compatibility issue with root-signing TUF metadata #369

Closed
jku opened this issue May 31, 2024 · 6 comments
Labels
bug Something isn't working

Comments

@jku
Member

jku commented May 31, 2024

@tnytown found some compatibility issues with root-signing-staging during #354:

  1. keyids were accidentally non-compliant: this concerns root-signing-staging only and will be fixed there, hopefully next week (sigstore-rs needs to initialize with the fixed root.json at that point, sorry about that)
  2. it turns out that awslabs/tough does not support METAFILEs without hashes and length in TUF metadata: they are optional in the specification. Current root-signing-staging metadata does not include these optional items but because awslabs/tough requires them sigstore-rs will not work with root-signing-staging even after the previous issue is fixed

This issue is about the second item above. Some more context:

  • I maintain tuf-on-ci, the tool that is used to produce the root-signing-staging repository
  • The plan is to start maintaining the production root-signing repo with the same tool: this means sigstore-rs will have the same issue with production infra soon
  • I was not planning on including hashes and length in the metadata in the future but I am willing to discuss...
  • I imagine adding support for optional hashes and length into awslabs/tough client is not an unreasonable amount of work
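To make the second point concrete, here is an added example (not code from sigstore-rs, awslabs/tough or tuf-on-ci): a small Python parser for the METAFILE objects found under `meta` in snapshot and timestamp metadata. It treats `length` and `hashes` as optional, as the TUF specification does, and verifies them only when they are present; a `strict` flag models a client that insists on both and therefore rejects metadata like the root-signing-staging snapshot described above. The snapshot document and the file bytes it refers to are constructed for this example.

```python
"""Added example: parsing TUF METAFILE entries with optional length/hashes.

Not code from sigstore-rs, awslabs/tough or tuf-on-ci. A METAFILE (the value
under "meta" in snapshot.json / timestamp.json) must carry "version"; the TUF
specification makes "length" and "hashes" optional. A spec-following client
verifies them when present and skips the check when absent.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class MetaFile:
    version: int
    length: Optional[int] = None                           # None when the repository omitted it
    hashes: Dict[str, str] = field(default_factory=dict)  # {} when omitted


def parse_metafile(obj: dict, strict: bool = False) -> MetaFile:
    """Parse one METAFILE object.

    strict=False follows the specification: only "version" is required.
    strict=True models a client that refuses metadata without both
    "length" and "hashes" (the behaviour the issue describes).
    """
    version = obj.get("version")
    if not isinstance(version, int) or version < 1:
        raise ValueError("METAFILE needs a positive integer 'version'")
    length = obj.get("length")
    hashes = obj.get("hashes") or {}
    if strict and (length is None or not hashes):
        raise ValueError("strict client: 'length' and 'hashes' are required")
    if length is not None and (not isinstance(length, int) or length < 0):
        raise ValueError("'length' must be a non-negative integer")
    if not isinstance(hashes, dict):
        raise ValueError("'hashes' must map algorithm name -> hex digest")
    return MetaFile(version=version, length=length, hashes=dict(hashes))


def load_snapshot_meta(snapshot_json: str, strict: bool = False) -> Dict[str, MetaFile]:
    """Return the METAFILE entries of a snapshot document keyed by filename."""
    signed = json.loads(snapshot_json)["signed"]
    return {name: parse_metafile(m, strict) for name, m in signed["meta"].items()}


def verify_metafile(meta: MetaFile, data: bytes) -> bool:
    """Check fetched metadata bytes against whatever the METAFILE carries.

    A missing length or hash set means there is nothing to check on that
    axis; the fetched metadata's own signatures must still be verified
    afterwards, which is where TUF's actual guarantee comes from.
    """
    if meta.length is not None and len(data) != meta.length:
        return False
    for alg, expected in meta.hashes.items():
        digest = hashlib.new(alg, data).hexdigest()  # e.g. "sha256", "sha512"
        if digest != expected:
            return False
    return True


# --- constructed sample data (not real root-signing metadata) ---------------
LEGACY_BYTES = b"constructed legacy.json bytes"
SNAPSHOT_JSON = json.dumps({
    "signed": {
        "_type": "snapshot",
        "version": 3,
        "meta": {
            # spec-minimal entry, as produced by a repository that omits the optional fields
            "targets.json": {"version": 5},
            # entry carrying the optional fields, computed from LEGACY_BYTES above
            "legacy.json": {
                "version": 2,
                "length": len(LEGACY_BYTES),
                "hashes": {"sha256": hashlib.sha256(LEGACY_BYTES).hexdigest()},
            },
        },
    }
})

if __name__ == "__main__":
    metas = load_snapshot_meta(SNAPSHOT_JSON)
    print("spec-following client:", {n: m.version for n, m in metas.items()})
    try:
        load_snapshot_meta(SNAPSHOT_JSON, strict=True)
    except ValueError as e:
        print("strict client rejects the same snapshot:", e)
```

Run as a script, the lenient parser accepts both entries while the strict one rejects the whole snapshot on `targets.json`, which is exactly the failure mode a client like awslabs/tough hits against metadata that omits the optional fields.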
@tnytown
Contributor

tnytown commented Jun 17, 2024

@flavio any ideas on what path we should take going forward? This change is imminent and will break sigstore-rs' TUF code.

@tnytown
Contributor

tnytown commented Jun 24, 2024

I made an attempt at switching to rust-tuf and encountered a different issue: theupdateframework/rust-tuf#408

Trail of Bits is out of time on sigstore-rs, so I won't be taking this on in the short term.

@flavio
Member

flavio commented Jun 28, 2024

Sorry, I was swamped during the last weeks. I'm going to look into that.

@flavio
Member

flavio commented Jun 28, 2024

@jku I've run into the keyid issue you reported. Please ping me once the staging repo is fixed 🙏

Thanks again for this heads up!

@jku
Member Author

jku commented Aug 20, 2024

This wasn't updated since June so it's clearly time:

  • the keyid issue was fixed in root-signing-staging in July
  • there is still an upcoming compatibility issue with root-signing

@flavio
Member

flavio commented Sep 17, 2024

We can close it, sigstore-rs 0.10.0 has all the fixes we need 🥳

@flavio flavio closed this as completed Sep 17, 2024