via azure-identity
 multidict==6.1.0
     # via grpclib
+platformdirs==4.3.6
+    # via sigstore
 portalocker==2.10.1
     # via msal-extensions
 proto-plus==1.25.0
@@ -123,11 +121,12 @@ pyasn1==0.6.1
     # via
     #   pyasn1-modules
     #   rsa
+    #   sigstore
 pyasn1-modules==0.4.1
     # via google-auth
 pycparser==2.22
     # via cffi
-pydantic==2.10.1
+pydantic==2.10.2
     # via
     #   id
     #   sigstore
@@ -136,13 +135,11 @@ pydantic-core==2.27.1
     # via pydantic
 pygments==2.18.0
     # via rich
-pyjwt==2.10.0
+pyjwt==2.10.1
     # via
     #   msal
     #   sigstore
-pynacl==1.5.0
-    # via securesystemslib
-pyopenssl==24.2.1
+pyopenssl==24.3.0
     # via sigstore
 python-dateutil==2.9.0.post0
     # via
@@ -156,28 +153,29 @@ requests==2.32.3
     #   msal
     #   sigstore
     #   tuf
+rfc8785==0.1.4
+    # via sigstore
 rich==13.9.4
     # via sigstore
 rsa==4.9
     # via google-auth
 s3transfer==0.10.4
     # via boto3
-securesystemslib==0.31.0
+securesystemslib==1.2.0
     # via
-    #   sigstore
     #   tuf
     #   tuf-on-ci (repo/pyproject.toml)
-sigstore==2.1.5
+sigstore==3.5.3
     # via securesystemslib
 sigstore-protobuf-specs==0.3.2
     # via sigstore
-sigstore-rekor-types==0.0.11
+sigstore-rekor-types==0.0.13
     # via sigstore
 six==1.16.0
     # via
     #   azure-core
     #   python-dateutil
-tuf==3.1.1
+tuf==5.1.0
     # via
     #   sigstore
     #   tuf-on-ci (repo/pyproject.toml)

repo/pyproject.toml

@@ -11,8 +11,8 @@ name = "tuf-on-ci"
 description = "TUF-on-CI repository tools, intended to be executed on a CI system"
 readme = "README.md"
 dependencies = [
-  "securesystemslib[awskms, azurekms, gcpkms, sigstore, pynacl] ~= 0.31.0",
-  "tuf ~= 3.1",
+  "securesystemslib[awskms, azurekms, gcpkms, sigstore] ~= 1.2",
+  "tuf ~= 5.1",
   "click ~= 8.1",
 ]
 requires-python = ">=3.10"

repo/tuf_on_ci/_repository.py

@@ -3,7 +3,7 @@
 import os
 import shutil
 from dataclasses import dataclass
-from datetime import datetime, timedelta
+from datetime import UTC, datetime, timedelta
 from enum import Enum, unique
 from glob import glob
 
@@ -222,7 +222,7 @@ def close(self, rolename: str, md: Metadata) -> None:
 
         _, expiry_days = self.signing_expiry_period(rolename)
 
-        md.signed.expires = datetime.utcnow() + timedelta(days=expiry_days)
+        md.signed.expires = datetime.now(UTC) + timedelta(days=expiry_days)
 
         md.signatures.clear()
         for key in self._get_keys(rolename):
@@ -244,9 +244,8 @@ def close(self, rolename: str, md: Metadata) -> None:
                 md.signatures[key.keyid] = Signature(key.keyid, "")
 
         if rolename in ["timestamp", "snapshot"]:
-            root_md: Metadata[Root] = self.open("root")
             # repository should never write unsigned online roles
-            root_md.verify_delegate(rolename, md)
+            self.root().verify_delegate(rolename, md.signed_bytes, md.signatures)
 
         self._write(rolename, md)
 
@@ -321,7 +320,7 @@ def open_prev(self, role: str) -> Metadata | None:
         return None
 
     def _validate_role(
-        self, delegator: Metadata, rolename: str
+        self, delegator: Root | Targets, rolename: str
     ) -> tuple[bool, str | None]:
         """Validate role compatibility with this repository
 
@@ -340,7 +339,7 @@ def _validate_role(
             return False, f"Version {md.signed.version} is not valid for {rolename}"
 
         days = md.signed.unrecognized_fields["x-tuf-on-ci-expiry-period"]
-        if md.signed.expires > datetime.utcnow() + timedelta(days=days):
+        if md.signed.expires > datetime.now(UTC) + timedelta(days=days):
             return False, f"Expiry date is further than expected {days} days ahead"
 
         if isinstance(md.signed, Root):
@@ -384,7 +383,7 @@ def _validate_role(
         # * check that target files in metadata match the files in targets/
 
         try:
-            delegator.verify_delegate(rolename, md)
+            delegator.verify_delegate(rolename, md.signed_bytes, md.signatures)
         except UnsignedMetadataError:
             return False, None
 
@@ -483,16 +482,18 @@ def _get_signing_status(
         # Find delegating metadata. For root handle the special case of known good
         # delegating metadata.
         if known_good:
-            delegator = None
+            delegator: Root | Targets | None = None
             if rolename == "root":
-                delegator = self.open_prev("root")
+                root_md = self.open_prev("root")
+                if root_md:
+                    delegator = root_md.signed
             if not delegator:
                 # Not root role or there is no known-good root metadata yet
                 return None
         elif rolename in ["root", "targets"]:
-            delegator = self.open("root")
+            delegator = self.root()
         else:
-            delegator = self.open("targets")
+            delegator = self.targets()
 
         # Build list of invites to all delegated roles of rolename
         delegation_names = []
@@ -503,7 +504,7 @@ def _get_signing_status(
         for delegation_name in delegation_names:
             invites.update(self.state.invited_signers_for_role(delegation_name))
 
-        role = delegator.signed.get_delegated_role(rolename)
+        role = delegator.get_delegated_role(rolename)
 
         # Build lists of signed signers and not signed signers
         for key in self._get_keys(rolename, known_good):
@@ -585,15 +586,14 @@ def build(self, metadata_path: str, artifact_path: str | None):
 
     def bump_expiring(self, rolename: str) -> int | None:
         """Create a new version of role if it is about to expire"""
-        now = datetime.utcnow()
         bumped = True
 
         with self.edit(rolename) as signed:
             signing_days, _ = self.signing_expiry_period(rolename)
             delta = timedelta(days=signing_days)
 
             logger.debug(f"{rolename} signing period starts {signed.expires - delta}")
-            if now + delta < signed.expires:
+            if datetime.now(UTC) + delta < signed.expires:
                 # no need to bump version
                 bumped = False
                 raise AbortEdit
@@ -622,13 +622,13 @@ def update_targets(self, rolename: str) -> bool:
 
     def is_signed(self, rolename: str) -> bool:
         """Return True if role is correctly signed"""
-        role_md = self.open(rolename)
+        md = self.open(rolename)
         if rolename in ["root", "timestamp", "snapshot", "targets"]:
-            delegator = self.open("root")
+            delegator: Root | Targets = self.root()
         else:
-            delegator = self.open("targets")
+            delegator = self.targets()
         try:
-            delegator.verify_delegate(rolename, role_md)
+            delegator.verify_delegate(rolename, md.signed_bytes, md.signatures)
         except UnsignedMetadataError:
             return False
 
@@ -639,4 +639,4 @@ def is_in_signing_period(self, rolename: str) -> bool:
         role_md = self.open(rolename)
         signing_days, _ = self.signing_expiry_period(rolename)
         delta = timedelta(days=signing_days)
-        return datetime.utcnow() >= role_md.signed.expires - delta
+        return datetime.now(UTC) >= role_md.signed.expires - delta

signer/pyproject.toml

@@ -7,10 +7,10 @@ name = "tuf-on-ci-sign"
 description = "Signing tools for TUF-on-CI"
 readme = "README.md"
 dependencies = [
-  "packaging >= 23.2,< 25.0",
+  "packaging ~= 24.0",
   "platformdirs ~= 4.2",
-  "securesystemslib[awskms,azurekms,gcpkms,hsm,sigstore] ~= 0.31.0",
-  "tuf ~= 3.1",
+  "securesystemslib[awskms,azurekms,gcpkms,hsm,sigstore] ~= 1.2",
+  "tuf ~= 5.1",
   "click ~= 8.1",
 ]
 requires-python = ">=3.9"

signer/tuf_on_ci_sign/_signer_repository.py

@@ -11,7 +11,7 @@
 import os
 from contextlib import AbstractContextManager
 from dataclasses import dataclass
-from datetime import datetime, timedelta
+from datetime import datetime, timedelta, timezone
 from enum import Enum, unique
 
 import click
@@ -348,7 +348,7 @@ def close(self, role: str, md: Metadata) -> None:
 
         # Set expiry based on custom metadata
         days = md.signed.unrecognized_fields["x-tuf-on-ci-expiry-period"]
-        md.signed.expires = datetime.utcnow() + timedelta(days=days)
+        md.signed.expires = datetime.now(timezone.utc) + timedelta(days=days)
 
         # figure out if there are open invites to delegations of this role
         open_invites = False

signer/tuf_on_ci_sign/delegate.py

@@ -260,7 +260,7 @@ def _collect_online_key(user_config: User) -> Key:
         if choice == 0:
             # This could be generic support, but for now it's a hidden test key.
             # key value 1d9a024348e413892aeeb8cc8449309c152f48177200ee61a02ae56f450c6480
-            uri = "envvar:LOCAL_TESTING_KEY"
+            uri = f"file2:{os.getenv('TUF_ON_CI_TEST_KEY')}"
             pub_key = "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
             return SSlibKey(
                 "fa47289",

tests/e2e.sh

@@ -16,7 +16,6 @@
 # Python dependencies
 # * signer: pip install ./signer/
 # * repo: pip install ./repo/
-# * pynacl: pip install pynacl  # for the testing ed25519 key
 #
 #
 # Set DEBUG_TESTS=1 for more visibility. This will leave the temp directories in place.
@@ -519,7 +518,7 @@ repo_online_sign()
 
     cd $REPO_GIT
 
-    if LOCAL_TESTING_KEY=$ONLINE_KEY tuf-on-ci-online-sign --push >> $REPO_DIR/out 2>&1; then
+    if tuf-on-ci-online-sign --push >> $REPO_DIR/out 2>&1; then
         echo "generated=true" >> $REPO_DIR/out
     else
         echo "generated=false" >> $REPO_DIR/out
@@ -917,7 +916,9 @@ export TZ="UTC"
 WORK_DIR=$(mktemp -d)
 SCRIPT_DIR=$(dirname $(readlink -f "$0"))
 
-ONLINE_KEY="1d9a024348e413892aeeb8cc8449309c152f48177200ee61a02ae56f450c6480"
+# setup online signing workaround with file based key
+export TUF_ON_CI_TEST_KEY=online-test-key
+export CRYPTO_SIGNER_PATH_PREFIX=$SCRIPT_DIR
 
 # Run tests
 test_basic

tests/expected/basic/metadata/1.root.json

@@ -24,7 +24,7 @@
      "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
     },
     "scheme": "ed25519",
-    "x-tuf-on-ci-online-uri": "envvar:LOCAL_TESTING_KEY"
+    "x-tuf-on-ci-online-uri": "file2:online-test-key"
    }
   },
   "roles": {

tests/expected/delegated/metadata/1.root.json

@@ -24,7 +24,7 @@
      "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
     },
     "scheme": "ed25519",
-    "x-tuf-on-ci-online-uri": "envvar:LOCAL_TESTING_KEY"
+    "x-tuf-on-ci-online-uri": "file2:online-test-key"
    }
   },
   "roles": {

tests/expected/multi-user-signing/metadata/1.root.json

@@ -32,7 +32,7 @@
      "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
     },
     "scheme": "ed25519",
-    "x-tuf-on-ci-online-uri": "envvar:LOCAL_TESTING_KEY"
+    "x-tuf-on-ci-online-uri": "file2:online-test-key"
    }
   },
   "roles": {