Add func to retrieve TrustedRoot from TUF

Signed-off-by: Cody Soyland <[email protected]>

Sync TUF cache used for sigstore bundle verification (sigstore#166)

* sync tuf cache used for sigstore bundle verification

Signed-off-by: Meredith Lancaster <[email protected]>

* remove singleton err

Signed-off-by: Meredith Lancaster <[email protected]>

* start adding lock

Signed-off-by: Meredith Lancaster <[email protected]>

* Use RWMutex

Signed-off-by: Meredith Lancaster <[email protected]>

* pr feedback

Signed-off-by: Meredith Lancaster <[email protected]>

---------

Signed-off-by: Meredith Lancaster <[email protected]>

Fix shadowed trustedroot (sigstore#178)

* Fix shadowed variable bug

This code caused the singleton `trustedRoot` to be returned as nil on subsequent calls. The singleton was shadowed when the variable was redeclared in the `if` block.

Signed-off-by: Cody Soyland <[email protected]>

* Remove unused singleton

`singletonRootError` was never returned without being overwritten, so it was essentially unused. I think it's wise to always retry the TUF call on future invocations in case of network errors.

Signed-off-by: Cody Soyland <[email protected]>

---------

Signed-off-by: Cody Soyland <[email protected]>

Author: codysoyland

go.mod

@@ -64,6 +64,7 @@ require (
 	github.com/go-jose/go-jose/v4 v4.0.4
 	github.com/sigstore/protobuf-specs v0.3.2
 	github.com/sigstore/scaffolding v0.7.11
+	github.com/sigstore/sigstore-go v0.6.2
 	github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.10
 	github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.10
 	github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.10
@@ -231,7 +232,6 @@ require (
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
-	github.com/sigstore/sigstore-go v0.6.2 // indirect
 	github.com/sigstore/timestamp-authority v1.2.2 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect

pkg/tuf/repo.go

@@ -28,9 +28,12 @@ import (
 	"path/filepath"
 	"runtime"
 	"strings"
+	"sync"
 	"testing/fstest"
 	"time"
 
+	"github.com/sigstore/sigstore-go/pkg/root"
+	"github.com/sigstore/sigstore/pkg/tuf"
 	"github.com/theupdateframework/go-tuf/client"
 	"sigs.k8s.io/release-utils/version"
 )
@@ -294,3 +297,43 @@ func ClientFromRemote(_ context.Context, mirror string, rootJSON []byte, targets
 	}
 	return tufClient, nil
 }
+
+var (
+	mu          sync.RWMutex
+	timestamp   time.Time
+	trustedRoot *root.TrustedRoot
+)
+
+// GetTrustedRoot returns the trusted root for the TUF repository.
+func GetTrustedRoot() (*root.TrustedRoot, error) {
+	now := time.Now().UTC()
+	// check if timestamp has never been or if the current time is more
+	// than 24 hours after the current value of timestamp
+	if timestamp.IsZero() || now.After(timestamp.Add(24*time.Hour)) {
+		mu.Lock()
+		defer mu.Unlock()
+
+		tufClient, err := tuf.NewFromEnv(context.Background())
+		if err != nil {
+			return nil, fmt.Errorf("initializing tuf: %w", err)
+		}
+		// TODO: add support for custom trusted root path
+		targetBytes, err := tufClient.GetTarget("trusted_root.json")
+		if err != nil {
+			return nil, fmt.Errorf("error getting targets: %w", err)
+		}
+		trustedRoot, err = root.NewTrustedRootFromJSON(targetBytes)
+		if err != nil {
+			return nil, fmt.Errorf("error creating trusted root: %w", err)
+		}
+
+		timestamp = now
+
+		return trustedRoot, nil
+	}
+
+	mu.RLock()
+	defer mu.RUnlock()
+
+	return trustedRoot, nil
+}