siguldry/lib.rs
1// SPDX-License-Identifier: MIT
2// Copyright (c) Microsoft Corporation.
3
4/*!
5# Siguldry
6
7Siguldry is (currently) an experimental replacement for Fedora's software signing service,
8[Sigul][1]. It is heavily inspired by Sigul, but includes a few protocol changes based on how
9Sigul is currently used in Fedora, which is significantly different from how it was originally
10envisioned when Sigul was designed.
11
12The key differences are that unlike Sigul, all client-server communication happens in the nested TLS
13session, and as such, it is no longer possible to mix traffic to the inner and outer TLS sessions:
14after the protocol header is sent to the bridge, all traffic must be sent via the inner session.
15
16In addition to the protocol level change, Siguldry also supports a slightly different set of
17commands.
18
19## Components
20
21The service includes three components. The first part, the server, is responsible for keeping the
22signing keys safe and for servicing client requests for signatures. The server is designed such
23that the host firewall can drop all incoming traffic (assuming there's out-of-band management
24available). It does this by connecting to the second component, the bridge.
25
26The bridge is a proxy. It accepts connections from servers and clients, which are both
27authenticated using mutual TLS certificates, and then ferries client and server traffic between the
28two connections. This ensures only clients with valid TLS certificates can even initialize a
29connection to the server.
30
31The final component is the client which lets users request signatures from the server. It is
32intended to be used in a larger application which handles content-specific details, like extracting
33RPM package headers for signing.
34
35Additionally, this crate provides a legacy [Sigul][1] client that is compatible with version
361.2+.
37
38<div class="warning">This crate is still under active development and there will be several more
39rounds API-breaking changes before a 1.0 release is made.</div>
40
41## Crate features
42
43By default, the server, bridge, and client for Siguldry along with their CLIs is built.
44
45* **cli** -
46 Include the experimental Siguldry CLIs. This is a default feature.
47
48* **server** -
49 Include the experimental Siguldry server APIs. This is a default feature.
50
51* **sigul-client** -
52 Include the client compatible with Sigul 1.2. This is not enabled by default.
53
54[1]: https://pagure.io/sigul
55*/
56
57#[cfg(feature = "sigul-client")]
58mod serdes;
59#[cfg(feature = "sigul-client")]
60pub mod v1;
61
62pub mod bridge;
63pub mod client;
64pub mod config;
65pub mod error;
66pub(crate) mod nestls;
67pub mod protocol;
68#[cfg(feature = "server")]
69pub mod server;