From f578e08fe08daa916a2e920919172a5d409bcd57 Mon Sep 17 00:00:00 2001
From: SequeI
Date: Wed, 8 Apr 2026 09:07:02 +0100
Subject: [PATCH 1/2] feat: make operator configurable

Signed-off-by: SequeI
---
 rhtas/tuf-repo-init.sh | 13 +++++++++++++
 tuftool/src/rhtas.rs | 22 +++++++++++++--------
 2 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/rhtas/tuf-repo-init.sh b/rhtas/tuf-repo-init.sh
index fb36cdd5..28cad128 100755
--- a/rhtas/tuf-repo-init.sh
+++ b/rhtas/tuf-repo-init.sh
@@ -44,6 +44,9 @@ Options:
 --metadata-expiration Tuftool-compatible tetadata expiration time; defaults to 56 weeks
+
+ --operator Operator name for signing config services; defaults to "rhtas"
 EOF
 }
@@ -59,6 +62,7 @@ export TSA_URI=""
 export CTLOG_URI=""
 export REKOR_URI=""
 export METADATA_EXPIRATION="in 52 weeks"
+export OPERATOR="rhtas"
 while [[ $# -gt 0 ]]; do
 case $1 in
@@ -122,6 +126,11 @@ while [[ $# -gt 0 ]]; do
 shift
 shift
 ;;
+ --operator)
+ OPERATOR="$2"
+ shift
+ shift
+ ;;
 -*)
 echo "Unknown option $1"
 exit 1
@@ -216,6 +225,7 @@ if [ -n "${FULCIO_CERT}" ]; then
 --set-fulcio-target "${FULCIO_CERT}" \
 --fulcio-uri "${FULCIO_URI}" \
 --oidc-uri "${OIDC_URI}" \
+ --operator "${OPERATOR}" \
 --targets-expires "${METADATA_EXPIRATION}" \
 --targets-version 1 \
 --snapshot-expires "${METADATA_EXPIRATION}" \
@@ -237,6 +247,7 @@ if [ -n "${TSA_CERT}" ]; then
 --key "${KEYDIR}/timestamp.pem" \
 --set-tsa-target "${TSA_CERT}" \
 --tsa-uri "${TSA_URI}" \
+ --operator "${OPERATOR}" \
 --targets-expires "${METADATA_EXPIRATION}" \
 --targets-version 1 \
 --snapshot-expires "${METADATA_EXPIRATION}" \
@@ -258,6 +269,7 @@ if [ -n "${CTLOG_KEY}" ]; then
 --key "${KEYDIR}/timestamp.pem" \
 --set-ctlog-target "${CTLOG_KEY}" \
 --ctlog-uri "${CTLOG_URI}" \
+ --operator "${OPERATOR}" \
 --targets-expires "${METADATA_EXPIRATION}" \
 --targets-version 1 \
 --snapshot-expires "${METADATA_EXPIRATION}" \
@@ -279,6 +291,7 @@ if [ -n "${REKOR_KEY}" ]; then
 --key "${KEYDIR}/timestamp.pem" \
 --set-rekor-target "${REKOR_KEY}" \
 --rekor-uri "${REKOR_URI}" \
+ --operator "${OPERATOR}" \
 --targets-expires "${METADATA_EXPIRATION}" \
 --targets-version 1 \
 --snapshot-expires "${METADATA_EXPIRATION}" \
diff --git a/tuftool/src/rhtas.rs b/tuftool/src/rhtas.rs
index 38728362..17960241 100644
--- a/tuftool/src/rhtas.rs
+++ b/tuftool/src/rhtas.rs
@@ -152,6 +152,10 @@ pub(crate) struct RhtasArgs {
 #[arg(long)]
 tsa_uri: Option,
+ /// Operator name for the signing config services
+ #[arg(long, default_value = "sigstore.dev")]
+ operator: String,
+
 /// Expiration of targets.json file; can be in full RFC 3339 format, or something like 'in
 /// 7 days'
 #[arg(long, value_parser = parse_datetime)]
@@ -694,13 +698,13 @@ impl RhtasArgs {
 let new_ca = CertificateAuthority {
 subject: Some(DistinguishedName {
- organization: "sigstore.dev".to_string(),
- common_name: "sigstore".to_string(),
+ organization: self.operator.clone(),
+ common_name: self.operator.clone(),
 }),
 uri: self.fulcio_uri.clone().unwrap(),
 cert_chain: Some(X509CertificateChain { certificates }),
 valid_for: valid_for.clone(),
- operator: String::new(),
+ operator: self.operator.clone(),
 };
 match trust_bundle
@@ -716,7 +720,7 @@ impl RhtasArgs {
 if let Err(e) = trust_bundle.add_oidc_url_to_signing_config(
 oidc_uri.clone(),
 valid_for,
- "sigstore.dev".to_string(),
+ self.operator.clone(),
 ) {
 eprintln!("Failed to add OIDC URL to signing_config: {e:?}");
 }
@@ -798,7 +802,7 @@ impl RhtasArgs {
 }),
 log_id: Some(LogId { key_id }),
 checkpoint_key_id: None,
- operator: String::new(),
+ operator: self.operator.clone(),
 };
 match trust_bundle.set_target(TargetType::Log(new_ctlog), Target::Ctlog) {
@@ -884,7 +888,7 @@ impl RhtasArgs {
 }),
 log_id: Some(LogId { key_id }),
 checkpoint_key_id: None,
- operator: String::new(),
+ operator: self.operator.clone(),
 };
 match trust_bundle.set_target(TargetType::Log(new_tlog), Target::Tlog) {
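Review bot: The `default_value = "sigstore.dev"` on the new `operator` field in the @@ -152 hunk means a direct `tuftool` run without `--operator` now writes "sigstore.dev" into every `operator` field that the @@ -694, @@ -798 and @@ -884 hunks (and the TSA entry in the @@ -955 hunk) previously left as `String::new()`, so a self-hosted deployment is recorded as operated by the public Sigstore service unless the caller overrides it. Clients that use the signing-config operator field to group or pick services may be misled by that label, and the wrapper script's own default of "rhtas" suggests the two defaults were not meant to diverge; an empty or neutral default would keep the old output for existing callers. The doc comment should also say what the value is for, e.g. `/// Operator name recorded in the trusted root and signing config; identifies who runs these services, so set it for self-hosted deployments`. The `RhtasArgs` struct and the methods these hunks touch begin and end outside the hunks.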
@@ -955,13 +959,13 @@ impl RhtasArgs {
 let new_tsa = CertificateAuthority {
 subject: Some(DistinguishedName {
- organization: "sigstore.dev".to_string(),
- common_name: "sigstore".to_string(),
+ organization: self.operator.clone(),
+ common_name: self.operator.clone(),
 }),
 uri: self.tsa_uri.clone().unwrap(),
 cert_chain: Some(X509CertificateChain { certificates }),
 valid_for: Some(TimeRange { start, end }),
- operator: String::new(),
+ operator: self.operator.clone(),
 };
 match trust_bundle

From 989052e47c350a4ece1a8c832afddce44b2fad1a Mon Sep 17 00:00:00 2001
From: SequeI
Date: Wed, 8 Apr 2026 09:28:06 +0100
Subject: [PATCH 2/2] feat: make ca configurable

Signed-off-by: SequeI
---
 rhtas/tuf-repo-init.sh | 26 ++++++++++++++++++++++++++
 tuftool/src/rhtas.rs | 16 ++++++++++++----
 2 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/rhtas/tuf-repo-init.sh b/rhtas/tuf-repo-init.sh
index 28cad128..97d244ed 100755
--- a/rhtas/tuf-repo-init.sh
+++ b/rhtas/tuf-repo-init.sh
@@ -47,6 +47,12 @@ Options:
 --operator Operator name for signing config services; defaults to "rhtas"
+
+ --organization Organization name in certificate authority subjects; defaults to "rhtas"
+
+ --common-name Common name in certificate authority subjects; defaults to "rhtas"
 EOF
 }
@@ -63,6 +69,8 @@ export CTLOG_URI=""
 export REKOR_URI=""
 export METADATA_EXPIRATION="in 52 weeks"
 export OPERATOR="rhtas"
+export ORGANIZATION="rhtas"
+export COMMON_NAME="rhtas"
 while [[ $# -gt 0 ]]; do
 case $1 in
@@ -131,6 +139,16 @@ while [[ $# -gt 0 ]]; do
 shift
 shift
 ;;
+ --organization)
+ ORGANIZATION="$2"
+ shift
+ shift
+ ;;
+ --common-name)
+ COMMON_NAME="$2"
+ shift
+ shift
+ ;;
 -*)
 echo "Unknown option $1"
 exit 1
@@ -226,6 +244,8 @@ if [ -n "${FULCIO_CERT}" ]; then
 --fulcio-uri "${FULCIO_URI}" \
 --oidc-uri "${OIDC_URI}" \
 --operator "${OPERATOR}" \
+ --organization "${ORGANIZATION}" \
+ --common-name "${COMMON_NAME}" \
 --targets-expires "${METADATA_EXPIRATION}" \
 --targets-version 1 \
 --snapshot-expires "${METADATA_EXPIRATION}" \
@@ -248,6 +268,8 @@ if [ -n "${TSA_CERT}" ]; then
 --set-tsa-target "${TSA_CERT}" \
 --tsa-uri "${TSA_URI}" \
 --operator "${OPERATOR}" \
+ --organization "${ORGANIZATION}" \
+ --common-name "${COMMON_NAME}" \
 --targets-expires "${METADATA_EXPIRATION}" \
 --targets-version 1 \
 --snapshot-expires "${METADATA_EXPIRATION}" \
@@ -270,6 +292,8 @@ if [ -n "${CTLOG_KEY}" ]; then
 --set-ctlog-target "${CTLOG_KEY}" \
 --ctlog-uri "${CTLOG_URI}" \
 --operator "${OPERATOR}" \
+ --organization "${ORGANIZATION}" \
+ --common-name "${COMMON_NAME}" \
 --targets-expires "${METADATA_EXPIRATION}" \
 --targets-version 1 \
 --snapshot-expires "${METADATA_EXPIRATION}" \
@@ -292,6 +316,8 @@ if [ -n "${REKOR_KEY}" ]; then
 --set-rekor-target "${REKOR_KEY}" \
 --rekor-uri "${REKOR_URI}" \
 --operator "${OPERATOR}" \
+ --organization "${ORGANIZATION}" \
+ --common-name "${COMMON_NAME}" \
 --targets-expires "${METADATA_EXPIRATION}" \
 --targets-version 1 \
 --snapshot-expires "${METADATA_EXPIRATION}" \
diff --git a/tuftool/src/rhtas.rs b/tuftool/src/rhtas.rs
index 17960241..2b75760a 100644
--- a/tuftool/src/rhtas.rs
+++ b/tuftool/src/rhtas.rs
@@ -156,6 +156,14 @@ pub(crate) struct RhtasArgs {
 #[arg(long, default_value = "sigstore.dev")]
 operator: String,
+ /// Organization name used in certificate authority subjects
+ #[arg(long, default_value = "sigstore.dev")]
+ organization: String,
+
+ /// Common name used in certificate authority subjects
+ #[arg(long, default_value = "sigstore")]
+ common_name: String,
+
 /// Expiration of targets.json file; can be in full RFC 3339 format, or something like 'in
 /// 7 days'
 #[arg(long, value_parser = parse_datetime)]
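Review bot: The new `organization` and `common_name` fields in the @@ -156 hunk accept any string, including an empty one, and nothing in this commit checks the value before it becomes the `subject` of the Fulcio and TSA `CertificateAuthority` entries, so `--organization ""` silently produces a trusted root with a blank CA subject. The file already uses `value_parser = parse_datetime` on the neighbouring field, so a non-empty parser fits the existing style: `#[arg(long, default_value = "sigstore.dev", value_parser = clap::builder::NonEmptyStringValueParser::new())]` and the same for `common_name`. The doc comments should also say where the values end up, e.g. `/// Organization (O) written into the subject of the Fulcio and TSA certificate-authority entries; free-form, not checked against the certificate chain`. The `RhtasArgs` struct begins and ends outside this hunk.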
@@ -698,8 +706,8 @@ impl RhtasArgs {
 let new_ca = CertificateAuthority {
 subject: Some(DistinguishedName {
- organization: self.operator.clone(),
- common_name: self.operator.clone(),
+ organization: self.organization.clone(),
+ common_name: self.common_name.clone(),
 }),
 uri: self.fulcio_uri.clone().unwrap(),
 cert_chain: Some(X509CertificateChain { certificates }),
@@ -959,8 +967,8 @@ impl RhtasArgs {
 let new_tsa = CertificateAuthority {
 subject: Some(DistinguishedName {
- organization: self.operator.clone(),
- common_name: self.operator.clone(),
+ organization: self.organization.clone(),
+ common_name: self.common_name.clone(),
 }),
 uri: self.tsa_uri.clone().unwrap(),
 cert_chain: Some(X509CertificateChain { certificates }),
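Review bot: In both the @@ -698 and @@ -959 hunks the `subject` DN is now taken verbatim from the CLI flags while `cert_chain` is built from the parsed `certificates`, so the trusted root can describe a CA whose stated organization and common name disagree with the embedded chain, and nothing cross-checks the two. If the parser that produces `certificates` exposes the certificate subject, deriving `organization`/`common_name` from it and using the flags only as a fallback would keep the two consistent; otherwise a warning on mismatch would at least make the divergence visible to the operator. The same `DistinguishedName` construction is duplicated for Fulcio and TSA, so a small private helper taking `&self` would avoid fixing it in two places. Both enclosing methods begin and end outside these hunks.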