From feb3d251a3714fb3dac5e80d2b7351f843b049a0 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster <malancas@github.com>
Date: Thu, 6 Jun 2024 13:06:56 -0600
Subject: [PATCH 1/5] sync tuf cache used for sigstore bundle verification

Signed-off-by: Meredith Lancaster <malancas@github.com>
---
 pkg/tuf/repo.go | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/pkg/tuf/repo.go b/pkg/tuf/repo.go
index 2e71b3ea..67ca2fe1 100644
--- a/pkg/tuf/repo.go
+++ b/pkg/tuf/repo.go
@@ -28,7 +28,6 @@ import (
 	"path/filepath"
 	"runtime"
 	"strings"
-	"sync"
 	"testing/fstest"
 	"time"
 
@@ -293,27 +292,28 @@ func ClientFromRemote(_ context.Context, mirror string, rootJSON []byte, targets
 }
 
 var (
-	once               sync.Once
-	trustedRoot        *root.TrustedRoot
 	singletonRootError error
+	timestamp          time.Time
+	trustedRoot        *root.TrustedRoot
 )
 
 // GetTrustedRoot returns the trusted root for the TUF repository.
 func GetTrustedRoot() (*root.TrustedRoot, error) {
-	once.Do(func() {
+	now := time.Now().UTC()
+	if timestamp.IsZero() || timestamp.Before(now.Add(-24*time.Hour)) {
 		tufClient, err := tuf.NewFromEnv(context.Background())
 		if err != nil {
 			singletonRootError = fmt.Errorf("initializing tuf: %w", err)
-			return
 		}
 		// TODO: add support for custom trusted root path
 		targetBytes, err := tufClient.GetTarget("trusted_root.json")
 		if err != nil {
 			singletonRootError = fmt.Errorf("error getting targets: %w", err)
-			return
 		}
 		trustedRoot, singletonRootError = root.NewTrustedRootFromJSON(targetBytes)
-	})
+
+		timestamp = now
+	}
 	if singletonRootError != nil {
 		return nil, singletonRootError
 	}

From 6c5b1800df8a2a401f87472ff5b924c82dfcd826 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster <malancas@github.com>
Date: Mon, 10 Jun 2024 23:19:56 -0600
Subject: [PATCH 2/5] remove singleton err

Signed-off-by: Meredith Lancaster <malancas@github.com>
---
 pkg/tuf/repo.go | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/pkg/tuf/repo.go b/pkg/tuf/repo.go
index 67ca2fe1..0dbd4a6e 100644
--- a/pkg/tuf/repo.go
+++ b/pkg/tuf/repo.go
@@ -292,9 +292,8 @@ func ClientFromRemote(_ context.Context, mirror string, rootJSON []byte, targets
 }
 
 var (
-	singletonRootError error
-	timestamp          time.Time
-	trustedRoot        *root.TrustedRoot
+	timestamp   time.Time
+	trustedRoot *root.TrustedRoot
 )
 
 // GetTrustedRoot returns the trusted root for the TUF repository.
@@ -303,19 +302,21 @@ func GetTrustedRoot() (*root.TrustedRoot, error) {
 	if timestamp.IsZero() || timestamp.Before(now.Add(-24*time.Hour)) {
 		tufClient, err := tuf.NewFromEnv(context.Background())
 		if err != nil {
-			singletonRootError = fmt.Errorf("initializing tuf: %w", err)
+			return nil, fmt.Errorf("initializing tuf: %w", err)
 		}
 		// TODO: add support for custom trusted root path
 		targetBytes, err := tufClient.GetTarget("trusted_root.json")
 		if err != nil {
-			singletonRootError = fmt.Errorf("error getting targets: %w", err)
+			return nil, fmt.Errorf("error getting targets: %w", err)
+		}
+		trustedRoot, err := root.NewTrustedRootFromJSON(targetBytes)
+		if err != nil {
+			return nil, fmt.Errorf("error creating trusted root: %w", err)
 		}
-		trustedRoot, singletonRootError = root.NewTrustedRootFromJSON(targetBytes)
 
 		timestamp = now
-	}
-	if singletonRootError != nil {
-		return nil, singletonRootError
+
+		return trustedRoot, nil
 	}
 	return trustedRoot, nil
 }

From 6b8ffcbe068a438a5b07bc0d3eab7a605026d3be Mon Sep 17 00:00:00 2001
From: Meredith Lancaster <malancas@github.com>
Date: Thu, 13 Jun 2024 09:59:42 -0600
Subject: [PATCH 3/5] start adding lock

Signed-off-by: Meredith Lancaster <malancas@github.com>
---
 pkg/tuf/repo.go | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/pkg/tuf/repo.go b/pkg/tuf/repo.go
index 0dbd4a6e..6513676c 100644
--- a/pkg/tuf/repo.go
+++ b/pkg/tuf/repo.go
@@ -28,6 +28,7 @@ import (
 	"path/filepath"
 	"runtime"
 	"strings"
+	"sync"
 	"testing/fstest"
 	"time"
 
@@ -292,26 +293,35 @@ func ClientFromRemote(_ context.Context, mirror string, rootJSON []byte, targets
 }
 
 var (
-	timestamp   time.Time
-	trustedRoot *root.TrustedRoot
+	mu                 sync.Mutex
+	singletonRootError error
+	timestamp          time.Time
+	trustedRoot        *root.TrustedRoot
 )
 
 // GetTrustedRoot returns the trusted root for the TUF repository.
 func GetTrustedRoot() (*root.TrustedRoot, error) {
+	mu.Lock()
+	defer mu.Unlock()
+
 	now := time.Now().UTC()
 	if timestamp.IsZero() || timestamp.Before(now.Add(-24*time.Hour)) {
+
 		tufClient, err := tuf.NewFromEnv(context.Background())
 		if err != nil {
-			return nil, fmt.Errorf("initializing tuf: %w", err)
+			singletonRootError = fmt.Errorf("initializing tuf: %w", err)
+			return nil, singletonRootError
 		}
 		// TODO: add support for custom trusted root path
 		targetBytes, err := tufClient.GetTarget("trusted_root.json")
 		if err != nil {
-			return nil, fmt.Errorf("error getting targets: %w", err)
+			singletonRootError = fmt.Errorf("error getting targets: %w", err)
+			return nil, singletonRootError
 		}
 		trustedRoot, err := root.NewTrustedRootFromJSON(targetBytes)
 		if err != nil {
-			return nil, fmt.Errorf("error creating trusted root: %w", err)
+			singletonRootError = fmt.Errorf("error creating trusted root: %w", err)
+			return nil, singletonRootError
 		}
 
 		timestamp = now

From c57316319043d2f60fce563fe9c5f523c36722ca Mon Sep 17 00:00:00 2001
From: Meredith Lancaster <malancas@github.com>
Date: Fri, 14 Jun 2024 07:09:17 -0600
Subject: [PATCH 4/5] Use RWMutex

Signed-off-by: Meredith Lancaster <malancas@github.com>
---
 pkg/tuf/repo.go | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/pkg/tuf/repo.go b/pkg/tuf/repo.go
index 6513676c..7b0c7bd2 100644
--- a/pkg/tuf/repo.go
+++ b/pkg/tuf/repo.go
@@ -293,7 +293,7 @@ func ClientFromRemote(_ context.Context, mirror string, rootJSON []byte, targets
 }
 
 var (
-	mu                 sync.Mutex
+	mu                 sync.RWMutex
 	singletonRootError error
 	timestamp          time.Time
 	trustedRoot        *root.TrustedRoot
@@ -301,11 +301,10 @@ var (
 
 // GetTrustedRoot returns the trusted root for the TUF repository.
 func GetTrustedRoot() (*root.TrustedRoot, error) {
-	mu.Lock()
-	defer mu.Unlock()
-
 	now := time.Now().UTC()
 	if timestamp.IsZero() || timestamp.Before(now.Add(-24*time.Hour)) {
+		mu.Lock()
+		defer mu.Unlock()
 
 		tufClient, err := tuf.NewFromEnv(context.Background())
 		if err != nil {
@@ -328,5 +327,9 @@ func GetTrustedRoot() (*root.TrustedRoot, error) {
 
 		return trustedRoot, nil
 	}
+
+	mu.RLock()
+	defer mu.RUnlock()
+
 	return trustedRoot, nil
 }

From 8db5b66c90f40a6c48e5c62ba295e6bec52875b9 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster <malancas@github.com>
Date: Fri, 14 Jun 2024 13:09:48 -0600
Subject: [PATCH 5/5] pr feedback

Signed-off-by: Meredith Lancaster <malancas@github.com>
---
 pkg/tuf/repo.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkg/tuf/repo.go b/pkg/tuf/repo.go
index 7b0c7bd2..46405348 100644
--- a/pkg/tuf/repo.go
+++ b/pkg/tuf/repo.go
@@ -302,7 +302,9 @@ var (
 // GetTrustedRoot returns the trusted root for the TUF repository.
 func GetTrustedRoot() (*root.TrustedRoot, error) {
 	now := time.Now().UTC()
-	if timestamp.IsZero() || timestamp.Before(now.Add(-24*time.Hour)) {
+	// check if timestamp has never been or if the current time is more
+	// than 24 hours after the current value of timestamp
+	if timestamp.IsZero() || now.After(timestamp.Add(24*time.Hour)) {
 		mu.Lock()
 		defer mu.Unlock()