Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Embed the most recent version of root.json in our launcher binary #1705

Open
Tracked by #1577
RebeccaMahany opened this issue May 2, 2024 · 2 comments
Open
Tracked by #1577

Embed the most recent version of root.json in our launcher binary #1705

RebeccaMahany opened this issue May 2, 2024 · 2 comments
Labels
good-first-issue

Comments

@RebeccaMahany
Copy link
Contributor

RebeccaMahany commented May 2, 2024
edited

Currently, we embed the root.json file inside our launcher binary: https://github.com/kolide/launcher/blob/main/ee/tuf/assets/tuf/root.json

We want to change how we embed this file for a couple reasons:

  1. The root.json metadata file has a one-year expiration. If the version we are shipping is expired, this can prevent launcher from being able to select the correct version of a binary until the TUF autoupdater exits its initial delay and performs an update.
  2. We don't want to have to remember to update the root.json file every time we create a new version.
  3. Shipping an outdated version of root.json means that the TUF autoupdater has to perform a couple extra HTTP calls to get the most recent version of root.json.
  4. While we could ship an outdated version of root.json and force the TUF autoupdater to immediately fetch the latest version based on that -- via a call to metadataClient.UpdateRoots() -- this would slow down launcher startup due to the extra HTTP calls, which we odn't want.

Our build process should be updated to embed the most recent version of root.json in the launcher binary.

Notes for implementation:

  • We build launcher using our make command, which lives here. github-build is a good place to start looking in the Makefile to understand the build process.
  • We should hardcode the contents of the first version of the root JSON, which is located at https://tuf.kolide.com/repository/1.root.json -- we want to ensure that we are definitely starting with valid, untampered metadata
  • The build process should use the go-tuf library's UpdateRoots() to update from the first version to the most recent version -- the go-tuf library provides UpdateRoots() as a safe way to update and validate root metadata
  • autoupdate.go's initMetadataClient may be a good starting point for getting set up to call UpdateRoots()
  • pkg/packaging/fetch.go also relies on a separately-hardcoded root.json. Since this code is for packaging launcher into installers (so we don't care as much about performance), and since it already calls Update() (which calls UpdateRoots()), you can just leave this as it is.
@RebeccaMahany RebeccaMahany mentioned this issue May 2, 2024
Open
6 tasks
@directionless
Copy link
Contributor

This shouldn't be a change in pkg/make it should be a go generate somewhere.

@RebeccaMahany
Copy link
Contributor Author

@directionless updated first bullet point accordingly

@RebeccaMahany RebeccaMahany mentioned this issue May 2, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
good-first-issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@directionless @RebeccaMahany