Add basic TUF repo check after generation (#8722)

labbott · web-flow · commit 5b91b1d7c109 · 2025-07-30T08:58:07.000-04:00
There are an extended number of tests designed to catch issues with TUF
repos. Despite this, it is still possible (though unlikely) to generate
a TUF repo that fails one or more checks. Nobody likes broken builds so
add an extra last check to verify that we can do "something" with the
TUF repo.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/dev-tools/releng/Cargo.toml b/dev-tools/releng/Cargo.toml
@@ -31,6 +31,7 @@ tokio = { workspace = true, features = ["full"] }
 toml.workspace = true
 tufaceous-artifact.workspace = true
 tufaceous-lib.workspace = true
+update-common.workspace = true
 
 [lints]
 workspace = true
diff --git a/dev-tools/releng/src/tuf.rs b/dev-tools/releng/src/tuf.rs
@@ -18,6 +18,7 @@ use sha2::Digest;
 use sha2::Sha256;
 use slog::Logger;
 use tokio::io::AsyncReadExt;
+use tufaceous_artifact::ArtifactHash;
 use tufaceous_artifact::ArtifactVersion;
 use tufaceous_artifact::KnownArtifactKind;
 use tufaceous_lib::Key;
@@ -27,6 +28,9 @@ use tufaceous_lib::assemble::DeserializedArtifactSource;
 use tufaceous_lib::assemble::DeserializedControlPlaneZoneSource;
 use tufaceous_lib::assemble::DeserializedManifest;
 use tufaceous_lib::assemble::OmicronRepoAssembler;
+use update_common::artifacts::{
+    ArtifactsWithPlan, ControlPlaneZonesMode, VerificationMode,
+};
 
 pub(crate) async fn build_tuf_repo(
     logger: Logger,
@@ -160,5 +164,38 @@ pub(crate) async fn build_tuf_repo(
     )
     .await?;
 
+    // Check that we haven't stepped on any rakes by attempting to generate a
+    // plan from the zip
+    let zip_bytes = std::fs::File::open(&output_dir.join("repo.zip"))
+        .context("error opening archive.zip")?;
+    let repo_hash = ArtifactHash([0u8; 32]);
+    let _ = ArtifactsWithPlan::from_zip(
+        zip_bytes,
+        None,
+        repo_hash,
+        ControlPlaneZonesMode::Split,
+        VerificationMode::BlindlyTrustAnything,
+        &logger,
+    )
+    .await
+    .with_context(|| {
+        "error reading generated TUF repo (split control plane)".to_string()
+    })?;
+
+    let zip_bytes = std::fs::File::open(&output_dir.join("repo.zip"))
+        .context("error opening archive.zip")?;
+    let _ = ArtifactsWithPlan::from_zip(
+        zip_bytes,
+        None,
+        repo_hash,
+        ControlPlaneZonesMode::Composite,
+        VerificationMode::BlindlyTrustAnything,
+        &logger,
+    )
+    .await
+    .with_context(|| {
+        "error reading generated TUF repo (composite control plane)".to_string()
+    })?;
+
     Ok(())
 }
