WIP: Update to new securesystemslib API #2617
Merged
+236
−317
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This comment was marked as outdated.
This comment was marked as outdated.
|
rebase on main |
Pull Request Test Coverage Report for Build 8936840461Warning: This coverage report may be inaccurate.This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.
Details
💛 - Coveralls |
* API changes covered: * keys and interface modules removed * SSlibSigner removed * CryptoSigner added: this replaces the removed functionality * DSSE "signatures" container type changed * Currently pins a securesystemslib main branch commit: this shoudl be reverted before merging, when securesystemslib has made a release * tests/generated_data/generate_md.py was simplified * Encrypted test keys in tests/repository_data/keystore were replaced with the unencrypted PEM versions of the same keys * The public test keys in tests/repository_data/keystore were removed as they were not used anymore Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
private_bytes was just added to CryptoSigner, use it. Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
|
I suppose this is now ready for review 🤷 |
lukpueh
added a commit
to lukpueh/repository-service-tuf-worker
that referenced
this pull request
May 2, 2024
* Update securesystemslib 1.0.0 in requirements*.txt files -> requires pinning a dev version of tuf TODO: - adopt in Pipfile - update tuf when theupdateframework/python-tuf#2617 is released * Remove local keyvault service, which makes heavy use of legacy securesystemslib interfaces removed in 1.0.0. TODO: - adopt in docs, config, etc - consider removing obsolete IKeyVault * Remove keyvault initialisation in MetadatRepository, which (I think) would try to load local key vault otherwise * Adopt removal in tests, just enough, so that they pass. TODO: - check if the tests still make sense * Drop registration of CryptoSigner and use its new uri scheme "file2" in SignerStore. "file2" can be used like "file", but only for non-encrypted key files, which is all we care for in the worker. "file2" can also be used like "fn" from the custom "FileNameSigner", i.e. with a directory specified via envvar. TODO: - consider only using "file2" and dropping the custom "FileNameSigner" (or only using it to ovverride the scheme name and the envvar name. Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
lukpueh
approved these changes
May 3, 2024
There was a problem hiding this comment.
Looks good. There's one mention of SSlibSigner left in a docstring. I can remove it.
python-tuf/tuf/api/metadata.py
Line 356 in 38f309b
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
lukpueh
added a commit
to lukpueh/repository-service-tuf-worker
that referenced
this pull request
May 3, 2024
* Update securesystemslib 1.0.0 in requirements*.txt files -> requires pinning a dev version of tuf TODO: - adopt in Pipfile (I tried, but `pipenv lock` was taking way too long for my taste) - update tuf when theupdateframework/python-tuf#2617 is released * Remove local keyvault service, which makes heavy use of legacy securesystemslib interfaces, which are no longer available in 1.0.0. TODO: - adopt in docs, config, etc - consider removing obsolete IKeyVault * Remove keyvault initialisation in MetadatRepository, which would try to load local key vault in tests, given the current configs (see TODO above) * Adopt removal in tests, just enough, so that they pass. TODO: - check if the tests still make sense * Drop registration of CryptoSigner and use its new uri scheme "file2" in SignerStore. "file2" can be used like "file", but only for non-encrypted key files, which is all we care for in the worker. "file2" can also be used like "fn" from the custom "FileNameSigner", i.e. with a directory specified via envvar. TODO: - consider only using "file2" and dropping the custom "FileNameSigner" (or only using it to ovverride the scheme name and the envvar name) Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
6 tasks
kairoaraujo
pushed a commit
to lukpueh/repository-service-tuf-worker
that referenced
this pull request
Jul 25, 2024
* Update securesystemslib 1.0.0 in requirements*.txt files -> requires pinning a dev version of tuf TODO: - adopt in Pipfile (I tried, but `pipenv lock` was taking way too long for my taste) - update tuf when theupdateframework/python-tuf#2617 is released * Remove local keyvault service, which makes heavy use of legacy securesystemslib interfaces, which are no longer available in 1.0.0. TODO: - adopt in docs, config, etc - consider removing obsolete IKeyVault * Remove keyvault initialisation in MetadatRepository, which would try to load local key vault in tests, given the current configs (see TODO above) * Adopt removal in tests, just enough, so that they pass. TODO: - check if the tests still make sense * Drop registration of CryptoSigner and use its new uri scheme "file2" in SignerStore. "file2" can be used like "file", but only for non-encrypted key files, which is all we care for in the worker. "file2" can also be used like "fn" from the custom "FileNameSigner", i.e. with a directory specified via envvar. TODO: - consider only using "file2" and dropping the custom "FileNameSigner" (or only using it to ovverride the scheme name and the envvar name) Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
MVrachev
pushed a commit
to repository-service-tuf/repository-service-tuf-worker
that referenced
this pull request
Jul 26, 2024
* Update securesystemslib 1.0.0 (WIP) * Update securesystemslib 1.0.0 in requirements*.txt files -> requires pinning a dev version of tuf TODO: - adopt in Pipfile (I tried, but `pipenv lock` was taking way too long for my taste) - update tuf when theupdateframework/python-tuf#2617 is released * Remove local keyvault service, which makes heavy use of legacy securesystemslib interfaces, which are no longer available in 1.0.0. TODO: - adopt in docs, config, etc - consider removing obsolete IKeyVault * Remove keyvault initialisation in MetadatRepository, which would try to load local key vault in tests, given the current configs (see TODO above) * Adopt removal in tests, just enough, so that they pass. TODO: - check if the tests still make sense * Drop registration of CryptoSigner and use its new uri scheme "file2" in SignerStore. "file2" can be used like "file", but only for non-encrypted key files, which is all we care for in the worker. "file2" can also be used like "fn" from the custom "FileNameSigner", i.e. with a directory specified via envvar. TODO: - consider only using "file2" and dropping the custom "FileNameSigner" (or only using it to ovverride the scheme name and the envvar name) Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu> * chore: dependencies and ci/cd Signed-off-by: Kairo Araujo <kairo.araujo@testifysec.com> * fixup! Update securesystemslib 1.0.0 (WIP) Signed-off-by: Kairo Araujo <kairo.araujo@testifysec.com> * docs: update related docs about IKeyVault removal Signed-off-by: Kairo Araujo <kairo.araujo@testifysec.com> * fixup! fixup! Update securesystemslib 1.0.0 (WIP) * fix: update the dependencies, including securesystemslib Signed-off-by: Kairo Araujo <kairo.araujo@testifysec.com> --------- Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu> Signed-off-by: Kairo Araujo <kairo.araujo@testifysec.com> Co-authored-by: Kairo Araujo <kairo.araujo@testifysec.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Update to new (currently unreleased) securesystemslib API
this should be reverted before merging, when securesystemslib
has made a release
with the unencrypted PEM versions of the same keys
as they were not used anymore
It's a bit annoyingly in a single commit... but I was working on this fixing one test failure at a time: reasonable commits were not really an option during the work. Anyway, I think this proves the securesystemslib API changes are solid enough.
TODO: