Upgrade to TUF v2 client

[cmurphy]

Use sigstore-go's TUF client to fetch the trusted_root.json from the TUF
mirror, if available. Where possible, use sigstore-go's verifiers which
natively accept the trusted root as its trusted material. Where there is
no trusted root available in TUF or sigstore-go doesn't support a use
case, fall back to the sigstore/sigstore TUF v1 client and the existing
verifiers in cosign.

TODO:

• unit tests
• e2e tests - waiting for Add the ability to contruct TrustRoot from targets sigstore-go#247 to be merged and percolated into the scaffolding action

Fixes #3548

Summary

Release Note

Documentation

[cmurphy]

There is still work to do here but I will be out for a couple of weeks so it might be worth getting some eyes on in the meantime.

[codecov]

Codecov Report

Attention: Patch coverage is 22.28261% with 286 lines in your changes missing coverage. Please review.

Project coverage is 36.30%. Comparing base (2ef6022) to head (bbe5f24).
Report is 345 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/cosign/tuf.go	0.00%	66 Missing ⚠️
pkg/cosign/verify.go	22.35%	57 Missing and 9 partials ⚠️
cmd/cosign/cli/verify/verify_attestation.go	0.00%	33 Missing ⚠️
cmd/cosign/cli/verify/verify.go	0.00%	32 Missing ⚠️
...cosign/cli/fulcio/fulcioverifier/fulcioverifier.go	0.00%	17 Missing and 1 partial ⚠️
cmd/cosign/cli/sign/sign.go	28.57%	15 Missing ⚠️
pkg/cosign/tlog.go	12.50%	13 Missing and 1 partial ⚠️
cmd/cosign/cli/initialize/init.go	66.66%	6 Missing and 4 partials ⚠️
cmd/cosign/cli/verify/verify_blob_attestation.go	65.21%	4 Missing and 4 partials ⚠️
cmd/cosign/cli/verify/verify_blob.go	69.56%	4 Missing and 3 partials ⚠️
... and 4 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3844      +/-   ##
==========================================
- Coverage   40.10%   36.30%   -3.80%     
==========================================
  Files         155      211      +56     
  Lines       10044    14004    +3960     
==========================================
+ Hits         4028     5084    +1056     
- Misses       5530     8273    +2743     
- Partials      486      647     +161     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[jku]

There is still work to do here but I will be out for a couple of weeks so it might be worth getting some eyes on in the meantime.

sorry, I missed this at the time: I will have a look today or monday

[jku]

Sigstore-go provides a way to check for a trusted root and automatically use it if available, but can also fetch individual targets as needed if the provided TUF mirror does not supply a trusted_root.json.

Can you specify what cosign does with sigstore-go? I can see there are some invidual target fetches in the code but does cosign now use trusted_root.json by default?

[cmurphy]

Can you specify what cosign does with sigstore-go?

Cosign uses sigstore-go piecemeal for various things, but the goal of this PR is to adopt sigstore-go's TUF client wrapper instead of the client wrapper provided by sigstore/sigstore.

does cosign now use trusted_root.json by default?

It does not, that's part of the purpose of this PR and #3548. There is another PR in progress #3854 that adds a --trusted-root flag that I will have to adjust this PR to conform with.

sorry, I missed this at the time: I will have a look today or monday

I may now have to wait for that other PR to be fleshed out before I can make active progress on this, so don't feel rushed to review this. I can ping you again when it's in a more stable state.

[codysoyland]

I wonder if these filenames should be configurable somewhere for private Sigstore TUF operators. The existing metadata format allows for additional targets to be added and discovered, but TUF v2 does not allow iterating over targets, so that strategy is unsupported, meaning this current diff does not necessarily support all private TUF deployments.

We could also provide a CLI utility to convert an old TUF v1 layout to a trusted_root.json and require private TUF maintainers to use it to generate a trusted root in order to support the next version of cosign. I kind of like this option as it fast tracks the adoption of the trusted root.

[cmurphy]

I wonder if these filenames should be configurable somewhere for private Sigstore TUF operators

These filenames are hardcoded in the TUF v1 code so recreating them here was an attempt to align with the old way of retrieving targets.

The existing metadata format allows for additional targets to be added and discovered, but TUF v2 does not allow iterating over targets, so that strategy is unsupported, meaning this current diff does not necessarily support all private TUF deployments.

You're right, that was an oversight on my part. I had an earlier version of this that could support discovering targets from custom metadata that I will restore.

We could also provide a CLI utility to convert an old TUF v1 layout to a trusted_root.json

We could do that as a last resort, but my hope was to maintain full backwards compatibility and ease users gently toward using trusted_root.json.

[codysoyland]

The validity period in the TrustedRoot should be compared to the timestamp provided by the timestamping service or transparency log. I understand this is not something that is known at the time that you are assembling the CheckOpts, and that makes this a hard problem, but I'm not sure we want to enforce this in this version of the code. I believe we still want to be able to verify a signature produced prior to a timestamping service's validity end date, even if the current time is after that date.

[cmurphy]

My goal here was to have something to substitute for the Active/Expired status from TUF v1 that does not seem to have an equivalent in TUF v2. Open to discarding this entirely or finding an alternative.

[haydentherapper]

For what it's worth, I don't think Cosign is effectively using Active/Expired now, as Cosign is only printing a message to stdout if you are verifying an entry with an "expired" key. This isn't really helpful to the user because there's nothing wrong with using an expired key, it's if the key is used to verify something outside of its validity window, which isn't currently implemented in Cosign.

If it'd be easier to just not deal with Active/Expired, I'd be supportive of that. We can either rely on sigstore-go down the line to do that check, or we can file an issue to implement that feature in Cosign's verification API when using the trusted root file. I'd lean towards the latter in line with #3879.

[cmurphy]

@steiza , @codysoyland , @haydentherapper and I met to discuss a path forward on this and we decided to shrink the scope of this PR by removing the fetch of trusted_root.json, to be addressed separately.

This PR dropped the fetch of trusted_root.json, but it now fails conformance tests because the SCT returned during signing from p-g-i is signed by the ctfe_2022.pub key, which the sigstore-go TUF client has no way to know about. This worked fine with p-g-i when trusted_root.json was considered, but shows that this approach will break any deployment that has rotated keys relying on custom metadata. I'm starting to think that using the new client must also be synchronized with using trusted_root.json and that the whole thing should be guarded by a flag that users can opt into. Thoughts?

[steiza]

but shows that this approach will break any deployment that has rotated keys relying on custom metadata

Oof, what a mess we've made for ourselves. Yeah, this is what makes the cosign modernization effort we're working on so tricky.

I'm starting to think that using the new client must also be synchronized with using trusted_root.json and that the whole thing should be guarded by a flag that users can opt into.

This is what I'm thinking as well. #3854 could be updated to use CheckOpts as @codysoyland described in #3879. Then for those commands that support --trusted-root could also add something like --tuf-url + --tuf-root that would fetch the trusted_root.json for you, instead of having to supply it with --trusted-root.

[cmurphy]

The latest change adds back the root.NewLiveTrustedRoot TUF fetch, now guarded by environment variables so the user can opt in. Using environment variables seems to be pretty common in cosign and it makes it so all the TUF logic is concentrated in the pkg/cosign package and we don't have to plumb through command line flags. It doesn't add a TrustedMaterial field to CheckOpts because it's not needed with this approach, the TUF functions work mostly the same as they did before. This could still work with #3854 where that PR would allow explicitly providing a trusted_root.json file instead of relying on either TUF client. I'd be happy to chat more about this on a call.

[steiza]

I think we're still at odds a bit in terms of approach (but it's also possible I'm missing something!)

Ultimately, we have to decide what verification path we use in different scenarios, sigstore-go or pkg/cosign/verify.

Here's my understanding of the current state of things (which we can of course change):

Scenario	Verification Path
Verifying with a new protocol buffer bundle (which requires a trusted root)	sigstore-go (landed in #3796)
Verifying disparate signed materials or an old bundle with a trusted root	sigstore-go (proposed in #3854)
Verifying anything with TUF v2	pkg/cosign/verify (proposed here in #3844)
Verifying anything with TUF v2	sigstore-go (suggested by @steiza - fetch the trusted root and then use proposed code in #3854)

It is certainly possible to use pkg/cosign/verify here with TUF v2, but I think our current tests are missing the case where there are several sets of verification material and today pkg/cosign/verify picks one to use instead of checking all of them, including at least SCT verification, VerifySet, and TSA verification that I listed out on #3854 (comment).

We could make this pull request address those cases. But ultimately, we need #3844 and #3854 to agree on what the verification path should be when you're using TUF v2 - sigstore-go or pkg/cosign/verify.

[steiza]

I was confused again this morning, and worried I lumped together too many use-cases, so I made a more detailed table:

Signed materials	Verification materials	Verification materials provided by	Verification Path
Protocol buffer bundle	requires trusted root	trusted root file on disk	sigstore-go (landed in #3796)
Protocol buffer bundle	requires trusted root	TUFv1	N/A - we require a trusted root, which TUFv1 does not provide
Protocol buffer bundle	requires trusted root	TUFv2	sigstore-go (suggested by @steiza - fetch the trusted root and then use code landed in #3796)
Not protocol buffer bundle	trusted root	trusted root file on disk	sigstore-go (proposed in #3854)
Not protocol buffer bundle	trusted root	TUFv1	N/A - TUFv1 does not supply a trusted root, see "not trusted root" below
Not protocol buffer bundle	trusted root	TUFv2	pkg/cosign/verify (proposed here in #3844) or row below
Not protocol buffer bundle	trusted root	TUFv2	sigstore-go (suggested by @steiza - fetch the trusted root and then use proposed code in #3854) or row above
Not protocol buffer bundle	not trusted root (e.g. disparate material via flags or ENV vars)	TUFv1	pkg/cosign/verify (already implemented)
Not protocol buffer bundle	not trusted root (e.g. disparate material via flags or ENV vars)	TUFv2	This doesn't make sense - if you're using TUFv2 you're going to have a trusted root

I think I ended up in the same place though.

In the case where we don't have a new protocol buffer bundle, and we have a trusted root that we fetched with TUFv2, we need to decide if the verification path is going to be:

• pkg/cosign/verify (in which case we need to audit and improve that verification path to handle the lists of possible verification material the trusted root provides) or
• sigstore-go where we've already implemented that functionality (which means modifying commands individually)

[jku]

thanks for writing that up zach, I'm trying to catch up and this is useful

[cmurphy]

@steiza thanks for the summary, I have a couple of minor clarifying questions:

This doesn't make sense - if you're using TUFv2 you're going to have a trusted root

Do you mean ideally, or currently? Using the TUF v2 client doesn't guarantee you've created a trusted_root.json and added it to your TUF repository.

pkg/cosign/verify (proposed here in #3844) or row below

Technically this PR does very little in pkg/cosign/verify.go. The scope of the TUF change also needs to include getting keys for the CT server which are needed during signing.

[jku]

if new environment variables TUF_MIRROR, TUF_ROOT_JSON or
TUF_USE_TRUSTED_ROOT are set, use those to instantiate a TUF v2 client.

How do we expect these to get set? By end users?

It feels wrong if users need to set an environment variable to make the software use the recommended trust root mechanism.

[steiza]

Do you mean ideally, or currently? Using the TUF v2 client doesn't guarantee you've created a trusted_root.json and added it to your TUF repository.

Aha, I think I finally understand our different perspectives! I thought that when we use a TUF v2 client we were only going to fetch the trusted_root.json and not fetch individual files over TUF like ctfe.pub - but maybe that's that not the case? The way #3548 is worded made me think that we're doing the TUF v2 client upgrade and moving to using trusted_root.json at the same time.

If we are allowing fetching files like ctfe.pub over TUF v2, then I agree that we should use the contents of those files with the existing pkg/cosign/verify verification path (or signing, like you linked).

But if we're fetching trusted_root.json over TUF v2, that's when we need to decide if we're going to use sigstore-go or if we're going to make additional changes to pkg/cosign/verify in this pull request. The trusted root provides lists of possible verification material, which the pkg/cosign/verify was not originally written to handle.

For example, we verify the certificate with intermediateCerts *x509.CertPool that includes all the intermediate certs listed in the trusted root (great), but we always pick the first chain to verify the SCT (not great). I listed out two other similar cases on #3854 (comment), but I haven't done a close audit of pkg/cosign/verify either.

[cmurphy]

Addressed comments, added unit tests mainly for initialize and for the fulcio verifier which has the tricky detached SCT handling, added an e2e test that uses trusted_root.json, and fixed several issues uncovered through tests. Marking this ready for review because I think this is close to the final product, but I still need to debug the conformance and attestation tests which may introduce small changes, and I may not be able to get back to this for a bit.

[cmurphy]

Unable to reproduce the conformance test issue because of a different python issue, also appearing here https://github.com/sigstore/cosign/actions/runs/12717693057/job/35454646340?pr=4006

[jku]

Unable to reproduce the conformance test issue because of a different python issue, also appearing here https://github.com/sigstore/cosign/actions/runs/12717693057/job/35454646340?pr=4006

I believe I have a fix: sigstore/sigstore-conformance#179
will try to remember to update here when it's released

[haydentherapper]

Conformance fix is now merged.

[haydentherapper]

Just need to rebase past #4011

[bkabrda]

Hi folks, thank you all for all your hard work on this, this is awesome.

I gave this PR a test with the private Sigstore instances that I'm working on and I ran into one problem: We're using RSA PSS keys to sign our TUF metadata and it seems that go-tuf v2 only got a support for these recently in theupdateframework/go-tuf#625 - would it be possible to upgrade to a version of go-tuf that includes this PR? I'd be happy to help doing the updates once a new version of go-tuf is released, but not sure if/when that's going to happen.

Edit: one thing that would be really useful to help debugging this kind of issues is if there was a (debug) message saying that the trusted_root.json was in fact found, but failed to be parsed (and why). Right now, the warning message emitted only seems to suggest that the file is not present at all:

WARNING: Could not find trusted_root.json in TUF mirror, falling back to individual targets. It is recommended to update your TUF metadata repository to include trusted_root.json.

[jku]

would it be possible to upgrade to a version of go-tuf that includes this PR?

Almost certainly: go-tuf just needs to make that release.

one thing that would be really useful to help debugging this kind of issues is if there was a (debug) message saying that the trusted_root.json was in fact found, but failed to be parsed (and why).

it sounds like the failure is that go-tuf considers the repository invalid so it never even got to downloading trusted_root.json (trusted_root.json is the artifact that cosign is trying to download using TUF, it just happens to be similar in name as the TUF metadata file that contains the "invalid" key): I'm sure the cosign error message could be improved though

[bkabrda]

it sounds like the failure is that go-tuf considers the repository invalid so it never even got to downloading trusted_root.json

This does happen if the repository is considered invalid, but it also happens when trusted_root.json is invalid (in our case we had some issues in how we serialized keyBytes for some targets). Either way including a debugging message that shows the underlying error would cover both cases, so I believe that's the best way to go.

[cmurphy]

Done:

• Made several fixes for bugs that the conformance tests caught and updated the e2e tests to avoid certain bugs slipping through
• Updated the warning message to pass through the error from TUF
• Rebased and fixed errors that arose from conflicts with Cody's latest change

Blocked:

• TUF trusted_root.json generated for scaffolding action is invalid scaffolding#1459
• URLToPath is not Windows-safe sigstore-go#407