d9f7b922d0
The main change is previously we always instantiated a TUF client for the public good and GitHub Sigstore instances. Now we only instantiate the TUF client we need, or no client if we are provided a custom trusted root. Note that `gh attestation verify` still requires authentication, that is being addressed in https://github.com/cli/cli/pull/8995. Some other changes are coming along for the ride: - Set TUF cache validity to 1 day, to help serial verification - Attempt to infer verification policy based on custom trusted root - Make command output more friendly if you leave off required arguments Signed-off-by: Zach Steindler <steiza@github.com>
44 lines
1.1 KiB
Go
44 lines
1.1 KiB
Go
package verification
|
|
|
|
import (
|
|
_ "embed"
|
|
"os"
|
|
"path/filepath"
|
|
|
|
"github.com/cli/go-gh/v2/pkg/config"
|
|
"github.com/sigstore/sigstore-go/pkg/tuf"
|
|
)
|
|
|
|
//go:embed embed/tuf-repo.github.com/root.json
|
|
var githubRoot []byte
|
|
|
|
const GitHubTUFMirror = "https://tuf-repo.github.com"
|
|
|
|
func DefaultOptionsWithCacheSetting() *tuf.Options {
|
|
opts := tuf.DefaultOptions()
|
|
|
|
// The CODESPACES environment variable will be set to true in a Codespaces workspace
|
|
if os.Getenv("CODESPACES") == "true" {
|
|
// if the tool is being used in a Codespace, disable the local cache
|
|
// because there is a permissions issue preventing the tuf library
|
|
// from writing the Sigstore cache to the home directory
|
|
opts.DisableLocalCache = true
|
|
}
|
|
|
|
// Set the cache path to a directory owned by the CLI
|
|
opts.CachePath = filepath.Join(config.CacheDir(), ".sigstore", "root")
|
|
|
|
// Allow TUF cache for 1 day
|
|
opts.CacheValidity = 1
|
|
|
|
return opts
|
|
}
|
|
|
|
func GitHubTUFOptions() *tuf.Options {
|
|
opts := DefaultOptionsWithCacheSetting()
|
|
|
|
opts.Root = githubRoot
|
|
opts.RepositoryBaseURL = GitHubTUFMirror
|
|
|
|
return opts
|
|
}
|