Upgrade to tuf 6.0 (sigstore#1323)

The big changes in tuf internal:
* no longer uses request
* no longer uses certifi

The included code change in this PR is not strictly necessary but is
potentially a little more secure (client no longer trusts the metadata
cache but always initializes the Updater from the embedded root).

The test changes are related to
* assumptions we make on the tuf metadata cache content
* our tests mocking a feature that was changed in TUF
  (RequestsFetcher got changed to Urllib3Fetcher)

Signed-off-by: Jussi Kukkonen <[email protected]>

Author: jku

pyproject.toml

@@ -40,7 +40,7 @@ dependencies = [
   # NOTE(ww): Both under active development, so strictly pinned.
   "sigstore-protobuf-specs == 0.3.2",
   "sigstore-rekor-types == 0.0.18",
-  "tuf ~= 5.0",
+  "tuf ~= 6.0",
   "platformdirs ~= 4.2",
 ]
 requires-python = ">=3.9"

sigstore/_internal/tuf.py

@@ -87,18 +87,6 @@ def __init__(self, url: str, offline: bool = False) -> None:
         else:
             raise RootError
 
-        # Initialize metadata dir
-        self._metadata_dir.mkdir(parents=True, exist_ok=True)
-        tuf_root = self._metadata_dir / "root.json"
-
-        if not tuf_root.exists():
-            try:
-                root_json = read_embedded("root.json", rsrc_prefix)
-            except FileNotFoundError as e:
-                raise RootError from e
-
-            tuf_root.write_bytes(root_json)
-
         # Initialize targets cache dir
         self._targets_dir.mkdir(parents=True, exist_ok=True)
         trusted_root_target = self._targets_dir / "trusted_root.json"
@@ -121,12 +109,17 @@ def __init__(self, url: str, offline: bool = False) -> None:
             )
         else:
             # Initialize and update the toplevel TUF metadata
+            try:
+                root_json = read_embedded("root.json", rsrc_prefix)
+            except FileNotFoundError as e:
+                raise RootError from e
             self._updater = Updater(
                 metadata_dir=str(self._metadata_dir),
                 metadata_base_url=self._repo_url,
                 target_base_url=parse.urljoin(f"{self._repo_url}/", "targets/"),
                 target_dir=str(self._targets_dir),
                 config=UpdaterConfig(app_user_agent=f"sigstore-python/{__version__}"),
+                bootstrap=root_json,
             )
             try:
                 self._updater.refresh()

test/unit/conftest.py

@@ -31,8 +31,7 @@
     detect_credential,
 )
 from tuf.api.exceptions import DownloadHTTPError
-from tuf.ngclient import FetcherInterface
-from tuf.ngclient.updater import requests_fetcher
+from tuf.ngclient import FetcherInterface, updater
 
 from sigstore._internal import tuf
 from sigstore._internal.rekor import _hashedrekord_from_parts
@@ -157,9 +156,7 @@ def _fetch(self, url: str) -> Iterator[bytes]:
             failure[filename] += 1
             raise DownloadHTTPError("File not found", 404)
 
-    monkeypatch.setattr(
-        requests_fetcher, "RequestsFetcher", lambda app_user_agent: MockFetcher()
-    )
+    monkeypatch.setattr(updater, "Urllib3Fetcher", lambda app_user_agent: MockFetcher())
 
     return success, failure
 

test/unit/internal/test_trust.py

@@ -80,7 +80,13 @@ def test_trust_root_tuf_caches_and_requests(mock_staging_tuf, tuf_dirs):
 
     trust_root = TrustedRoot.staging()
     # metadata was "downloaded" from staging
-    expected = ["root.json", "snapshot.json", "targets.json", "timestamp.json"]
+    expected = [
+        "root.json",
+        "root_history",
+        "snapshot.json",
+        "targets.json",
+        "timestamp.json",
+    ]
     assert sorted(os.listdir(data_dir)) == expected
 
     # Expect requests of top-level metadata (and 404 for the next root version)
@@ -126,9 +132,8 @@ def test_trust_root_tuf_offline(mock_staging_tuf, tuf_dirs):
 
     trust_root = TrustedRoot.staging(offline=True)
 
-    # Only the embedded root is in local TUF metadata, nothing is downloaded
-    expected = ["root.json"]
-    assert sorted(os.listdir(data_dir)) == expected
+    # local TUF metadata is not initialized, nothing is downloaded
+    assert not os.path.exists(data_dir)
     assert reqs == {}
     assert fail_reqs == {}