diff --git a/rhtas/tuf-repo-init.sh b/rhtas/tuf-repo-init.sh
index fb36cdd5..97d244ed 100755
--- a/rhtas/tuf-repo-init.sh
+++ b/rhtas/tuf-repo-init.sh
@@ -44,6 +44,15 @@ Options:
 --metadata-expiration
 Tuftool-compatible tetadata expiration time; defaults to 56 weeks
+
+ --operator
+ Operator name for signing config services; defaults to "rhtas"
+
+ --organization
+ Organization name in certificate authority subjects; defaults to "rhtas"
+
+ --common-name
+ Common name in certificate authority subjects; defaults to "rhtas"
 EOF
 }
@@ -59,6 +68,9 @@ export TSA_URI=""
 export CTLOG_URI=""
 export REKOR_URI=""
 export METADATA_EXPIRATION="in 52 weeks"
+export OPERATOR="rhtas"
+export ORGANIZATION="rhtas"
+export COMMON_NAME="rhtas"
 while [[ $# -gt 0 ]]; do
 case $1 in
@@ -122,6 +134,21 @@ while [[ $# -gt 0 ]]; do
 shift
 shift
 ;;
+ --operator)
+ OPERATOR="$2"
+ shift
+ shift
+ ;;
+ --organization)
+ ORGANIZATION="$2"
+ shift
+ shift
+ ;;
+ --common-name)
+ COMMON_NAME="$2"
+ shift
+ shift
+ ;;
 -*)
 echo "Unknown option $1"
 exit 1
@@ -216,6 +243,9 @@ if [ -n "${FULCIO_CERT}" ]; then
 --set-fulcio-target "${FULCIO_CERT}" \
 --fulcio-uri "${FULCIO_URI}" \
 --oidc-uri "${OIDC_URI}" \
+ --operator "${OPERATOR}" \
+ --organization "${ORGANIZATION}" \
+ --common-name "${COMMON_NAME}" \
 --targets-expires "${METADATA_EXPIRATION}" \
 --targets-version 1 \
 --snapshot-expires "${METADATA_EXPIRATION}" \
@@ -237,6 +267,9 @@ if [ -n "${TSA_CERT}" ]; then
 --key "${KEYDIR}/timestamp.pem" \
 --set-tsa-target "${TSA_CERT}" \
 --tsa-uri "${TSA_URI}" \
+ --operator "${OPERATOR}" \
+ --organization "${ORGANIZATION}" \
+ --common-name "${COMMON_NAME}" \
 --targets-expires "${METADATA_EXPIRATION}" \
 --targets-version 1 \
 --snapshot-expires "${METADATA_EXPIRATION}" \
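Review bot: The new `--operator`, `--organization` and `--common-name` cases in the `@@ -122` hunk read `$2` unchecked, so a trailing flag with no value (or an explicit empty string) leaves the variable empty, and because the later hunks pass `--operator "${OPERATOR}"` and friends unconditionally to every tuftool invocation, the result is a trust bundle whose operator and CA-subject fields are empty rather than a failed run. The existing cases above follow the same pattern, but these three values become identity fields in signed metadata, so a one-line guard per case is worth it: `OPERATOR="${2:?--operator requires a value}"`, and likewise for `ORGANIZATION` and `COMMON_NAME`. The enclosing `case` statement starts before this hunk.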
@@ -258,6 +291,9 @@ if [ -n "${CTLOG_KEY}" ]; then
 --key "${KEYDIR}/timestamp.pem" \
 --set-ctlog-target "${CTLOG_KEY}" \
 --ctlog-uri "${CTLOG_URI}" \
+ --operator "${OPERATOR}" \
+ --organization "${ORGANIZATION}" \
+ --common-name "${COMMON_NAME}" \
 --targets-expires "${METADATA_EXPIRATION}" \
 --targets-version 1 \
 --snapshot-expires "${METADATA_EXPIRATION}" \
@@ -279,6 +315,9 @@ if [ -n "${REKOR_KEY}" ]; then
 --key "${KEYDIR}/timestamp.pem" \
 --set-rekor-target "${REKOR_KEY}" \
 --rekor-uri "${REKOR_URI}" \
+ --operator "${OPERATOR}" \
+ --organization "${ORGANIZATION}" \
+ --common-name "${COMMON_NAME}" \
 --targets-expires "${METADATA_EXPIRATION}" \
 --targets-version 1 \
 --snapshot-expires "${METADATA_EXPIRATION}" \
diff --git a/tuftool/src/rhtas.rs b/tuftool/src/rhtas.rs
index 38728362..2b75760a 100644
--- a/tuftool/src/rhtas.rs
+++ b/tuftool/src/rhtas.rs
@@ -152,6 +152,18 @@ pub(crate) struct RhtasArgs {
 #[arg(long)]
 tsa_uri: Option,
+ /// Operator name for the signing config services
+ #[arg(long, default_value = "sigstore.dev")]
+ operator: String,
+
+ /// Organization name used in certificate authority subjects
+ #[arg(long, default_value = "sigstore.dev")]
+ organization: String,
+
+ /// Common name used in certificate authority subjects
+ #[arg(long, default_value = "sigstore")]
+ common_name: String,
+
 /// Expiration of targets.json file; can be in full RFC 3339 format, or something like 'in
 /// 7 days'
 #[arg(long, value_parser = parse_datetime)]
@@ -694,13 +706,13 @@ impl RhtasArgs {
 let new_ca = CertificateAuthority {
 subject: Some(DistinguishedName {
- organization: "sigstore.dev".to_string(),
- common_name: "sigstore".to_string(),
+ organization: self.organization.clone(),
+ common_name: self.common_name.clone(),
 }),
 uri: self.fulcio_uri.clone().unwrap(),
 cert_chain: Some(X509CertificateChain { certificates }),
 valid_for: valid_for.clone(),
- operator: String::new(),
+ operator: self.operator.clone(),
 };
 match trust_bundle
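Review bot: The `default_value = "sigstore.dev"` on the new `operator` field in the `@@ -152` hunk silently changes output for every existing caller that does not pass `--operator`: the lines removed in the later hunks set `operator: String::new()` on the Fulcio, CTLog, Rekor and TSA entries, so a private deployment built with the old command line will now have all of those entries labelled as operated by the public Sigstore instance, a field clients may use to select services from the signing config. If that is intended it should be stated in the doc comment; otherwise `#[arg(long, default_value_t)]` (an empty `String`) keeps the previous bundle contents while leaving the flag optional, and the same consideration applies to the `organization`/`common_name` defaults, which previously were hard-coded only where a subject was already being written. Separately, none of the three strings is rejected when empty, so `--organization ""` produces an empty certificate-authority subject; a `value_parser` such as clap's `NonEmptyStringValueParser`, in the style of the `parse_datetime` parser already used on the next field, would catch that at argument parsing. The `RhtasArgs` struct continues outside this hunk.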
@@ -716,7 +728,7 @@ impl RhtasArgs {
 if let Err(e) = trust_bundle.add_oidc_url_to_signing_config(
 oidc_uri.clone(),
 valid_for,
- "sigstore.dev".to_string(),
+ self.operator.clone(),
 ) {
 eprintln!("Failed to add OIDC URL to signing_config: {e:?}");
 }
@@ -798,7 +810,7 @@ impl RhtasArgs {
 }),
 log_id: Some(LogId { key_id }),
 checkpoint_key_id: None,
- operator: String::new(),
+ operator: self.operator.clone(),
 };
 match trust_bundle.set_target(TargetType::Log(new_ctlog), Target::Ctlog) {
@@ -884,7 +896,7 @@ impl RhtasArgs {
 }),
 log_id: Some(LogId { key_id }),
 checkpoint_key_id: None,
- operator: String::new(),
+ operator: self.operator.clone(),
 };
 match trust_bundle.set_target(TargetType::Log(new_tlog), Target::Tlog) {
@@ -955,13 +967,13 @@ impl RhtasArgs {
 let new_tsa = CertificateAuthority {
 subject: Some(DistinguishedName {
- organization: "sigstore.dev".to_string(),
- common_name: "sigstore".to_string(),
+ organization: self.organization.clone(),
+ common_name: self.common_name.clone(),
 }),
 uri: self.tsa_uri.clone().unwrap(),
 cert_chain: Some(X509CertificateChain { certificates }),
 valid_for: Some(TimeRange { start, end }),
- operator: String::new(),
+ operator: self.operator.clone(),
 };
 match trust_bundle