Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use TUF metadata to determine version to download when packaging #1573

Merged
merged 4 commits into from
Feb 2, 2024
Merged

Use TUF metadata to determine version to download when packaging #1573

merged 4 commits into from
Feb 2, 2024

Conversation

RebeccaMahany
Copy link
Contributor

@RebeccaMahany RebeccaMahany commented Feb 1, 2024
edited
Loading

Eventually, we will stop using the legacy Notary system, which means we will stop duplicating releases at <binary>-<channel>.tar.gz and expect clients to find the releases using the TUF metadata for that binary instead. This PR prepares for that by performing those steps when packaging.

This duplicates root.json (also located at ee/tuf/assets...) to avoid an import cycle. I didn't think this was a big enough deal to warrant pulling it out and moving it to a new shared location, but if others feel differently I'm happy to update.

Relates to #954, #1149

directionless
directionless reviewed Feb 1, 2024
View reviewed changes
pkg/packaging/fetch.go Show resolved Hide resolved
pkg/packaging/fetch.go Outdated Show resolved Hide resolved
pkg/packaging/fetch.go
Comment on lines +138 to +139
//go:embed assets/tuf/root.json
var rootJson []byte
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is okay. Though we may want some kind of two step, so that we can maintain a newer TUF repo, and not have to fetch/validate everything.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That'd be nice to have for the ee/tuf code too -- it's on my list (eventually)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#1577

@directionless
Copy link
Contributor

Looks good. tiny nits

@RebeccaMahany RebeccaMahany added this pull request to the merge queue Feb 2, 2024
Merged via the queue into kolide:main with commit 8f26d23 Feb 2, 2024
26 checks passed
@RebeccaMahany RebeccaMahany deleted the becca/package-channel branch February 2, 2024 14:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@directionless directionless directionless approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@RebeccaMahany @directionless