diff --git a/deployment/helm/templates/deployment.yaml b/deployment/helm/templates/deployment.yaml index 4415d87d7b..5cc3ad0908 100644 --- a/deployment/helm/templates/deployment.yaml +++ b/deployment/helm/templates/deployment.yaml @@ -101,7 +101,7 @@ spec: - name: identity-secrets mountPath: /secrets/identity - name: sigstore-tuf-cache - mountPath: /tmp/tufcache + mountPath: /tmp/minder-cache {{- if .Values.deploymentSettings.extraVolumeMounts }} {{- toYaml .Values.deploymentSettings.extraVolumeMounts | nindent 10 }} {{- end }} diff --git a/deployment/helm_tests/basic.yaml-out b/deployment/helm_tests/basic.yaml-out index 4cbc2be45a..23f158aa82 100644 --- a/deployment/helm_tests/basic.yaml-out +++ b/deployment/helm_tests/basic.yaml-out @@ -360,7 +360,7 @@ spec: - name: identity-secrets mountPath: /secrets/identity - name: sigstore-tuf-cache - mountPath: /tmp/tufcache + mountPath: /tmp/minder-cache volumes: - name: config configMap: diff --git a/deployment/helm_tests/sidecar.yaml-out b/deployment/helm_tests/sidecar.yaml-out index ee342af5b2..2ac9287817 100644 --- a/deployment/helm_tests/sidecar.yaml-out +++ b/deployment/helm_tests/sidecar.yaml-out @@ -362,7 +362,7 @@ spec: - name: identity-secrets mountPath: /secrets/identity - name: sigstore-tuf-cache - mountPath: /tmp/tufcache + mountPath: /tmp/minder-cache - mountPath: /secrets/db name: db-password - args: diff --git a/docker-compose.yaml b/docker-compose.yaml index 5faabc4204..fcd16c2bf5 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -33,7 +33,7 @@ services: ] restart: always # keep the server running tmpfs: - - /tmp/tufcache + - /tmp/minder-cache # read_only: true ports: - "8080:8080" diff --git a/internal/controlplane/handlers_githubwebhooks.go b/internal/controlplane/handlers_githubwebhooks.go index 7189626808..b9f30f5754 100644 --- a/internal/controlplane/handlers_githubwebhooks.go +++ b/internal/controlplane/handlers_githubwebhooks.go 
@@ -728,6 +728,7 @@ func storeSignatureAndWorkflowInVersion(
 if err != nil {
 return fmt.Errorf("error getting sigstore verifier: %w", err)
 }
+ defer artifactVerifier.ClearCache()
 // now get information for signature and workflow
 res, err := artifactVerifier.Verify(ctx, verifier.ArtifactTypeContainer, "",
diff --git a/internal/reconcilers/artifacts.go b/internal/reconcilers/artifacts.go
index c70d6f6d0f..e5e8786a9a 100644
--- a/internal/reconcilers/artifacts.go
+++ b/internal/reconcilers/artifacts.go
@@ -159,6 +159,14 @@ func (e *Reconciler) handleArtifactsReconcilerEvent(ctx context.Context, evt *Re
 }
 return err
 }
+
+ // create artifact verifier
+ artifactVerifier, err := verifier.NewVerifier(verifier.VerifierSigstore, cli.GetToken())
+ if err != nil {
+ return fmt.Errorf("error getting sigstore verifier: %w", err)
+ }
+ defer artifactVerifier.ClearCache()
+
 for _, artifact := range artifacts {
 // store information if we do not have it
 newArtifact, err := e.store.UpsertArtifact(ctx,
@@ -187,12 +195,6 @@ func (e *Reconciler) handleArtifactsReconcilerEvent(ctx context.Context, evt *Re
 continue
 }
- // create artifact verifier
- artifactVerifier, err := verifier.NewVerifier(verifier.VerifierSigstore, cli.GetToken())
- if err != nil {
- return fmt.Errorf("error getting sigstore verifier: %w", err)
- }
-
 // iterate over versions and store them
 var listVersionedArtifacts []*pb.ArtifactVersion
 for _, version := range versions {
diff --git a/internal/verifier/sigstore/sigstore.go b/internal/verifier/sigstore/sigstore.go
index 2a955b67f8..569c81d4f9 100644
--- a/internal/verifier/sigstore/sigstore.go
+++ b/internal/verifier/sigstore/sigstore.go
@@ -29,8 +29,6 @@ import (
 const (
 // SigstorePublicTrustedRootRepo is the public trusted root repository for sigstore
 SigstorePublicTrustedRootRepo = "tuf-repo-cdn.sigstore.dev"
- // SigstoreCacheDir is the directory where sigstore's trusted root is cached
- SigstoreCacheDir = "/tmp/tufcache"
 )
 // Sigstore is the sigstore verifier
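Review bot: The deferred ClearCache added here scopes the TUF cache to a single webhook invocation, so every delivery that reaches this point builds its own cache directory and, as far as the diff shows, sigstore.New presumably re-fetches the trusted root from tuf-repo-cdn.sigstore.dev each time; a burst of webhooks becomes one network round-trip per event and a CDN outage becomes a verification outage. If that trade-off is intended until in-memory verification lands, say so at the call site, e.g. `// cache is per-invocation; the trusted root is fetched on every NewVerifier call`. The artifacts.go hunk below has the same property, though there the verifier is at least hoisted out of the per-artifact loop. storeSignatureAndWorkflowInVersion starts and ends outside this hunk.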
@@ -40,9 +38,9 @@ type Sigstore struct {
 }
 // New creates a new Sigstore verifier
-func New(trustedRoot, accessToken string) (*Sigstore, error) {
+func New(trustedRoot, accessToken, cacheDir string) (*Sigstore, error) {
 // init sigstore's verifier
- trustedrootJSON, err := tuf.GetTrustedrootJSON(trustedRoot, SigstoreCacheDir)
+ trustedrootJSON, err := tuf.GetTrustedrootJSON(trustedRoot, cacheDir)
 if err != nil {
 return nil, err
 }
diff --git a/internal/verifier/verifier.go b/internal/verifier/verifier.go
index 76388fcee3..4c2be24fba 100644
--- a/internal/verifier/verifier.go
+++ b/internal/verifier/verifier.go
@@ -20,6 +20,7 @@ import (
 "encoding/json"
 "fmt"
 "log"
+ "os"
 "strings"
 "google.golang.org/protobuf/encoding/protojson"
@@ -32,6 +33,8 @@ import (
 const (
 // ArtifactSignatureSuffix is the suffix for the signature tag
 ArtifactSignatureSuffix = ".sig"
+ // LocalCacheDir is the local cache directory for the verifier
+ LocalCacheDir = "/tmp/minder-cache"
 )
 // ArtifactVerifier is the interface for artifact verifiers
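Review bot: New's doc comment still reads `// New creates a new Sigstore verifier` and says nothing about the new cacheDir parameter, which is now the only thing controlling where tuf.GetTrustedrootJSON writes the trusted root. Suggest `// New creates a new Sigstore verifier. cacheDir is the directory tuf.GetTrustedrootJSON uses to cache the TUF trusted root; the caller owns its lifetime.` The value is passed straight through, so an empty cacheDir reaches the TUF layer unchecked; unless GetTrustedrootJSON is known to handle "" sensibly, a guard returning an error before the call would make the contract explicit. The remainder of New is outside this hunk.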
@@ -68,25 +71,33 @@ const (
 // Verifier is the object that verifies artifacts
 type Verifier struct {
 verifier ArtifactVerifier
+ cacheDir string
 }
 // NewVerifier creates a new Verifier object
 func NewVerifier(verifier Type, accessToken string) (*Verifier, error) {
 var err error
 var v ArtifactVerifier
+ // create a temporary directory for storing the sigstore cache
+ tmpDir, err := os.MkdirTemp(LocalCacheDir, "sigstore")
+ if err != nil {
+ return nil, fmt.Errorf("failed to create temporary sigstore cache directory: %w", err)
+ }
- // Create the verifier
+ // create the verifier
 switch verifier {
 case VerifierSigstore:
- v, err = sigstore.New(sigstore.SigstorePublicTrustedRootRepo, accessToken)
+ v, err = sigstore.New(sigstore.SigstorePublicTrustedRootRepo, accessToken, tmpDir)
 if err != nil {
 return nil, fmt.Errorf("error creating sigstore verifier: %w", err)
 }
 default:
 return nil, fmt.Errorf("unknown verifier type: %s", verifier)
 }
+ // return the verifier
 return &Verifier{
 verifier: v,
+ cacheDir: tmpDir,
 }, nil
 }
@@ -117,6 +128,14 @@ func (v *Verifier) Verify(ctx context.Context, artifactType ArtifactType, regist
 return &Result{SignatureInfo: sigInfo, WorkflowInfo: workInfo, URI: ref}, nil
 }
+// ClearCache cleans up the verifier cache directory and all its contents
+// This is temporary until sigstore-go supports in-memory verification
+func (v *Verifier) ClearCache() {
+ if err := os.RemoveAll(v.cacheDir); err != nil {
+ log.Println("error deleting temporary sigstore cache directory:", err)
+ }
+}
+
 // GetSignatureTag returns the signature tag for a given image, if exists, otherwise empty string
 func GetSignatureTag(tags []string) string {
 // if the artifact has a .sig tag it's a signature, skip it
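Review bot: The directory created by os.MkdirTemp in NewVerifier is leaked on both error returns that follow it — the sigstore.New failure and the unknown-type default — because ClearCache is only reachable through the *Verifier that those paths never return, so repeated failures accumulate directories under LocalCacheDir. Remove it before returning, e.g. `if err != nil { _ = os.RemoveAll(tmpDir); return nil, fmt.Errorf("error creating sigstore verifier: %w", err) }` and the same in the default branch. Separately, os.MkdirTemp requires its parent to exist: the helm and compose changes in this commit mount LocalCacheDir, but a bare binary run fails here unless the parent is created first, e.g. `os.MkdirAll(LocalCacheDir, 0o700)` ahead of the MkdirTemp call, which also keeps the cache tree private to the service user. NewVerifier is complete within this hunk.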