Merge pull request #340 from astoycos/bump-tough

update tough dep

Author: flavio

Cargo.toml

@@ -40,7 +40,7 @@ rekor-native-tls = ["reqwest/native-tls", "rekor"]
 rekor-rustls-tls = ["reqwest/rustls-tls", "rekor"]
 rekor = ["reqwest"]
 
-sigstore-trust-root = ["tough", "regex"]
+sigstore-trust-root = ["futures-util", "tough", "regex", "tokio/sync"]
 
 sign = []
 
@@ -81,6 +81,8 @@ ecdsa = { version = "0.16.7", features = ["pkcs8", "digest", "der", "signing"] }
 ed25519 = { version = "2.2.1", features = ["alloc"] }
 ed25519-dalek = { version = "2.0.0-rc.2", features = ["pkcs8", "rand_core"] }
 elliptic-curve = { version = "0.13.5", features = ["arithmetic", "pem"] }
+futures = "0.3"
+futures-util = { version = "0.3.30", optional = true }
 lazy_static = "1.4.0"
 oci-distribution = { version = "0.10", default-features = false, optional = true }
 olpc-cjson = "0.1"
@@ -116,7 +118,7 @@ sigstore_protobuf_specs = "0.1.0-rc.2"
 thiserror = "1.0.30"
 tokio = { version = "1.17.0", features = ["rt"] }
 tokio-util = { version = "0.7.10", features = ["io-util"] }
-tough = { version = "0.14", features = ["http"], optional = true }
+tough = { version = "0.17.1", features = ["http"], optional = true }
 tracing = "0.1.31"
 url = "2.2.2"
 x509-cert = { version = "0.2.2", features = ["builder", "pem", "std"] }

examples/cosign/sign/main.rs

@@ -18,7 +18,6 @@ use sigstore::cosign::constraint::{AnnotationMarker, PrivateKeySigner};
 use sigstore::cosign::{Constraint, CosignCapabilities, SignatureLayer};
 use sigstore::crypto::SigningScheme;
 use sigstore::registry::{Auth, ClientConfig, ClientProtocol, OciReference};
-use std::convert::TryFrom;
 use tracing::{debug, warn};
 use zeroize::Zeroizing;
 

examples/cosign/verify/main.rs

@@ -23,8 +23,6 @@ use sigstore::crypto::SigningScheme;
 use sigstore::errors::SigstoreVerifyConstraintsError;
 use sigstore::registry::{ClientConfig, ClientProtocol, OciReference};
 use sigstore::trust::sigstore::SigstoreTrustRoot;
-use std::boxed::Box;
-use std::convert::TryFrom;
 use std::time::Instant;
 
 extern crate anyhow;
@@ -34,7 +32,6 @@ extern crate clap;
 use clap::Parser;
 
 use std::{collections::HashMap, fs};
-use tokio::task::spawn_blocking;
 
 extern crate tracing_subscriber;
 use tracing::{info, warn};
@@ -133,7 +130,7 @@ async fn run_app(
 
     let mut client_builder =
         sigstore::cosign::ClientBuilder::default().with_oci_client_config(oci_client_config);
-    client_builder = client_builder.with_trust_repository(frd)?;
+    client_builder = client_builder.with_trust_repository(frd).await?;
 
     let cert_chain: Option<Vec<sigstore::registry::Certificate>> = match cli.cert_chain.as_ref() {
         None => None,
@@ -187,7 +184,7 @@ async fn run_app(
     }
     if let Some(path_to_cert) = cli.cert.as_ref() {
         let cert = fs::read(path_to_cert).map_err(|e| anyhow!("Cannot read cert: {:?}", e))?;
-        let require_rekor_bundle = if !frd.rekor_keys()?.is_empty() {
+        let require_rekor_bundle = if !frd.rekor_keys().await?.is_empty() {
             true
         } else {
             warn!("certificate based verification is weaker when Rekor integration is disabled");
@@ -230,12 +227,10 @@ async fn run_app(
 
 async fn fulcio_and_rekor_data(cli: &Cli) -> anyhow::Result<Box<dyn sigstore::trust::TrustRoot>> {
     if cli.use_sigstore_tuf_data {
-        let repo: sigstore::errors::Result<SigstoreTrustRoot> = spawn_blocking(|| {
-            info!("Downloading data from Sigstore TUF repository");
-            SigstoreTrustRoot::new(None)?.prefetch()
-        })
-        .await
-        .map_err(|e| anyhow!("Error spawning blocking task inside of tokio: {}", e))?;
+        info!("Downloading data from Sigstore TUF repository");
+
+        let repo: sigstore::errors::Result<SigstoreTrustRoot> =
+            SigstoreTrustRoot::new(None).await?.prefetch().await;
 
         return Ok(Box::new(repo?));
     };

src/cosign/client_builder.rs

@@ -72,12 +72,15 @@ impl<'a> ClientBuilder<'a> {
     ///
     /// Enables Fulcio and Rekor integration with the given trust repository.
     /// See [crate::sigstore::TrustRoot] for more details on trust repositories.
-    pub fn with_trust_repository<R: TrustRoot + ?Sized>(mut self, repo: &'a R) -> Result<Self> {
-        let rekor_keys = repo.rekor_keys()?;
+    pub async fn with_trust_repository<R: TrustRoot + ?Sized>(
+        mut self,
+        repo: &'a R,
+    ) -> Result<Self> {
+        let rekor_keys = repo.rekor_keys().await?;
         if !rekor_keys.is_empty() {
             self.rekor_pub_key = Some(rekor_keys[0]);
         }
-        self.fulcio_certs = repo.fulcio_certs()?;
+        self.fulcio_certs = repo.fulcio_certs().await?;
 
         Ok(self)
     }

src/cosign/mod.rs

@@ -48,7 +48,6 @@ use crate::crypto::{CosignVerificationKey, Signature};
 use crate::errors::SigstoreError;
 use base64::{engine::general_purpose::STANDARD as BASE64_STD_ENGINE, Engine as _};
 use pkcs8::der::Decode;
-use std::convert::TryFrom;
 use x509_cert::Certificate;
 
 pub mod bundle;
@@ -284,7 +283,6 @@ where
 #[cfg(test)]
 mod tests {
     use serde_json::json;
-    use std::collections::HashMap;
     use webpki::types::CertificateDer;
 
     use super::constraint::{AnnotationMarker, PrivateKeySigner};
@@ -296,7 +294,7 @@ mod tests {
         AnnotationVerifier, CertSubjectEmailVerifier, VerificationConstraintVec,
     };
     use crate::crypto::certificate_pool::CertificatePool;
-    use crate::crypto::{CosignVerificationKey, SigningScheme};
+    use crate::crypto::SigningScheme;
 
     #[cfg(feature = "test-registry")]
     use testcontainers::{clients, core::WaitFor};

src/cosign/signature_layers.rs

@@ -17,7 +17,6 @@ use const_oid::ObjectIdentifier;
 use digest::Digest;
 use oci_distribution::client::ImageLayer;
 use serde::Serialize;
-use std::convert::TryFrom;
 use std::{collections::HashMap, fmt};
 use tracing::{debug, info, warn};
 use x509_cert::der::DecodePem;
@@ -550,8 +549,6 @@ pub(crate) mod tests {
     use super::*;
     use openssl::x509::X509;
     use serde_json::json;
-    use std::collections::HashMap;
-    use std::convert::TryFrom;
 
     use crate::cosign::tests::{get_fulcio_cert_pool, get_rekor_public_key};
 

src/cosign/verification_constraint/cert_subject_email_verifier.rs

@@ -126,7 +126,6 @@ mod tests {
         build_correct_signature_layer_with_certificate,
         build_correct_signature_layer_without_bundle,
     };
-    use crate::cosign::signature_layers::CertificateSubject;
     use crate::cosign::verification_constraint::CertSubjectUrlVerifier;
 
     #[test]

src/cosign/verification_constraint/cert_subject_url_verifier.rs

@@ -74,7 +74,6 @@ mod tests {
         build_correct_signature_layer_with_certificate,
         build_correct_signature_layer_without_bundle,
     };
-    use crate::cosign::signature_layers::CertificateSubject;
     use crate::cosign::verification_constraint::CertSubjectEmailVerifier;
 
     #[test]

src/cosign/verification_constraint/certificate_verifier.rs

@@ -1,6 +1,5 @@
 use chrono::{DateTime, Utc};
 use pkcs8::der::Decode;
-use std::convert::TryFrom;
 use tracing::warn;
 use webpki::types::CertificateDer;
 use x509_cert::Certificate;

src/crypto/certificate.rs

@@ -126,7 +126,7 @@ mod tests {
     use super::*;
     use crate::crypto::tests::*;
 
-    use chrono::{TimeDelta, Utc};
+    use chrono::TimeDelta;
     use x509_cert::der::Decode;
 
     #[test]