cosign/tuf: PR feedback

jleightcap · jleightcap · commit 2f8150d0f7a1 · 2023-11-13T12:42:42.000-05:00
Signed-off-by: Jack Leightcap &lt;jack.leightcap@trailofbits.com&gt;
diff --git a/Cargo.toml b/Cargo.toml
@@ -118,7 +118,7 @@ tokio = { version = "1.17.0", features = ["rt"] }
 tough = { version = "0.14", features = ["http"], optional = true }
 tracing = "0.1.31"
 url = "2.2.2"
-x509-cert = { version = "0.2.2", features = ["builder", "pem", "std"] }
+x509-cert = { version = "0.2.2", features = ["pem", "std"] }
 crypto_secretbox = "0.1.1"
 zeroize = "1.5.7"
 rustls-webpki = { version = "0.102.0-alpha.4", features = ["alloc"] }
diff --git a/examples/cosign/verify/main.rs b/examples/cosign/verify/main.rs
@@ -240,7 +240,7 @@ async fn fulcio_and_rekor_data(cli: &Cli) -> anyhow::Result<Box<dyn sigstore::tu
         return Ok(Box::new(repo?));
     };
 
-    let mut data = sigstore::tuf::FakeRepository::default();
+    let mut data = sigstore::tuf::ManualRepository::default();
     if let Some(path) = cli.rekor_pub_key.as_ref() {
         data.rekor_key = Some(
             fs::read(path)
diff --git a/src/cosign/client_builder.rs b/src/cosign/client_builder.rs
@@ -28,15 +28,15 @@ use crate::tuf::Repository;
 /// ## Rekor integration
 ///
 /// Rekor integration can be enabled by specifying Rekor's public key.
-/// This can be provided via a [`crate::tuf::FakeRepository`].
+/// This can be provided via a [`crate::tuf::ManualRepository`].
 ///
 /// > Note well: the [`tuf`](crate::tuf) module provides helper structs and methods
 /// > to obtain this data from the official TUF repository of the Sigstore project.
 ///
 /// ## Fulcio integration
 ///
 /// Fulcio integration can be enabled by specifying Fulcio's certificate.
-/// This can be provided via a [`crate::tuf::FakeRepository`].
+/// This can be provided via a [`crate::tuf::ManualRepository`].
 ///
 /// > Note well: the [`tuf`](crate::tuf) module provides helper structs and methods
 /// > to obtain this data from the official TUF repository of the Sigstore project.
@@ -56,7 +56,6 @@ pub struct ClientBuilder<'a> {
     oci_client_config: ClientConfig,
     rekor_pub_key: Option<&'a [u8]>,
     fulcio_certs: Vec<CertificateDer<'a>>,
-    // repo: Repository
     #[cfg(feature = "cached-client")]
     enable_registry_caching: bool,
 }
diff --git a/src/cosign/mod.rs b/src/cosign/mod.rs
@@ -102,9 +102,9 @@ pub trait CosignCapabilities {
     /// must be satisfied:
     ///
     /// * The [`sigstore::cosign::Client`](crate::cosign::client::Client) must
-    ///   have been created with Rekor integration enabled (see [`crate::tuf::FakeRepository`])
+    ///   have been created with Rekor integration enabled (see [`crate::tuf::ManualRepository`])
     /// * The [`sigstore::cosign::Client`](crate::cosign::client::Client) must
-    ///   have been created with Fulcio integration enabled (see [`crate::tuf::FakeRepository])
+    ///   have been created with Fulcio integration enabled (see [`crate::tuf::ManualRepository])
     /// * The layer must include a bundle produced by Rekor
     ///
     /// > Note well: the [`tuf`](crate::tuf) module provides helper structs and methods
diff --git a/src/lib.rs b/src/lib.rs
@@ -92,7 +92,7 @@
 //!     data: fulcio_cert_data
 //!   };
 //!
-//!   let mut repo = sigstore::tuf::FakeRepository {
+//!   let mut repo = sigstore::tuf::ManualRepository {
 //!     fulcio_certs: Some(vec![fulcio_cert.try_into().unwrap()]),
 //!     rekor_key: Some(rekor_pub_key),
 //!     ..Default::default()
diff --git a/src/tuf/mod.rs b/src/tuf/mod.rs
@@ -43,6 +43,7 @@ mod trustroot;
 use rustls_pki_types::CertificateDer;
 use sha2::{Digest, Sha256};
 use tough::TargetName;
+use tracing::debug;
 
 use self::trustroot::{CertificateAuthority, TimeRange, TransparencyLogInstance, TrustedRoot};
 
@@ -54,15 +55,15 @@ pub trait Repository {
     fn rekor_keys(&self) -> Result<Vec<&[u8]>>;
 }
 
-/// A `FakeRepository` is a [Repository] with out-of-band trust materials.
+/// A `ManualRepository` is a [Repository] with out-of-band trust materials.
 /// As it does not establish a trust root with TUF, users must initialize its materials themselves.
 #[derive(Debug, Default)]
-pub struct FakeRepository<'a> {
+pub struct ManualRepository<'a> {
     pub fulcio_certs: Option<Vec<CertificateDer<'a>>>,
     pub rekor_key: Option<Vec<u8>>,
 }
 
-impl Repository for FakeRepository<'_> {
+impl Repository for ManualRepository<'_> {
     fn fulcio_certs(&self) -> Result<Vec<CertificateDer>> {
         Ok(match &self.fulcio_certs {
             Some(certs) => certs.clone(),
@@ -120,7 +121,7 @@ impl SigstoreRepository {
                 local_path.as_ref(),
             )?;
 
-            println!("data:\n{}", String::from_utf8_lossy(&data));
+            debug!("data:\n{}", String::from_utf8_lossy(&data));
 
             Ok(serde_json::from_slice(&data[..])?)
         }
