Class: Sigstore::TrustedRoot

Inherits:

Sigstore::TrustRoot::V1::TrustedRoot

• Object
• Sigstore::TrustRoot::V1::TrustedRoot
• Sigstore::TrustedRoot

Defined in:

lib/sigstore/trusted_root.rb

Class Method Summary

• .from_file(path) ⇒ Object
• .from_tuf(url, offline) ⇒ Object
• .production(offline: false) ⇒ Object
• .staging(offline: false) ⇒ Object

Instance Method Summary

• #certificate_authority_for_signing ⇒ Object
• #ctfe_keys ⇒ Object
• #fulcio_cert_chain ⇒ Object
• #rekor_keys ⇒ Object
• #tlog_for_signing ⇒ Object

Class Method Details

.from_file(path) ⇒ Object

# File 'lib/sigstore/trusted_root.rb', line 43

def self.from_file(path)
  contents = Gem.read_binary(path)
  new Sigstore::TrustRoot::V1::TrustedRoot.decode_json(contents, registry: REGISTRY)
end

.from_tuf(url, offline) ⇒ Object

# File 'lib/sigstore/trusted_root.rb', line 38

def self.from_tuf(url, offline)
  path = TUF::TrustUpdater.new(url, offline).tap { _1.refresh unless offline }.trusted_root_path
  from_file(path)
end

.production(offline: false) ⇒ Object

# File 'lib/sigstore/trusted_root.rb', line 30

def self.production(offline: false)
  from_tuf(TUF::DEFAULT_TUF_URL, offline)
end

.staging(offline: false) ⇒ Object

# File 'lib/sigstore/trusted_root.rb', line 34

def self.staging(offline: false)
  from_tuf(TUF::STAGING_TUF_URL, offline)
end

Instance Method Details

#certificate_authority_for_signing ⇒ Object

# File 'lib/sigstore/trusted_root.rb', line 77

def certificate_authority_for_signing
  certificate_authorities.find do |ca|
    timerange_valid?(ca.valid_for, allow_expired: false)
  end
end

#ctfe_keys ⇒ Object

Raises:

• (Error::InvalidBundle)

# File 'lib/sigstore/trusted_root.rb', line 55

def ctfe_keys
  keys = tlog_keys(ctlogs).to_a
  raise Error::InvalidBundle, "Did not find any CTFE keys" if keys.empty?

  keys
end

#fulcio_cert_chain ⇒ Object

Raises:

• (Error::InvalidBundle)

# File 'lib/sigstore/trusted_root.rb', line 62

def fulcio_cert_chain
  certs = ca_keys(certificate_authorities, allow_expired: true).flat_map do |raw_bytes|
    Internal::X509::Certificate.read(raw_bytes)
  end
  raise Error::InvalidBundle, "Fulcio certificates not found in trusted root" if certs.empty?

  certs
end

#rekor_keys ⇒ Object

Raises:

• (Error::InvalidBundle)

# File 'lib/sigstore/trusted_root.rb', line 48

def rekor_keys
  keys = tlog_keys(tlogs).to_a
  raise Error::InvalidBundle, "Did not find one Rekor key" if keys.size != 1

  keys
end

#tlog_for_signing ⇒ Object

# File 'lib/sigstore/trusted_root.rb', line 71

def tlog_for_signing
  tlogs.find do |ctlog|
    timerange_valid?(ctlog.public_key.valid_for, allow_expired: false)
  end
end