@@ -199,11 +199,11 @@ def __init__(self, path_to_tuf_config_file):
199199 # we use the same consistent snapshot to download targets.
200200 self .__updater .refresh ()
201201
202- def __download_in_toto_metadata (self , updated_target ):
202+ def __download_in_toto_metadata (self , target ):
203203 # A list to collect where in-toto metadata targets live.
204204 target_relpaths = []
205205
206- fileinfo = updated_target .get ('fileinfo' )
206+ fileinfo = target .get ('fileinfo' )
207207
208208 if fileinfo :
209209 custom = fileinfo .get ('custom' )
@@ -302,10 +302,8 @@ def __verify_in_toto_metadata(self, target_relpath,
302302 finally :
303303 os .chdir (prev_cwd )
304304
305- def __download_and_verify_in_toto_metadata (self , updated_target ,
306- target_relpath ):
307- in_toto_metadata_relpaths = \
308- self .__download_in_toto_metadata (updated_target )
305+ def __download_and_verify_in_toto_metadata (self , target , target_relpath ):
306+ in_toto_metadata_relpaths = self .__download_in_toto_metadata (target )
309307
310308 if not len (in_toto_metadata_relpaths ):
311309 raise NoInTotoLinkMetadataFound (target_relpath )
@@ -336,29 +334,29 @@ def _get_target(self, target_relpath, download_in_toto_metadata=True):
336334 # First, we use TUF to download and verify the target.
337335 assert len (updated_targets ) == 1
338336 updated_target = updated_targets [0 ]
337+ assert updated_target == target
339338 self .__updater .download_target (updated_target , self .__targets_dir )
340339
341- # Next, we use in-toto to verify the supply chain of the target.
342- # NOTE: We use a flag to avoid recursively downloading in-toto
343- # metadata for in-toto metadata themselves, and so on ad infinitum.
344- # NOTE: We use a global flag (self.__DOWNLOAD_IN_TOTO_METADATA) for
345- # coarse-grained control, and a local flag
346- # (download_in_toto_metadata) for fine-grained control (e.g.,
347- # override global flag, even when switched on, for HTML files).
348- # TODO: When it comes to HTML files, we should just verify.
349- # All other files, presumably packages, should also be
350- # inspected.
351- # TODO: Ideally, shouldn't we check that the simple index and
352- # any corresponding wheel were actually built in the same
353- # pipeline run?
354- if self .__DOWNLOAD_IN_TOTO_METADATA and \
355- download_in_toto_metadata and \
356- not target_relpath .endswith ('.html' ):
357- self .__download_and_verify_in_toto_metadata (updated_target ,
358- target_relpath )
359- else :
360- logging .warning ('Switched off in-toto verification for {}' \
361- .format (target_relpath ))
340+ # Next, we use in-toto to verify the supply chain of the target.
341+ # NOTE: We use a flag to avoid recursively downloading in-toto
342+ # metadata for in-toto metadata themselves, and so on ad infinitum.
343+ # NOTE: We use a global flag (self.__DOWNLOAD_IN_TOTO_METADATA) for
344+ # coarse-grained control, and a local flag
345+ # (download_in_toto_metadata) for fine-grained control (e.g.,
346+ # override global flag, even when switched on, for HTML files).
347+ # TODO: When it comes to HTML files, we should just verify.
348+ # All other files, presumably packages, should also be
349+ # inspected.
350+ # TODO: Ideally, shouldn't we check that the simple index and
351+ # any corresponding wheel were actually built in the same
352+ # pipeline run?
353+ if self .__DOWNLOAD_IN_TOTO_METADATA and \
354+ download_in_toto_metadata and \
355+ not target_relpath .endswith ('.html' ):
356+ self .__download_and_verify_in_toto_metadata (target , target_relpath )
357+ else :
358+ logging .warning ('Switched off in-toto verification for {}' \
359+ .format (target_relpath ))
362360
363361 target_path = os .path .join (self .__targets_dir , target_relpath )
364362 return target_path
0 commit comments