Upgrade tuf dependency (#1017)

jku · web-flow · commit 09da22b2a365 · 2024-05-14T08:52:22.000-04:00
diff --git a/pyproject.toml b/pyproject.toml
@@ -38,7 +38,7 @@ dependencies = [
   "sigstore-protobuf-specs ~= 0.3.2",
   # NOTE(ww): Under active development, so strictly pinned.
   "sigstore-rekor-types == 0.0.13",
-  "tuf ~= 4.0",
+  "tuf ~= 5.0",
   "platformdirs ~= 4.2",
 ]
 requires-python = ">=3.8"
diff --git a/sigstore/_internal/tuf.py b/sigstore/_internal/tuf.py
@@ -25,8 +25,9 @@
 
 import platformdirs
 from tuf.api import exceptions as TUFExceptions
-from tuf.ngclient import RequestsFetcher, Updater
+from tuf.ngclient import Updater, UpdaterConfig
 
+from sigstore import __version__
 from sigstore._utils import read_embedded
 from sigstore.errors import RootError, TUFError
 
@@ -36,18 +37,6 @@
 STAGING_TUF_URL = "https://tuf-repo-cdn.sigstage.dev"
 
 
-@lru_cache()
-def _get_fetcher() -> RequestsFetcher:
-    # NOTE: We poke into the underlying fetcher here to set a more reasonable timeout.
-    # The default timeout is 4 seconds, which can cause spurious timeout errors on
-    # CI systems like GitHub Actions (where traffic may be delayed/deprioritized due
-    # to network load).
-    fetcher = RequestsFetcher()
-    fetcher.socket_timeout = 30
-
-    return fetcher
-
-
 def _get_dirs(url: str) -> tuple[Path, Path]:
     """
     Given a TUF repository URL, return suitable local metadata and cache directories.
@@ -133,7 +122,7 @@ def __init__(self, url: str, offline: bool = False) -> None:
                 metadata_base_url=self._repo_url,
                 target_base_url=parse.urljoin(f"{self._repo_url}/", "targets/"),
                 target_dir=str(self._targets_dir),
-                fetcher=_get_fetcher(),
+                config=UpdaterConfig(app_user_agent=f"sigstore-python/{__version__}"),
             )
             try:
                 self._updater.refresh()
diff --git a/test/unit/conftest.py b/test/unit/conftest.py
@@ -33,6 +33,7 @@
 )
 from tuf.api.exceptions import DownloadHTTPError
 from tuf.ngclient import FetcherInterface
+from tuf.ngclient.updater import requests_fetcher
 
 from sigstore._internal import tuf
 from sigstore._internal.rekor import _hashedrekord_from_parts
@@ -225,7 +226,7 @@ def verify(self, cert):
 
 @pytest.fixture
 def mock_staging_tuf(monkeypatch, tuf_dirs):
-    """Mock that prevents tuf module from making requests: it returns staging
+    """Mock that prevents python-tuf from making requests: it returns staging
     assets from a local directory instead
 
     Return a tuple of dicts with the requested files and counts"""
@@ -244,7 +245,9 @@ def _fetch(self, url: str) -> Iterator[bytes]:
             failure[filename] += 1
             raise DownloadHTTPError("File not found", 404)
 
-    monkeypatch.setattr(tuf, "_get_fetcher", lambda: MockFetcher())
+    monkeypatch.setattr(
+        requests_fetcher, "RequestsFetcher", lambda app_user_agent: MockFetcher()
+    )
 
     return success, failure
 

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ dependencies = [`
`38`	`38`	`"sigstore-protobuf-specs ~= 0.3.2",`
`39`	`39`	`# NOTE(ww): Under active development, so strictly pinned.`
`40`	`40`	`"sigstore-rekor-types == 0.0.13",`
`41`		`- "tuf ~= 4.0",`
	`41`	`+ "tuf ~= 5.0",`
`42`	`42`	`"platformdirs ~= 4.2",`
`43`	`43`	`]`
`44`	`44`	`requires-python = ">=3.8"`