Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove deprecated CLI/API arguments and legacy securesystemslib integration #739

Merged
merged 17 commits into from
May 9, 2024
Merged

Remove deprecated CLI/API arguments and legacy securesystemslib integration #739

merged 17 commits into from
May 9, 2024

Conversation

lukpueh
Copy link
Member

@lukpueh lukpueh commented Apr 30, 2024

Fixes #697

This PR removes deprecated CLI and API arguments related to signature creation and verification. See deprecation and replacement note v2.2.0 release notes for details.

Docs and tests are updated accordingly.

I suggest to review commit by commit, and maybe skim test changes (coverage remains the same.

Nice side-effects are:

  • legacy securesystemslib integration is removed
  • pynacl optional dependency is removed
  • test speed increases significantly (~10s instead of ~40s)

lukpueh added 14 commits April 30, 2024 17:08
@lukpueh
doc: update signing and verification key rtd docs
292ec12 
Replace docs related to deprecated key interfaces with up-to-date docs.

Signed-off-by: Lukas Puehringer <[email protected]>
@lukpueh
doc: use new key args in cli docs
c7a905b 
Rewrite cli docs to use:
- signing-key instead of key and key-type
- verification-keys instead of layout-keys

Signed-off-by: Lukas Puehringer <[email protected]>
@lukpueh
test: remove unnecessary keygen in validation test
deedd01 
Key generation is costly and the used interface is deprecated. Mocking
the test data is good enough.

This commit also removes redundant and unrelated tests.

Signed-off-by: Lukas Puehringer <[email protected]>
@lukpueh
test: remove legacy verification key arg tests
4a44313 
Remove in-toto-verify cli tests related to the deprecated --layout-keys
argument. Similar tests, which use the replacement argument
--verification-key, have been added previously (see
TestInTotoVerifySubjectPublicKeyInfoKeys).

A few missing test cases are ported.

Signed-off-by: Lukas Puehringer <[email protected]>
@lukpueh
test: refactor TestSigner to use in-memory test keys
5dc1935 
Use in-memory test key store instead of loading them from file. This is
faster and does not require deprecated key file loading functions.

Signed-off-by: Lukas Puehringer <[email protected]>
@lukpueh
test: remove legacy signing key arg tests
693e604 
Remove or replace in-toto-sign and in-toto-record cli tests related to
the the deprecated --key argument, and runlib tests related to the
deprecated signing_key argument.

Similar tests, which use the replacement --signing-key (cli) or signer
(runlib) argument have been added previously.

A few missing test cases are ported.

The commit also switches to the in-memory test key store, instead of
loading keys from files.

Signed-off-by: Lukas Puehringer <[email protected]>
@lukpueh
test: remove obsolete key generation mixin
9ad57c6 
Tests use an in-memory test key store now, which is populated from key
files only once. This increases test speed significantly, compared to
generating keys on the fly, and doesn't need any deprecated key
interfaces.

Signed-off-by: Lukas Puehringer <[email protected]>
@lukpueh
test: remove legacy test key files
90a5a47 
Signed-off-by: Lukas Puehringer <[email protected]>
@lukpueh
Remove legacy verification key arg in cli
df71f7c 
Removes --layout-keys and the related --key-types in favor of
--verification-keys.

Signed-off-by: Lukas Puehringer <[email protected]>
@lukpueh
Remove legacy signing key arg in cli and runlib
db7aa0c 
Removes --key and the related --key-type in favor of --signing-key
(cli), and removes signing_key argument in favor of signer (runlib).

Signed-off-by: Lukas Puehringer <[email protected]>
@lukpueh
Remove deprecated Metadata.sign method
c0b5b3e 
Removes Metadata.sign in favor of the replacement create_signature
method..

Signed-off-by: Lukas Puehringer <[email protected]>
@lukpueh
Remove unused signing key format validator
ca8f5bd 
Signed-off-by: Lukas Puehringer <[email protected]>
@lukpueh
Remove unused import in layout.py
3873d5b 
Signed-off-by: Lukas Puehringer <[email protected]>
@lukpueh
dep: remove obsolete optional pynacl dependency
8eae1a4 
securesystemslib no longer requires pynacl for ed25519 keys, instead
pyca/cryptography can be used for all supported key types.

Signed-off-by: Lukas Puehringer <[email protected]>
@lukpueh lukpueh force-pushed the adopt-sslib-legacy-removal branch from fec4bb7 to 8eae1a4 Compare April 30, 2024 15:08
@lukpueh
Copy link
Member Author

lukpueh commented Apr 30, 2024

test failures in sslib main are expected an will be addressed in a separate PR

@lukpueh lukpueh mentioned this pull request Apr 30, 2024
Merged
@lukpueh
Remove unused constants form securesystemslib
6c5beb0 
These constants will no longer exist in securesystemslib 1.0.0.

Signed-off-by: Lukas Puehringer <[email protected]>
@adityasaky adityasaky self-requested a review May 2, 2024 14:27
adityasaky
adityasaky reviewed May 3, 2024
View reviewed changes
Copy link
Member

@adityasaky adityasaky left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't take the most detailed pass at this, but this looks good to me, minus some questions about versioning. If this is going to be a "breaking change" release (edit: I see from the last release notes that we call out a major release), maybe we can preserve some of the CLI arg names. --layout-keys, to me, is a lot clearer than --verification-keys, for example.

doc/source/api.rst Outdated Show resolved Hide resolved
doc/source/api.rst Show resolved Hide resolved
tests/test_in_toto_verify.py Show resolved Hide resolved
@lukpueh
Copy link
Member Author

lukpueh commented May 6, 2024

If this is going to be a "breaking change" release, maybe we can preserve some of the CLI arg names. --layout-keys, to me, is a lot clearer than --verification-keys, for example.

Yes, we could. Though, it would surely upset users, who "migrated" from --layout-keys to --verification-keys, after the last release. Now the'll have to half-migrate back.

IMO having a new different successor arg name, instead of repurposing the existing one, is a more transparent API break.

@adityasaky
Copy link
Member

Seems reasonable! I'll take another pass later today, sorry for the multiple go-s at this. :)

adityasaky
adityasaky approved these changes May 8, 2024
View reviewed changes
in_toto/common_args.py Outdated Show resolved Hide resolved
@lukpueh @adityasaky
Update in_toto/common_args.py
66bac2c 
Co-authored-by: Aditya Sirish <[email protected]>
Signed-off-by: Lukas Pühringer <[email protected]>
@lukpueh
Copy link
Member Author

lukpueh commented May 9, 2024

test failures in sslib main are expected an will be addressed in a separate PR

this is still true. merging...

@lukpueh lukpueh merged commit b9b3fc1 into in-toto:develop May 9, 2024
15 of 16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adityasaky adityasaky adityasaky approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Drop legacy securesystemslib integration
2 participants
@lukpueh @adityasaky