| 123 | } |
| 124 | |
| 125 | func getTrustedRoot(makeTUF tufClientInstantiator, opts *Options, hc *http.Client) error { |
| 126 | var tufOptions []tufConfig |
| 127 | var defaultTR = "trusted_root.json" |
| 128 | |
| 129 | tufOpt := verification.DefaultOptionsWithCacheSetting(o.None[string](), hc) |
| 130 | // Disable local caching, so we get up-to-date response from TUF repository |
| 131 | tufOpt.CacheValidity = 0 |
| 132 | |
| 133 | // Target will be either the default trusted root, or the trust domain-qualified one |
| 134 | ghTR := defaultTR |
| 135 | if opts.TrustDomain != "" { |
| 136 | ghTR = fmt.Sprintf("%s.%s", opts.TrustDomain, defaultTR) |
| 137 | } |
| 138 | |
| 139 | if opts.TufUrl != "" && opts.TufRootPath != "" { |
| 140 | tufRoot, err := os.ReadFile(opts.TufRootPath) |
| 141 | if err != nil { |
| 142 | return fmt.Errorf("failed to read root file %s: %v", opts.TufRootPath, err) |
| 143 | } |
| 144 | |
| 145 | tufOpt.Root = tufRoot |
| 146 | tufOpt.RepositoryBaseURL = opts.TufUrl |
| 147 | tufOptions = append(tufOptions, tufConfig{ |
| 148 | tufOptions: tufOpt, |
| 149 | targets: []string{ghTR}, |
| 150 | }) |
| 151 | } else { |
| 152 | // Get from both Sigstore public good and GitHub private instance |
| 153 | tufOptions = append(tufOptions, tufConfig{ |
| 154 | tufOptions: tufOpt, |
| 155 | targets: []string{defaultTR}, |
| 156 | }) |
| 157 | |
| 158 | tufOpt = verification.GitHubTUFOptions(o.None[string](), hc) |
| 159 | tufOpt.CacheValidity = 0 |
| 160 | tufOptions = append(tufOptions, tufConfig{ |
| 161 | tufOptions: tufOpt, |
| 162 | targets: []string{ghTR}, |
| 163 | }) |
| 164 | } |
| 165 | |
| 166 | for _, tufOpt := range tufOptions { |
| 167 | tufClient, err := makeTUF(tufOpt.tufOptions) |
| 168 | if err != nil { |
| 169 | return fmt.Errorf("failed to create TUF client: %v", err) |
| 170 | } |
| 171 | |
| 172 | for _, target := range tufOpt.targets { |
| 173 | t, err := tufClient.GetTarget(target) |
| 174 | if err != nil { |
| 175 | return fmt.Errorf("failed to retrieve trusted root %s via TUF: %w", |
| 176 | target, err) |
| 177 | } |
| 178 | |
| 179 | output := new(bytes.Buffer) |
| 180 | err = json.Compact(output, t) |
| 181 | if err != nil { |
| 182 | return err |