diff --git a/Makefile b/Makefile
index b95a679f..b8167755 100644
--- a/Makefile
+++ b/Makefile
@@ -178,4 +178,14 @@ update-embedded-root: $(VENV)/pyvenv.cfg
 cp ~/.local/share/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/root.json \
 sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/root.json
 cp ~/.cache/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/trusted_root.json \
- sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/trusted_root.json
+ ~/.cache/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/signing_config.v0.2.json \
+ sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/
+
+update-embedded-root-staging: $(VENV)/pyvenv.cfg
+ . $(VENV_BIN)/activate && \
+ python -m sigstore plumbing update-trust-root
+ cp ~/.local/share/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstage.dev/root.json \
+ sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstage.dev/root.json
+ cp ~/.cache/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstage.dev/trusted_root.json \
+ ~/.cache/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstage.dev/signing_config.v0.2.json \
+ sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstage.dev/
diff --git a/sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstage.dev/root.json b/sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstage.dev/root.json
index 9206f75b..18f98c64 100644
--- a/sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstage.dev/root.json
+++ b/sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstage.dev/root.json
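Review bot: `update-embedded-root-staging` runs the identical `python -m sigstore plumbing update-trust-root` command as the production target, with nothing selecting the staging instance, so it is unclear from the hunk how the `~/.cache/…/tuf-repo-cdn.sigstage.dev/` files it then copies get refreshed; unless that command updates both instances, the recipe needs the CLI's global `--staging` flag (`python -m sigstore --staging plumbing update-trust-root`), and if it does update both, a comment saying so would spare the next reader the same question. Both targets copy whatever the local cache currently holds, so the embedded copies are only as trustworthy as the preceding TUF-verified update — worth stating in a comment above the rules, since these files are the shipped trust anchors. Neither target is declared `.PHONY` within the hunk; if the declaration lives elsewhere in the file, add the new name there. The `update-embedded-root` rule starts before the hunk.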
@@ -2,11 +2,11 @@
 "signatures": [
 {
 "keyid": "aa61e09f6af7662ac686cf0c6364079f63d3e7a86836684eeced93eace3acd81",
- "sig": "3044022064ac6af7f922e3bc8ac095d1fb59c5e65b52c8b378d3777b9223fc63b65c1f05022022a3722f464b3cfb985cdd76b76790533c5ac81613dade8f3a1136d4473dc466"
+ "sig": "3046022100fe72afdbab1bef70c6f461f39f5e75cf543e5277648bfab798a108a0f76f0ca002210098e1e1804b7a13bab42c063691864d85fc4bf6f5a875346b388be00f139c6118"
 },
 {
 "keyid": "61f9609d2655b346fcebccd66b509d5828168d5e447110e261f0bcc8553624bc",
- "sig": "3046022100ef742d08c803a87e4eabbefbad528e40bdbe7aa9dcdcdcc024aa256315c8bcf202210089e444aebb431f743fad85cecbb16a3cfd62b624dbd37a9bfdce21135659bd8b"
+ "sig": "304502210094423ead9a7d546d703f649b408441688eb30f3279fb065b28eea05d2b36843102206f21fa2888836485964c7cb7468a16ddb6297784c50cdba03888578d7b46e0c7"
 },
 {
 "keyid": "9471fbda95411d10109e467ad526082d15f14a38de54ea2ada9687ab39d8e237",
@@ -20,7 +20,7 @@
 "signed": {
 "_type": "root",
 "consistent_snapshot": true,
- "expires": "2025-08-01T13:24:50Z",
+ "expires": "2025-12-26T13:27:03Z",
 "keys": {
 "0374a9e18a20a2103736cb4277e2fdd7f8453642c7d9eaf4ad8aee9cf2d47bb5": {
 "keytype": "ecdsa",
@@ -100,7 +100,7 @@
 }
 },
 "spec_version": "1.0",
- "version": 11,
+ "version": 12,
 "x-tuf-on-ci-expiry-period": 182,
 "x-tuf-on-ci-signing-period": 35
 }
diff --git a/sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstage.dev/signing_config.v0.2.json b/sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstage.dev/signing_config.v0.2.json
index 62629a3c..66ef68cf 100644
--- a/sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstage.dev/signing_config.v0.2.json
+++ b/sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstage.dev/signing_config.v0.2.json
@@ -21,6 +21,23 @@
 }
 ],
 "rekorTlogUrls": [
+ {
+ "url": "https://log2025-alpha2.rekor.sigstage.dev",
+ "majorApiVersion": 2,
+ "validFor": {
+ "start": "2025-08-20T07:24:08Z"
+ },
+ "operator": "sigstore.dev"
+ },
+ {
+ "url": "https://log2025-alpha1.rekor.sigstage.dev",
+ "majorApiVersion": 2,
+ "validFor": {
+ "start": "2025-05-07T12:00:00Z",
+ "end": "2025-08-20T07:24:08Z"
+ },
+ "operator": "sigstore.dev"
+ },
 {
 "url": "https://rekor.sigstage.dev",
 "majorApiVersion": 1,
diff --git a/sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstage.dev/trusted_root.json b/sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstage.dev/trusted_root.json
index 8691ef5d..c632586e 100644
--- a/sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstage.dev/trusted_root.json
+++ b/sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstage.dev/trusted_root.json
@@ -14,6 +14,35 @@
 "logId": {
 "keyId": "0y8wo8MtY5wrdiIFohx7sHeI5oKDpK5vQhGHI6G+pJY="
 }
+ },
+ {
+ "baseUrl": "https://log2025-alpha1.rekor.sigstage.dev",
+ "hashAlgorithm": "SHA2_256",
+ "publicKey": {
+ "rawBytes": "MCowBQYDK2VwAyEAPn+AREHoBaZ7wgS1zBqpxmLSGnyhxXj4lFxSdWVB8o8=",
+ "keyDetails": "PKIX_ED25519",
+ "validFor": {
+ "start": "2025-04-16T00:00:00Z",
+ "end": "2025-09-04T00:00:00Z"
+ }
+ },
+ "logId": {
+ "keyId": "8w1amZ2S5mJIQkQmPxdMuOrL/oJkvFg9MnQXmeOCXck="
+ }
+ },
+ {
+ "baseUrl": "https://log2025-alpha2.rekor.sigstage.dev",
+ "hashAlgorithm": "SHA2_256",
+ "publicKey": {
+ "rawBytes": "MCowBQYDK2VwAyEAkrA8Ou2FtN7kYXCP/lpvF8vQrvh4nj+91+PWOGGzfGc=",
+ "keyDetails": "PKIX_ED25519",
+ "validFor": {
+ "start": "2025-08-08T00:00:00Z"
+ }
+ },
+ "logId": {
+ "keyId": "KfSiSX2iRLyhK62SUVL47vVcqqRx/RAewpKJm8IdZTo="
+ }
 }
 ],
 "certificateAuthorities": [
diff --git a/sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/root.json b/sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/root.json
index 2a373bd6..a50bcb23 100644
--- a/sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/root.json
+++ b/sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/root.json
@@ -6,25 +6,29 @@
 },
 {
 "keyid": "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2",
- "sig": "3045022100b0bcf189ce1b93e7db9649d5be512a1880c0e358870e3933e426c5afb8a4061002206d214bd79b09f458ccc521a290aa960c417014fc16e606f82091b5e31814886a"
+ "sig": "3045022100bbddd464f8066ceb88ba787375c12cd6330680e08c2910703e6538c71cc79ad202205190b06e4537fe961b3ef81fe68edcd0089c19f919afed423b9aafd700641153"
 },
 {
 "keyid": "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06",
- "sig": ""
+ "sig": "3044022069306cd5257f732a740c1afe60a8e433c5de58eafeadbe99c336c9c71d198cf802200d773953ae7dbc48d3e5bad9a6f64bafff196b7e2ad4a52a19519367d47dc042"
 },
 {
 "keyid": "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222",
- "sig": "3045022100a9b9e294ec21b62dfca6a16a19d084182c12572e33d9c4dcab5317fa1e8a459d022069f68e55ea1f95c5a367aac7a61a65757f93da5a006a5f4d1cf995be812d7602"
+ "sig": "304402204d21a2ec80df66e61f6fe2912951dc47df836036f8c0ab10816d375e71dbf79e0220547adce1afdf04e6794efa203dd5264c6f7e0ef78e57fe934b0d26cb994eec76"
 },
 {
 "keyid": "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70",
- "sig": "30440220781178ec3915cb16aca757d40e28435ac5378d6b487acb111d1eeb339397f79a0220781cce48ae46f9e47b97a8414fcf466a986726a5896c72a0e4aba3162cb826dd"
+ "sig": "3045022060826496557144eb1649893ed5f6f4ea54536feb0ca82f8b89ae641be39743e5022100ad7118b5e9d4837326206e412fc6da2999925d110328a7c166b06c624336c93f"
+ },
+ {
+ "keyid": "183e64f37670dc13ca0d28995a3053f3740954ddce44321a41e46534cf44e632",
+ "sig": "3046022100d8179439c2e73eb0c1733abee7faf832dcaea7263edcb4919891c3a247f05923022100e1a437e0797e803f9b72dc9d2d92155b0a2270c24efdd5f4b3a5d8f0b0f431a7"
 }
 ],
 "signed": {
 "_type": "root",
 "consistent_snapshot": true,
- "expires": "2025-08-19T14:33:09Z",
+ "expires": "2026-01-22T13:05:59Z",
 "keys": {
 "0c87432c3bf09fd99189fdc32fa5eaedf4e4a5fac7bab73fa04a2e0fc64af6f5": {
 "keyid_hash_algorithms": [
@@ -38,6 +42,14 @@
 "scheme": "ecdsa-sha2-nistp256",
 "x-tuf-on-ci-online-uri": "gcpkms:projects/sigstore-root-signing/locations/global/keyRings/root/cryptoKeys/timestamp/cryptoKeyVersions/1"
 },
+ "183e64f37670dc13ca0d28995a3053f3740954ddce44321a41e46534cf44e632": {
+ "keytype": "ecdsa",
+ "keyval": {
+ "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMxpPOJCIZ5otG4106fGJseEQi3V9\npkMYQ4uyV9Tj1M7WHXIyLG+jkfvuG0glQ1JZbRZZBV3gAR4sojdGHISeow==\n-----END PUBLIC KEY-----\n"
+ },
+ "scheme": "ecdsa-sha2-nistp256",
+ "x-tuf-on-ci-keyowner": "@lance"
+ },
 "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06": {
 "keyid_hash_algorithms": [
 "sha256",
@@ -62,18 +74,6 @@
 "scheme": "ecdsa-sha2-nistp256",
 "x-tuf-on-ci-keyowner": "@bobcallaway"
 },
- "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3": {
- "keyid_hash_algorithms": [
- "sha256",
- "sha512"
- ],
- "keytype": "ecdsa",
- "keyval": {
- "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEy8XKsmhBYDI8Jc0GwzBxeKax0cm5\nSTKEU65HPFunUn41sT8pi0FjM4IkHz/YUmwmLUO0Wt7lxhj6BkLIK4qYAw==\n-----END PUBLIC KEY-----\n"
- },
- "scheme": "ecdsa-sha2-nistp256",
- "x-tuf-on-ci-keyowner": "@dlorenc"
- },
 "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70": {
 "keyid_hash_algorithms": [
 "sha256",
@@ -102,11 +102,11 @@
 "roles": {
 "root": {
 "keyids": [
- "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3",
 "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2",
 "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06",
 "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222",
- "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70"
+ "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70",
+ "183e64f37670dc13ca0d28995a3053f3740954ddce44321a41e46534cf44e632"
 ],
 "threshold": 3
 },
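Review bot: This hunk rotates the embedded production trust anchor: key `183e64…` (`@lance`) enters the `root` and `targets` roles and `6f260089…` (`@dlorenc`) leaves them, with the threshold staying at 3 and the same change repeated for the `targets` role in the hunk that follows. Nothing visible here records how the new `root.json` was obtained; the PR description should say it was produced by `make update-embedded-root`, i.e. fetched through the TUF client that verifies v13 against v12's keys, rather than copied from a web download. The new key's entry also omits the `keyid_hash_algorithms` list that every other key in the file carries; that is presumably how upstream serialised it, but since the signatures cover the `signed` object any local edit to it would break verification, so it is worth confirming the file is an unmodified client-fetched copy.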
@@ -120,11 +120,11 @@
 },
 "targets": {
 "keyids": [
- "6f260089d5923daf20166ca657c543af618346ab971884a99962b01988bbe0c3",
 "e71a54d543835ba86adad9460379c7641fb8726d164ea766801a1c522aba7ea2",
 "22f4caec6d8e6f9555af66b3d4c3cb06a3bb23fdc7e39c916c61f462e6f52b06",
 "61643838125b440b40db6942f5cb5a31c0dc04368316eb2aaa58b95904a58222",
- "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70"
+ "a687e5bf4fab82b0ee58d46e05c9535145a2c9afb458f43d42b45ca0fdce2a70",
+ "183e64f37670dc13ca0d28995a3053f3740954ddce44321a41e46534cf44e632"
 ],
 "threshold": 3
 },
@@ -138,7 +138,7 @@
 }
 },
 "spec_version": "1.0",
- "version": 12,
+ "version": 13,
 "x-tuf-on-ci-expiry-period": 197,
 "x-tuf-on-ci-signing-period": 46
 }
diff --git a/sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/trusted_root.json b/sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/trusted_root.json
index b8706cb3..1c492627 100644
--- a/sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/trusted_root.json
+++ b/sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/trusted_root.json
@@ -8,7 +8,7 @@
 "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2G2Y+2tabdTV5BcGiBIx0a9fAFwrkBbmLSGtks4L3qX6yYY0zufBnhC8Ur/iy55GhWP/9A/bY2LhC30M9+RYtw==",
 "keyDetails": "PKIX_ECDSA_P256_SHA_256",
 "validFor": {
- "start": "2021-01-12T11:53:27.000Z"
+ "start": "2021-01-12T11:53:27Z"
 }
 },
 "logId": {
@@ -31,7 +31,7 @@
 ]
 },
 "validFor": {
- "start": "2021-03-07T03:20:29.000Z",
+ "start": "2021-03-07T03:20:29Z",
 "end": "2022-12-31T23:59:59.999Z"
 }
 },
@@ -52,7 +52,7 @@
 ]
 },
 "validFor": {
- "start": "2022-04-13T20:06:15.000Z"
+ "start": "2022-04-13T20:06:15Z"
 }
 }
 ],
@@ -64,7 +64,7 @@
 "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbfwR+RJudXscgRBRpKX1XFDy3PyudDxz/SfnRi1fT8ekpfBd2O1uoz7jr3Z8nKzxA69EUQ+eFCFI3zeubPWU7w==",
 "keyDetails": "PKIX_ECDSA_P256_SHA_256",
 "validFor": {
- "start": "2021-03-14T00:00:00.000Z",
+ "start": "2021-03-14T00:00:00Z",
 "end": "2022-10-31T23:59:59.999Z"
 }
 },
@@ -79,12 +79,34 @@
 "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiPSlFi0CmFTfEjCUqF9HuCEcYXNKAaYalIJmBZ8yyezPjTqhxrKBpMnaocVtLJBI1eM3uXnQzQGAJdJ4gs9Fyw==",
 "keyDetails": "PKIX_ECDSA_P256_SHA_256",
 "validFor": {
- "start": "2022-10-20T00:00:00.000Z"
+ "start": "2022-10-20T00:00:00Z"
 }
 },
 "logId": {
 "keyId": "3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4="
 }
 }
+ ],
+ "timestampAuthorities": [
+ {
+ "subject": {
+ "organization": "sigstore.dev",
+ "commonName": "sigstore-tsa-selfsigned"
+ },
+ "uri": "https://timestamp.sigstore.dev/api/v1/timestamp",
+ "certChain": {
+ "certificates": [
+ {
+ "rawBytes": "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"
+ },
+ {
+ "rawBytes": "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"
+ }
+ ]
+ },
+ "validFor": {
+ "start": "2025-07-04T00:00:00Z"
+ }
+ }
 ]
 }
diff --git a/test/unit/internal/test_trust.py b/test/unit/internal/test_trust.py
index 26b7278e..13123b38 100644
--- a/test/unit/internal/test_trust.py
+++ b/test/unit/internal/test_trust.py
@@ -17,8 +17,6 @@ from datetime import datetime, timedelta, timezone
 import pytest
-from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
-from cryptography.x509 import load_pem_x509_certificate
 from sigstore_models.common.v1 import TimeRange
 from sigstore_models.trustroot.v1 import (
 Service,
@@ -38,7 +36,6 @@ TrustedRoot,
 _is_timerange_valid,
 )
-from sigstore._utils import load_pem_public_key
 from sigstore.errors import Error
 # Test data for TestSigningcconfig
@@ -248,59 +245,6 @@ def test_bad_media_type(self, asset):
 # TODO(ww): Move these into appropriate class-scoped tests.
-def test_trust_root_tuf_caches_and_requests(mock_staging_tuf, tuf_dirs):
- # start with empty target cache, empty local metadata dir
- data_dir, cache_dir = tuf_dirs
-
- # keep track of requests the TrustUpdater invoked by TrustedRoot makes
- reqs, fail_reqs = mock_staging_tuf
-
- trust_config = ClientTrustConfig.staging()
- # metadata was "downloaded" from staging
- expected = [
- "root.json",
- "root_history",
- "snapshot.json",
- "targets.json",
- "timestamp.json",
- ]
- assert sorted(os.listdir(data_dir)) == expected
-
- # Expect requests of top-level metadata (and 404 for the next root version)
- # Don't expect trusted_root.json request as it's cached already
- expected_requests = {
- "timestamp.json": 1,
- "16.snapshot.json": 1,
- "17.targets.json": 1,
- "ed6a9cf4e7c2e3297a4b5974fce0d17132f03c63512029d7aa3a402b43acab49.trusted_root.json": 1,
- }
- expected_fail_reqs = {"12.root.json": 1}
- assert reqs == expected_requests
- assert fail_reqs == expected_fail_reqs
-
- trust_config.trusted_root.ct_keyring(KeyringPurpose.VERIFY)
- trust_config.trusted_root.rekor_keyring(KeyringPurpose.VERIFY)
-
- # no new requests
- assert reqs == expected_requests
- assert fail_reqs == expected_fail_reqs
-
- # New trust root (and TrustUpdater instance), same cache dirs
- trust_config = ClientTrustConfig.staging()
-
- # Expect new timestamp and root requests
- expected_requests["timestamp.json"] += 1
- expected_fail_reqs["12.root.json"] += 1
- assert reqs == expected_requests
- assert fail_reqs == expected_fail_reqs
-
- trust_config.trusted_root.ct_keyring(purpose=KeyringPurpose.VERIFY)
- trust_config.trusted_root.rekor_keyring(purpose=KeyringPurpose.VERIFY)
- # Expect no requests
- assert reqs == expected_requests
- assert fail_reqs == expected_fail_reqs
-
-
 def test_trust_root_tuf_offline(mock_staging_tuf, tuf_dirs):
 # start with empty target cache, empty local metadata dir
 data_dir, cache_dir = tuf_dirs
@@ -352,105 +296,6 @@ def range_from(offset_lower=0, offset_upper=0):
 ) # Valid: 1 ago, 1 ago
-def test_trust_root_bundled_get(monkeypatch, mock_staging_tuf, tuf_asset):
- def get_public_bytes(keys):
- assert len(keys) != 0
- return {
- k.public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)
- for k in keys
- }
-
- def _pem_keys(keys):
- return get_public_bytes([load_pem_public_key(k) for k in keys])
-
- ctfe_keys = _pem_keys(
- [
- tuf_asset.target("ctfe_2022_2.pub"),
- ]
- )
- rekor_keys = _pem_keys([tuf_asset.target("rekor.pub")])
- fulcio_certs = [
- load_pem_x509_certificate(c)
- for c in [
- tuf_asset.target("fulcio_intermediate.crt.pem"),
- tuf_asset.target("fulcio.crt.pem"),
- ]
- ]
-
- # Assert that trust root from TUF contains the expected keys/certs
- trust_root = ClientTrustConfig.staging().trusted_root
- assert ctfe_keys.issubset(
- get_public_bytes(
- [
- k.key
- for k in trust_root.ct_keyring(
- purpose=KeyringPurpose.VERIFY
- )._keyring.values()
- ]
- )
- )
- assert rekor_keys.issubset(
- get_public_bytes(
- [
- k.key
- for k in trust_root.rekor_keyring(
- purpose=KeyringPurpose.VERIFY
- )._keyring.values()
- ]
- )
- )
- assert trust_root.get_fulcio_certs() == fulcio_certs
-
- # Assert that trust root from offline TUF contains the expected keys/certs
- trust_root = ClientTrustConfig.staging(offline=True).trusted_root
- assert ctfe_keys.issubset(
- get_public_bytes(
- [
- k.key
- for k in trust_root.ct_keyring(
- purpose=KeyringPurpose.VERIFY
- )._keyring.values()
- ]
- )
- )
- assert rekor_keys.issubset(
- get_public_bytes(
- [
- k.key
- for k in trust_root.rekor_keyring(
- purpose=KeyringPurpose.VERIFY
- )._keyring.values()
- ]
- )
- )
- assert trust_root.get_fulcio_certs() == fulcio_certs
-
- # Assert that trust root from file contains the expected keys/certs
- path = tuf_asset.target_path("trusted_root.json")
- trust_root = TrustedRoot.from_file(path)
- assert ctfe_keys.issubset(
- get_public_bytes(
- [
- k.key
- for k in trust_root.ct_keyring(
- purpose=KeyringPurpose.VERIFY
- )._keyring.values()
- ]
- )
- )
- assert rekor_keys.issubset(
- get_public_bytes(
- [
- k.key
- for k in trust_root.rekor_keyring(
- purpose=KeyringPurpose.VERIFY
- )._keyring.values()
- ]
- )
- )
- assert trust_root.get_fulcio_certs() == fulcio_certs
-
-
 def test_trust_root_tuf_instance_error():
 # Expect file not found since embedded root.json is not found and
 # no local metadata is found
diff --git a/test/unit/verify/test_verifier.py b/test/unit/verify/test_verifier.py
index 56871e9c..f03de96b 100644
--- a/test/unit/verify/test_verifier.py
+++ b/test/unit/verify/test_verifier.py
@@ -36,7 +36,8 @@ def test_verifier_production():
 assert verifier is not None
-def test_verifier_staging(mock_staging_tuf):
+@pytest.mark.staging
+def test_verifier_staging():
 verifier = Verifier.staging()
 assert verifier is not None
@@ -51,7 +52,7 @@ def test_verifier_one_verification(signing_materials, null_policy):
 @pytest.mark.staging
-def test_verifier_inconsistent_log_entry(signing_bundle, null_policy, mock_staging_tuf):
+def test_verifier_inconsistent_log_entry(signing_bundle, null_policy):
 (file, bundle) = signing_bundle("bundle_cve_2022_36056.txt")
 verifier = Verifier.staging()
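Review bot: `test_verifier_staging` now requires the live staging TUF repository: the `mock_staging_tuf` fixture is dropped and the test is marked `@pytest.mark.staging`, so in the default run (where staging-marked tests are presumably deselected) `Verifier.staging()` is no longer exercised at all. With this PR also deleting `test_trust_root_bundled_get`, which compared the embedded, offline and file-loaded staging roots, a broken embedded `sigstage.dev` trust root would only surface on a networked run; an offline check along the lines of the removed `ClientTrustConfig.staging(offline=True).trusted_root` would keep that covered. The same fixture removal in the next hunk (`test_verifier_inconsistent_log_entry`) is consistent with this, and that hunk continues past the end of this view.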