
Commit 42923ca

authored
Merge pull request #371 from securesign/sync-upstream/main/v2.1.2
[Upstream Sync] Merge v2.1.2 into main
2 parents bc0193f + f020beb commit 42923ca

27 files changed

Lines changed: 907 additions & 460 deletions

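--- a/.github/workflows/build-snapshot.yaml
+++ b/.github/workflows/build-snapshot.yaml
@@ -12,17 +12,17 @@ jobs:
 
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 
-- uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: './go.mod'
 check-latest: true
 
-- uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
-- uses: anchore/sbom-action/download-syft@a930d0ac434e3182448fe678398ba5713717112a # v0.21.0
+- uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
+- uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
 - uses: imjasonh/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
 - name: Set LDFLAGS
@@ -34,7 +34,7 @@ jobs:
 
 - name: Run GoReleaser
 id: run-goreleaser
-uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.2.1 # zizmor: ignore[cache-poisoning]
+uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v6.2.1 # zizmor: ignore[cache-poisoning]
 with:
 distribution: goreleaser-pro
 version: latest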
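Review bot: The goreleaser-action pin in the last hunk moves to SHA `5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89` but keeps the `# v6.2.1` label, while release.yaml in this same commit labels that exact SHA `# v7.2.2` (and labels the old SHA `e435ccd…` as v6.4.0, not v6.2.1). A stale version comment defeats the point of SHA pinning for reviewers and for tools that reconcile the comment against the pinned commit: a reader of this file sees a patch-level bump where a major-version upgrade actually happened. The line should read `uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2 # zizmor: ignore[cache-poisoning]`. Separately, `version: latest` on the unchanged line below means the GoReleaser binary the action downloads is not pinned at all, so the SHA pin covers the wrapper but not the tool that builds and signs the snapshot; pinning that version is worth doing alongside this bump.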

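--- a/.github/workflows/codeql_analysis.yaml
+++ b/.github/workflows/codeql_analysis.yaml
@@ -40,18 +40,18 @@ jobs:
 language: [ 'go' ]
 steps:
 - name: Checkout repository
-uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 
-- uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: './go.mod'
 check-latest: true
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
-uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
 with:
 languages: ${{ matrix.language }}
 build-mode: manual
@@ -62,4 +62,4 @@ jobs:
 make all test
 
 - name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0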

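--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -20,18 +20,18 @@ jobs:
 hashes: ${{ steps.hash.outputs.hashes }}
 tag_name: ${{ steps.tag.outputs.tag_name }}
 steps:
-- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 
-- uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: './go.mod'
 check-latest: true
 cache: false # avoid cache-poisoning attacks
 
-- uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
-- uses: anchore/sbom-action/download-syft@a930d0ac434e3182448fe678398ba5713717112a # v0.21.0
+- uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
+- uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
 - uses: imjasonh/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
 - name: Set LDFLAGS
@@ -43,7 +43,7 @@ jobs:
 
 - name: Run GoReleaser
 id: run-goreleaser
-uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
+uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
 with:
 distribution: goreleaser-pro
 version: latest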

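--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -37,7 +37,7 @@ jobs:
 id-token: write
 steps:
 - name: "Checkout code"
-uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 
@@ -58,14 +58,14 @@ jobs:
 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
 # format to the repository Actions tab.
 - name: "Upload artifact"
-uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: SARIF file
 path: results.sarif
 retention-days: 5
 
 # Upload the results to GitHub's code scanning dashboard.
 - name: "Upload to code-scanning"
-uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
 with:
 sarif_file: results.sarif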

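--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -34,11 +34,11 @@ jobs:
 OS: ubuntu-latest
 
 steps:
-- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-- uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
 with:
 # In order:
 # * Module download cache
@@ -51,7 +51,7 @@ jobs:
 key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
 restore-keys: |
 ${{ runner.os }}-go-
-- uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: './go.mod'
 check-latest: true
@@ -60,7 +60,7 @@ jobs:
 - name: Run Go tests
 run: go test -covermode atomic -coverprofile coverage.txt $(go list ./... | grep -v third_party/)
 - name: Upload Coverage Report
-uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
 with:
 env_vars: OS
 - name: Run Go tests w/ `-race`
@@ -73,10 +73,10 @@ jobs:
 permissions:
 contents: read
 steps:
-- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
-- uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: './go.mod'
 check-latest: true
@@ -93,16 +93,16 @@ jobs:
 permissions:
 contents: read
 steps:
-- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
-- uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: './go.mod'
 check-latest: true
 
 - name: golangci-lint
-uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
+uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1
 with:
 version: v2.6
 args: --timeout=10m --verbose
@@ -113,10 +113,10 @@ jobs:
 permissions:
 contents: read
 steps:
-- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
-- uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: './go.mod'
 check-latest: true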

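--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,20 @@
+# v2.0.5
+
+This release updates the chi middleware to resolve a panic.
+
+## Bug Fixes
+
+* Upgrade chi middleware v4 -> v5 (#1307)
+
+## Docs
+
+* Update the semantics of the NTP monitoring so its clear in the README (#1276)
+* docs: note that CRL/OCSP checks are not performed (#1277)
+
+## Misc
+
+* Increase default HTTP idle timeout (#1287)
+
 # v2.0.4
 
 Only contains dependency updates, but fixes #1252 due to breaking API change in sigstore/sigstore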

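--- a/Dockerfile
+++ b/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.25.5@sha256:8bbd14091f2c61916134fa6aeb8f76b18693fcb29a39ec6d8be9242c0a7e9260 AS builder
+FROM golang:1.26.3@sha256:2d6c80227255c3112a4d08e67ba98e58efd3846daf15d9d7d4c389565d881b1a AS builder
 ENV APP_ROOT=/opt/app-root
 ENV GOPATH=$APP_ROOT
 
@@ -36,7 +36,7 @@ RUN go install github.com/go-delve/delve/cmd/dlv@v1.9.0
 COPY --from=builder /opt/app-root/src/timestamp-server_debug /usr/local/bin/timestamp-server
 
 # Multi-Stage production build
-FROM golang:1.25.5@sha256:8bbd14091f2c61916134fa6aeb8f76b18693fcb29a39ec6d8be9242c0a7e9260 AS deploy
+FROM golang:1.26.3@sha256:2d6c80227255c3112a4d08e67ba98e58efd3846daf15d9d7d4c389565d881b1a AS deploy
 
 # Retrieve the binary from the previous stage
 COPY --from=builder /opt/app-root/src/timestamp-server /usr/local/bin/timestamp-server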

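--- a/README.md
+++ b/README.md
@@ -256,6 +256,17 @@ To run the TSA, set `--timestamp-signer=tink`, `--tink-key-resource=<path-to-kms
 `--tink-keyset-path=enc-keyset.cfg`. The key resource should be prefixed with either `gcp-kms://`, `aws-kms://`, or `hcvault://`.
 If using Vault, you may also set `--tink-hcvault-token`. Provide the path to the chain with `--certificate-chain-path`.
 
+## Time accuracy and monitoring
+
+The service can be configured to monitor the time from other trusted NTP
+sources and compare with the host's time. If too few NTP servers
+respond, or the time difference is greater than the current configured
+threshold, the metric `timestamp_authority_ntp_errors_total` is
+incremented. Note that the service does _not stop issuing
+timestamps_. It's up to the operator to configure necessary controls to
+prevent issuing timestamps when the time drift is greater than what's
+stated in the timestamping policy.
+
 ## Security
 
 Should you discover any security issues, please refer to Sigstore's [security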

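--- a/cmd/timestamp-server/app/root.go
+++ b/cmd/timestamp-server/app/root.go
@@ -18,8 +18,9 @@ package app
 import (
 "fmt"
 "os"
+"time"
 
-"github.com/go-chi/chi/middleware"
+"github.com/go-chi/chi/v5/middleware"
 homedir "github.com/mitchellh/go-homedir"
 "github.com/sigstore/timestamp-authority/v2/pkg/log"
 "github.com/spf13/cobra"
@@ -83,6 +84,11 @@ func init() {
 
 rootCmd.PersistentFlags().String("http-request-id-header-name", middleware.RequestIDHeader, "name of HTTP Request Header to use as request correlation ID")
 rootCmd.PersistentFlags().Uint64("max-request-body-size", 1048576, "Maximum allowed size for request bodies in bytes (1MB by default)")
+rootCmd.PersistentFlags().Duration("cleanup-timeout", 620*time.Second, "grace period for which to wait before killing idle connections")
+
+rootCmd.PersistentFlags().String("default-policy-oid", "1.3.6.1.4.1.57264.2", "Default policy OID to use if none is specified in the request")
+rootCmd.PersistentFlags().StringSlice("accepted-policy-oids", []string{"1.3.6.1.4.1.57264.2"}, "List of policy OIDs accepted in timestamp requests")
+rootCmd.PersistentFlags().Bool("allow-custom-extensions", false, "Whether to allow and copy custom request extensions into the signed timestamp")
 
 if err := viper.BindPFlags(rootCmd.PersistentFlags()); err != nil {
 log.Logger.Fatal(err)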
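Review bot: The new `default-policy-oid` and `accepted-policy-oids` flags in the second hunk are registered independently, so an operator can configure a default OID that is absent from the accepted list and nothing in this hunk rejects it; the defaults only agree because both are set to 1.3.6.1.4.1.57264.2. Unless the server code (not visible here) cross-checks them, a request carrying no policy would presumably be stamped with an OID the server would refuse if a client had asked for it explicitly, so a startup check such as `if !slices.Contains(viper.GetStringSlice("accepted-policy-oids"), viper.GetString("default-policy-oid")) { log.Logger.Fatal("default-policy-oid must be listed in accepted-policy-oids") }` in the serve command would close that gap, and neither flag is checked for OID syntax at parse time either. The help text for `allow-custom-extensions` should also state the consequence of enabling it, e.g. `"Whether to allow and copy custom request extensions into the signed timestamp (embeds unvalidated client-supplied data in the signed token; keep disabled unless required)"`. The enclosing `init()` starts before this hunk and continues after it.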

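--- a/cmd/timestamp-server/app/serve.go
+++ b/cmd/timestamp-server/app/serve.go
@@ -19,7 +19,7 @@ import (
 "flag"
 "net/http"
 
-"github.com/go-chi/chi/middleware"
+"github.com/go-chi/chi/v5/middleware"
 "github.com/spf13/cobra"
 "github.com/spf13/viper"
 "sigs.k8s.io/release-utils/version"
@@ -56,6 +56,7 @@ var serveCmd = &cobra.Command{
 
 readTimeout := viper.GetDuration("read-timeout")
 writeTimeout := viper.GetDuration("write-timeout")
+cleanupTimeout := viper.GetDuration("cleanup-timeout")
 
 go func() {
 promServer := server.NewPrometheusServer(readTimeout, writeTimeout)
@@ -105,6 +106,7 @@ var serveCmd = &cobra.Command{
 port := int(viper.GetUint("port"))
 scheme := viper.GetStringSlice("scheme")
 server := server.NewRestAPIServer(host, port, scheme, httpPingOnly, readTimeout, writeTimeout)
+server.CleanupTimeout = cleanupTimeout
 defer func() {
 if err := server.Shutdown(); err != nil {
 log.Logger.Error(err)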
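Review bot: `cleanupTimeout` is assigned to `server.CleanupTimeout` on the new line of the last hunk without any range check, so a zero or negative value arriving via flag, environment or config file is handed straight to the server; how the server treats a non-positive grace period is not visible in this hunk, so it is worth rejecting it up front next to where the value is read, `if cleanupTimeout < 0 { log.Logger.Fatalf("cleanup-timeout must not be negative: %s", cleanupTimeout) }`. The assignment also relies on the local `server` shadowing the imported `server` package (pre-existing on the line above), which makes the new line easy to misread as setting a package-level field; threading the value through `NewRestAPIServer` with the other timeouts would keep them in one place, though that constructor is outside this hunk. The enclosing `serveCmd` definition begins and ends outside the hunk.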
