Currently, we embed the root.json file inside our launcher binary: https://github.com/kolide/launcher/blob/main/ee/tuf/assets/tuf/root.json

We want to change how we embed this file for a couple reasons:

- The root.json metadata file has a one-year expiration. If the version we are shipping is expired, this can prevent launcher from being able to select the correct version of a binary until the TUF autoupdater exits its initial delay and performs an update.
- We don't want to have to remember to update the root.json file every time we create a new version.
- Shipping an outdated version of root.json means that the TUF autoupdater has to perform a couple extra HTTP calls to get the most recent version of root.json.

While we could ship an outdated version of root.json and force the TUF autoupdater to immediately fetch the latest version based on that -- via a call to metadataClient.UpdateRoots() -- this would slow down launcher startup due to the extra HTTP calls, which we don't want.

Our build process should be updated to embed the most recent version of root.json in the launcher binary.

Notes for implementation:

- We build launcher using our make command, which lives here. github-build is a good place to start looking in the Makefile to understand the build process.
- We should hardcode the contents of the first version of the root JSON, which is located at https://tuf.kolide.com/repository/1.root.json -- we want to ensure that we are definitely starting with valid, untampered metadata.
- The build process should use the go-tuf library's UpdateRoots() to update from the first version to the most recent version -- the go-tuf library provides UpdateRoots() as a safe way to update and validate root metadata.
- pkg/packaging/fetch.go also relies on a separately-hardcoded root.json. Since this code is for packaging launcher into installers (so we don't care as much about performance), and since it already calls Update() (which calls UpdateRoots()), you can just leave this as it is.