werf / trdl Goto Github PK

The universal solution for delivering your software updates securely from a trusted The Update Framework (TUF) repository.

Home Page: https://trdl.dev

License: Apache License 2.0

Go 94.61% Makefile 3.13% Shell 2.05% Batchfile 0.01% Dockerfile 0.19%

tuf security update werf continuous-delivery

trdl's Issues

Restriction on re-release

It is necessary to remove the possibility of restarting a successful release. However, such an opportunity should be for a failed/broken release.

Checking trusted GPG keys when adding

Site reorganization

Add Documentation section.
Move Quickstart, Security and Reference to Documentation.
Make Documentation/How it works from sections of the Home page.
Remove all sections except problems and benefits from the Home page.
Fix styles on the Home page.
Integrate How it works, Quickstart and Security into Documentation section.

Error: unable to init tuf client: unable to close from file local store: open .meta/002220.ldb: too many open files

Suddenly I've reproduced an error that brought me to the previous one #210.

Now every time I open new terminal I see the following error:

Error: unable to init tuf client: unable to close from file local store: open /Users/golovinps/.trdl/repositories/werf/.meta/002220.ldb: too many open files

What is the proper way of fixing that?

Confirm the release and the publication of release channels by a quorum of GPG signatures

Trdl client hanged when timeout has occured

First attempt to add trdl repo failed with timeout error:

$ curl -sSL https://werf.io/install.sh | bash -s -- --ci
[INPUT REQUIRED] Current login shell is "bash". Press ENTER to setup werf for this shell or choose another one.
[b]ash/[z]sh/[a]bort? Default: bash.
[INFO] Skipping trdl installation: already installed in "/home/gitlab-runner/bin/".
[INFO] Adding werf repo to trdl.
Error: unable to init repository "werf" client: unable to download "1.root.json": Get "https://tuf.werf.io/1.root.json": dial tcp 54.38.250.137:443: i/o timeout
[FATAL] Can't add "werf" repo to trdl.
[FATAL] Aborting.
Cleaning up project directory and file based variables
00:00
ERROR: Job failed: exit status 1

— this process has failed with the error, but there also was a spawned background process, which hanged:

gitlab-+  137033  0.0  0.0   7232  1264 ?        S    03:46   0:00 bash -l
gitlab-+  137036  0.0  0.0   7800  3608 ?        S    03:46   0:00  \_ bash -s -- --ci
gitlab-+  137198  0.0  0.1 719784 10448 ?        Sl   03:46   0:01      \_ /home/gitlab-runner/bin/trdl add werf https://tuf.werf.io/ 1 b7ff6bcbe598e072a86d595a3621924c8612c7e6dc6a82e919abe89707d7e3f468e616b5635630680dd1e98fc362ae5051728406700e6274c5ed1ad92bea52a2

— this process held a file lock.

Next tries to run install script with trdl will always fail with file-lock timeout:

$ curl -sSL https://werf.io/install.sh | bash -s -- --ci
[INPUT REQUIRED] Current login shell is "bash". Press ENTER to setup werf for this shell or choose another one.
[b]ash/[z]sh/[a]bort? Default: bash.
[INFO] Skipping trdl installation: already installed in "/home/gitlab-runner/bin/".
[INFO] Adding werf repo to trdl.
Error: "/home/gitlab-runner/.trdl/.locks/2d478ff12948954c4b93c051a64d7374ee343545587b7059d75d5497bc7f37dc" file lock timeout 30s expired
[FATAL] Can't add "werf" repo to trdl.
[FATAL] Aborting.
Cleaning up project directory and file based variables
00:00
ERROR: Job failed: exit status 1

It is required to manually kill hanged background process to make trdl work again.

Key expiration date monitoring

Release and versioning of the vault plugin along with the client

Translation of the article "Security"

Arbitrary path for storing trdl_channels.yaml

Recommended GPG quorum signature creation flow

The "Quickstart" section on the site

Proofreading and improving the home page

Prohibit adding the same trusted key twice

A user/attacker can add the same key several times and add the same signature as many times during release and publication.

The "Reference" section on the site

Making GPG signatures for release artifacts

openpgp: unsupported feature: public key type: 22

The golang.org/x/crypto/openpgp package does not implement OpenPGP fully. Some algorithms are not supported (e.g., ECC that is offered by default on Mac). This library is frozen and deprecated.

Let's look at actual forks and other alternatives.

rel golang/go#44226

Add favicon to the site trdl.dev

MacOS: Self-update failed: unable to update tuf meta: tuf: no root keys found in local meta store

Recently I've got an error which I didn't remember. It was something about "database" and "file limit exceeded". Those time I've just removed folder that was mentioned in the error. Then I reinstalled trdl and now I'm getting the following error:

➜  ~ source $("$HOME/bin/trdl" use werf "1.2" "stable")
Previous run of trdl update in background generated following errors:
WARNING: Self-update failed: unable to update tuf meta: tuf: no root keys found in local meta store

I've looked through the instructions on werf documentation and trdl as well, but didn't found any idea how to fix that.

May be I need to completely remove trdl with all tuf metas and then reinstall trdl. But I don't know all paths that I have to remove. May be uninstallation sequence mentioned somewhere in documentation and I have missed it?

I need your advice, guys. For now each time I open the Terminal I'm getting that warning, its a bit annoying.
Thank you!

P.S. I'm running on MacOS Intel.

Add Option for Specifying Different Metadata and Targets URLs

Currently there is no way to specify different metadata and target URLs for the same repository, this means that trdl can't handle repositories such as the Bottlerocket one. For reference this is how the same is handled in tuftool:

VERSION="v1.6.1"
VARIANT="vmware-k8s-1.24"
OVA="bottlerocket-${VARIANT}-x86_64-${VERSION}.ova"
OUTDIR="${VARIANT}-${VERSION}"

tuftool download "${OUTDIR}" --target-name "${OVA}" \
   --root ./root.json \
   --metadata-url "https://updates.bottlerocket.aws/2020-07-07/${VARIANT}/x86_64/" \
   --targets-url "https://updates.bottlerocket.aws/targets/"

$ echo 'export PATH=$HOME/bin:$PATH' >> ~/.bash_profile
$ export PATH="$HOME/bin:$PATH"
$ curl -L "https://tuf.trdl.dev/targets/releases/0.1.3/linux-$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')/bin/trdl" -o /tmp/trdl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   162  100   162    0     0    177      0 --:--:-- --:--:-- --:--:--   177
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
100 8028k  100 8028k    0     0  3935k      0  0:00:02  0:00:02 --:--:-- 9206k
$ mkdir -p ~/bin
$ install /tmp/trdl ~/bin/trdl
$ trdl add kubedog https://tuf.kubedog.werf.io 1 2cc56abdc649a9699074097ba60206f1299e43b320d6170c40eab552dcb940d9e813a8abf5893ff391d71f0a84b39111ffa6403a3e038b81634a40d29674a531
$ source $(trdl use kubedog 0 stable)
Error: unable to update tuf meta: tuf: failed to decode timestamp.json: expired at 2021-10-30 09:32:34 +0000 UTC
Cleaning up file based variables
00:00
ERROR: Job failed: command terminated with exit code 1

trdl use --no-update

Simple shell script to perform main server plugin operations

Write a simple shell script to perform release and publsih server operations:

Create task.
Wait until task finished.
Query task logs.

Redesign CLI

Divide commands into groups
Update layout of a command usage
Update command descriptions

$ source $(trdl use werf 1.2 beta)
Error: unable to init tuf client: unable to get meta from file local store: leveldb/table: corruption on data-block (pos=0): checksum mismatch, want=0xf6eefbb5 got=0xac0f3c59 [file=049347.ldb]
-bash: source: filename argument required
source: usage: source filename [arguments]

werf / trdl Goto Github PK

trdl's Issues

Recommend Projects

Recommend Topics

Recommend Org