Ensure there's no sigstore cache clashing

Signed-off-by: Radoslav Dimitrov <[email protected]>

deployment/helm/templates/deployment.yaml

@@ -101,7 +101,7 @@ spec:
           - name: identity-secrets
             mountPath: /secrets/identity
           - name: sigstore-tuf-cache
-            mountPath: /tmp/tufcache
+            mountPath: /tmp/minder-cache
           {{- if .Values.deploymentSettings.extraVolumeMounts }}
           {{- toYaml .Values.deploymentSettings.extraVolumeMounts | nindent 10 }}
           {{- end }}

deployment/helm_tests/basic.yaml-out

@@ -360,7 +360,7 @@ spec:
           - name: identity-secrets
             mountPath: /secrets/identity
           - name: sigstore-tuf-cache
-            mountPath: /tmp/tufcache
+            mountPath: /tmp/minder-cache
       volumes:
       - name: config
         configMap:

deployment/helm_tests/sidecar.yaml-out

@@ -362,7 +362,7 @@ spec:
           - name: identity-secrets
             mountPath: /secrets/identity
           - name: sigstore-tuf-cache
-            mountPath: /tmp/tufcache
+            mountPath: /tmp/minder-cache
           - mountPath: /secrets/db
             name: db-password
         - args:

docker-compose.yaml

@@ -33,7 +33,7 @@ services:
       ]
     restart: always # keep the server running
     tmpfs:
-      - /tmp/tufcache
+      - /tmp/minder-cache
     # read_only: true
     ports:
       - "8080:8080"

internal/controlplane/handlers_githubwebhooks.go

@@ -728,6 +728,7 @@ func storeSignatureAndWorkflowInVersion(
 	if err != nil {
 		return fmt.Errorf("error getting sigstore verifier: %w", err)
 	}
+	defer artifactVerifier.ClearCache()
 
 	// now get information for signature and workflow
 	res, err := artifactVerifier.Verify(ctx, verifier.ArtifactTypeContainer, "",

internal/reconcilers/artifacts.go

@@ -159,6 +159,14 @@ func (e *Reconciler) handleArtifactsReconcilerEvent(ctx context.Context, evt *Re
 		}
 		return err
 	}
+
+	// create artifact verifier
+	artifactVerifier, err := verifier.NewVerifier(verifier.VerifierSigstore, cli.GetToken())
+	if err != nil {
+		return fmt.Errorf("error getting sigstore verifier: %w", err)
+	}
+	defer artifactVerifier.ClearCache()
+
 	for _, artifact := range artifacts {
 		// store information if we do not have it
 		newArtifact, err := e.store.UpsertArtifact(ctx,
@@ -187,12 +195,6 @@ func (e *Reconciler) handleArtifactsReconcilerEvent(ctx context.Context, evt *Re
 			continue
 		}
 
-		// create artifact verifier
-		artifactVerifier, err := verifier.NewVerifier(verifier.VerifierSigstore, cli.GetToken())
-		if err != nil {
-			return fmt.Errorf("error getting sigstore verifier: %w", err)
-		}
-
 		// iterate over versions and store them
 		var listVersionedArtifacts []*pb.ArtifactVersion
 		for _, version := range versions {

internal/verifier/sigstore/sigstore.go

@@ -29,8 +29,6 @@ import (
 const (
 	// SigstorePublicTrustedRootRepo is the public trusted root repository for sigstore
 	SigstorePublicTrustedRootRepo = "tuf-repo-cdn.sigstore.dev"
-	// SigstoreCacheDir is the directory where sigstore's trusted root is cached
-	SigstoreCacheDir = "/tmp/tufcache"
 )
 
 // Sigstore is the sigstore verifier
@@ -40,9 +38,9 @@ type Sigstore struct {
 }
 
 // New creates a new Sigstore verifier
-func New(trustedRoot, accessToken string) (*Sigstore, error) {
+func New(trustedRoot, accessToken, cacheDir string) (*Sigstore, error) {
 	// init sigstore's verifier
-	trustedrootJSON, err := tuf.GetTrustedrootJSON(trustedRoot, SigstoreCacheDir)
+	trustedrootJSON, err := tuf.GetTrustedrootJSON(trustedRoot, cacheDir)
 	if err != nil {
 		return nil, err
 	}

internal/verifier/verifier.go

@@ -20,6 +20,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"log"
+	"os"
 	"strings"
 
 	"google.golang.org/protobuf/encoding/protojson"
@@ -32,6 +33,8 @@ import (
 const (
 	// ArtifactSignatureSuffix is the suffix for the signature tag
 	ArtifactSignatureSuffix = ".sig"
+	// LocalCacheDir is the local cache directory for the verifier
+	LocalCacheDir = "/tmp/minder-cache"
 )
 
 // ArtifactVerifier is the interface for artifact verifiers
@@ -68,25 +71,33 @@ const (
 // Verifier is the object that verifies artifacts
 type Verifier struct {
 	verifier ArtifactVerifier
+	cacheDir string
 }
 
 // NewVerifier creates a new Verifier object
 func NewVerifier(verifier Type, accessToken string) (*Verifier, error) {
 	var err error
 	var v ArtifactVerifier
+	// create a temporary directory for storing the sigstore cache
+	tmpDir, err := os.MkdirTemp(LocalCacheDir, "sigstore")
+	if err != nil {
+		return nil, fmt.Errorf("failed to create temporary sigstore cache directory: %w", err)
+	}
 
-	// Create the verifier
+	// create the verifier
 	switch verifier {
 	case VerifierSigstore:
-		v, err = sigstore.New(sigstore.SigstorePublicTrustedRootRepo, accessToken)
+		v, err = sigstore.New(sigstore.SigstorePublicTrustedRootRepo, accessToken, tmpDir)
 		if err != nil {
 			return nil, fmt.Errorf("error creating sigstore verifier: %w", err)
 		}
 	default:
 		return nil, fmt.Errorf("unknown verifier type: %s", verifier)
 	}
+	// return the verifier
 	return &Verifier{
 		verifier: v,
+		cacheDir: tmpDir,
 	}, nil
 }
 
@@ -117,6 +128,14 @@ func (v *Verifier) Verify(ctx context.Context, artifactType ArtifactType, regist
 	return &Result{SignatureInfo: sigInfo, WorkflowInfo: workInfo, URI: ref}, nil
 }
 
+// ClearCache cleans up the verifier cache directory and all its contents
+// This is temporary until sigstore-go supports in-memory verification
+func (v *Verifier) ClearCache() {
+	if err := os.RemoveAll(v.cacheDir); err != nil {
+		log.Println("error deleting temporary sigstore cache directory:", err)
+	}
+}
+
 // GetSignatureTag returns the signature tag for a given image, if exists, otherwise empty string
 func GetSignatureTag(tags []string) string {
 	// if the artifact has a .sig tag it's a signature, skip it