Merge pull request #1028 from sigstore/tuf-config

Require signing config from TUF and remove legacy fallback

Author: aaronlew02

sigstore-java/src/main/java/dev/sigstore/KeylessSigner.java

@@ -62,7 +62,6 @@
 import dev.sigstore.timestamp.client.TimestampResponse;
 import dev.sigstore.timestamp.client.TimestampVerificationException;
 import dev.sigstore.timestamp.client.TimestampVerifier;
-import dev.sigstore.trustroot.LegacySigningConfig;
 import dev.sigstore.trustroot.Service;
 import dev.sigstore.trustroot.SigstoreConfigurationException;
 import dev.sigstore.tuf.SigstoreTufClient;
@@ -359,10 +358,7 @@ public KeylessSigner build()
     public Builder sigstorePublicDefaults() {
       var sigstoreTufClientBuilder = SigstoreTufClient.builder().usePublicGoodInstance();
       trustedRootProvider = TrustedRootProvider.from(sigstoreTufClientBuilder);
-      // TODO: signing config is not pushed to prod yet
-      signingConfigProvider =
-          SigningConfigProvider.fromOrDefault(
-              sigstoreTufClientBuilder, LegacySigningConfig.PUBLIC_GOOD);
+      signingConfigProvider = SigningConfigProvider.from(sigstoreTufClientBuilder);
       signingAlgorithm = AlgorithmRegistry.SigningAlgorithm.PKIX_ECDSA_P256_SHA_256;
       minSigningCertificateLifetime(DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME);
       return this;

sigstore-java/src/main/java/dev/sigstore/SigningConfigProvider.java

@@ -42,29 +42,11 @@ static SigningConfigProvider from(SigstoreTufClient.Builder tufClientBuilder) {
     };
   }
 
-  // Temporary while the tuf repos catches up, this will still fail if the remove TUF isn't
-  // available to check for signing config
-  static SigningConfigProvider fromOrDefault(
-      SigstoreTufClient.Builder tufClientBuilder, SigstoreSigningConfig defaultConfig) {
-    Preconditions.checkNotNull(tufClientBuilder);
-    return () -> {
-      try {
-        var tufClient = tufClientBuilder.build();
-        tufClient.update();
-        var fromTuf = tufClient.getSigstoreSigningConfig();
-        return fromTuf == null ? defaultConfig : fromTuf;
-      } catch (IOException ex) {
-        throw new SigstoreConfigurationException(
-            "Could not initialize signing config from provided tuf client", ex);
-      }
-    };
-  }
-
   static SigningConfigProvider from(Path signingConfig) {
     Preconditions.checkNotNull(signingConfig);
     return () -> {
-      try {
-        return SigstoreSigningConfig.from(Files.newInputStream(signingConfig));
+      try (var is = Files.newInputStream(signingConfig)) {
+        return SigstoreSigningConfig.from(is);
       } catch (IOException ex) {
         throw new SigstoreConfigurationException(
             "Could not initialize signing config from " + signingConfig, ex);

sigstore-java/src/main/java/dev/sigstore/tuf/SigstoreTufClient.java

@@ -30,7 +30,6 @@
 import java.security.spec.InvalidKeySpecException;
 import java.time.Duration;
 import java.time.Instant;
-import javax.annotation.Nullable;
 
 /**
  * Wrapper around {@link dev.sigstore.tuf.Updater} that provides access to sigstore specific
@@ -48,10 +47,7 @@ public class SigstoreTufClient {
   private final Updater updater;
   private Instant lastUpdate;
   private SigstoreTrustedRoot sigstoreTrustedRoot;
-  // TODO: this is nullable because we expect all future sigstore tuf repos to contain a signing
-  // config
-  // but while we transition, we need to handle the null case.
-  @Nullable private SigstoreSigningConfig sigstoreSigningConfig;
+  private SigstoreSigningConfig sigstoreSigningConfig;
   private final Duration cacheValidity;
 
   @VisibleForTesting
@@ -181,15 +177,9 @@ public void forceUpdate() throws SigstoreConfigurationException {
       throw new SigstoreConfigurationException("Failed to read trusted root from target store", ex);
     }
     try {
-      if (updater.getTargetStore().hasTarget(SIGNING_CONFIG_FILENAME)) {
-        sigstoreSigningConfig =
-            SigstoreSigningConfig.from(
-                updater.getTargetStore().getTargetInputSteam(SIGNING_CONFIG_FILENAME));
-      } else {
-        sigstoreSigningConfig = null;
-        // TODO: Remove when prod and staging TUF repos have fully configured signing configs, but
-        // right now sigstore tuf repos not having sigstoreSigningConfig is a valid state.
-      }
+      sigstoreSigningConfig =
+          SigstoreSigningConfig.from(
+              updater.getTargetStore().getTargetInputSteam(SIGNING_CONFIG_FILENAME));
     } catch (IOException ex) {
       throw new SigstoreConfigurationException(
           "Failed to read signing config from target store", ex);
@@ -200,7 +190,6 @@ public SigstoreTrustedRoot getSigstoreTrustedRoot() {
     return sigstoreTrustedRoot;
   }
 
-  @Nullable
   public SigstoreSigningConfig getSigstoreSigningConfig() {
     return sigstoreSigningConfig;
   }

sigstore-java/src/test/java/dev/sigstore/tuf/SigstoreTufClientTest.java

@@ -16,6 +16,9 @@
 package dev.sigstore.tuf;
 
 import com.google.protobuf.util.JsonFormat;
+import dev.sigstore.proto.trustroot.v1.ServiceConfiguration;
+import dev.sigstore.proto.trustroot.v1.ServiceSelector;
+import dev.sigstore.proto.trustroot.v1.SigningConfig;
 import dev.sigstore.proto.trustroot.v1.TrustedRoot;
 import dev.sigstore.trustroot.SigstoreSigningConfig;
 import dev.sigstore.trustroot.SigstoreTrustedRoot;
@@ -121,12 +124,24 @@ public void testUpdate_noUpdateWhenCacheValid() throws Exception {
   }
 
   private static Updater mockUpdater() throws IOException {
+    var serviceConfig = ServiceConfiguration.newBuilder().setSelector(ServiceSelector.ANY).build();
     var trustRootBytes =
         JsonFormat.printer().print(TrustedRoot.newBuilder()).getBytes(StandardCharsets.UTF_8);
+    var signingConfigBytes =
+        JsonFormat.printer()
+            .print(
+                SigningConfig.newBuilder()
+                    .setMediaType(SigstoreSigningConfig.MEDIA_TYPE)
+                    .setTsaConfig(serviceConfig)
+                    .setRekorTlogConfig(serviceConfig))
+            .getBytes(StandardCharsets.UTF_8);
     var mockUpdater = Mockito.mock(Updater.class);
     var mockTargetStore = Mockito.mock(TargetStore.class);
     Mockito.when(mockTargetStore.getTargetInputSteam(SigstoreTufClient.TRUST_ROOT_FILENAME))
         .thenAnswer((Answer<InputStream>) invocation -> new ByteArrayInputStream(trustRootBytes));
+    Mockito.when(mockTargetStore.getTargetInputSteam(SigstoreTufClient.SIGNING_CONFIG_FILENAME))
+        .thenAnswer(
+            (Answer<InputStream>) invocation -> new ByteArrayInputStream(signingConfigBytes));
     Mockito.when(mockUpdater.getTargetStore()).thenReturn(mockTargetStore);
 
     return mockUpdater;