Add providers for signing config and legacy helper by loosebazooka · Pull Request #967 · sigstore/sigstore-java

@loosebazooka

And some other minor associated changes as part of #954

aaronlew02

Hayden-IO

```java
return () -> {
  try {
    SigstoreTufClient tufClient = tufClientBuilder.build();
    tufClient.update();
```

Just wondering, does this always have to be called after building a tuf client? Could it be automatic based on if the timestamp is expired?

I think it's because your local cache can be erased in between runs; you can't guarantee that state, so you have to validate it.


```java
// Temporary while the TUF repo catches up; this will still fail if the remote TUF isn't
// available to check for signing config
static SigningConfigProvider fromOrDefault(
```

What's the advantage of this method over catching if from(tuf) fails and initializing a SigstoreSigningConfig?

This more mirrors the final expected workflow, while still allowing us to be very explicit that this will be removed once the signing config is finalized.

```java
var fromTuf = tufClient.getSigstoreSigningConfig();
return fromTuf == null ? defaultConfig : fromTuf;
} catch (IOException ex) {
throw new SigstoreConfigurationException(
```

You could return defaultConfig if not null on error?

An error may happen for other reasons that are issues with the TUF client. I would still like to fail if the error is unrelated to signingConfig missing from the repo.
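The fallback semantics discussed in this thread, as an added stand-alone example rather than sigstore-java's own code: the default is returned only when the TUF repo simply has no signing config yet, while any I/O failure still fails closed. `SigstoreSigningConfig`, `TufClient` and `SigstoreConfigurationException` below are simplified stand-ins for the library's types, and the URL is a constructed value.

```java
import java.io.IOException;
// Added example, not sigstore-java code: the nested types stand in for the library's
// SigstoreTufClient, SigstoreSigningConfig and SigstoreConfigurationException.
public class SigningConfigExample {
  record SigstoreSigningConfig(String fulcioUrl) {}
  interface TufClient {
    void update() throws IOException; // refresh metadata; the local cache may have been wiped
    SigstoreSigningConfig getSigstoreSigningConfig() throws IOException; // null if target absent
  }
  static class SigstoreConfigurationException extends Exception {
    SigstoreConfigurationException(String msg, Throwable cause) { super(msg, cause); }
  }
  @FunctionalInterface
  interface SigningConfigProvider {
    SigstoreSigningConfig get() throws SigstoreConfigurationException;
  }
  // The default is used only when the repo carries no signing config yet (null result).
  // Any I/O failure still propagates, so an unreachable or broken trust root is never
  // silently replaced by built-in defaults.
  static SigningConfigProvider fromOrDefault(TufClient tufClient, SigstoreSigningConfig defaultConfig) {
    return () -> {
      try {
        tufClient.update(); // always refresh: cached state cannot be assumed to exist
        var fromTuf = tufClient.getSigstoreSigningConfig();
        return fromTuf == null ? defaultConfig : fromTuf;
      } catch (IOException ex) {
        throw new SigstoreConfigurationException("failed to read signing config from TUF", ex);
      }
    };
  }
  public static void main(String[] args) throws Exception {
    var fallback = new SigstoreSigningConfig("https://fulcio.example.invalid"); // constructed value
    TufClient missing = new TufClient() { // case 1: repo reachable, no signing config target
      public void update() {}
      public SigstoreSigningConfig getSigstoreSigningConfig() { return null; }
    };
    System.out.println(fromOrDefault(missing, fallback).get());
    TufClient broken = new TufClient() { // case 2: repo unreachable
      public void update() throws IOException { throw new IOException("remote unreachable"); }
      public SigstoreSigningConfig getSigstoreSigningConfig() { return null; }
    };
    try {
      fromOrDefault(broken, fallback).get();
    } catch (SigstoreConfigurationException e) {
      System.out.println("failed closed: " + e.getCause().getMessage());
    }
  }
}
```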

@loosebazooka

And some other minor associated changes

Signed-off-by: Appu Goundan <appu@google.com>
