python-tuf icon indicating copy to clipboard operation
python-tuf copied to clipboard

Published 20 hours ago verified publisher icon theupdateframework

compatibility: sigstore metadata expiry is incompatible

Open jku opened this issue 3 years ago • 2 comments
trafficstars

https://github.com/sigstore/root-signing/blob/main/repository/repository/1.root.json

  • expiry contains microseconds
  • expiry contains a timezone offset

we don't consider this spec compliant and currently fail to load this metadata. Should file a bug on go-tuf I suppose?

In addition to this securesystemslib fails to load the ecdsa keys they use: #1859.

jku avatar Feb 11 '22 17:02 jku

cc @rdimitrov

jku avatar Feb 11 '22 17:02 jku

There's some discussion about this in a go-tuf issue https://github.com/theupdateframework/go-tuf/issues/136

joshuagl avatar Feb 12 '22 17:02 joshuagl

:pray: current sigstore metadata works with python-tuf-ngclient ( boostrap from 5.root.json only). Thanks Asra and others who worked on this!

Now would be a good time to start working on a compliance test suite...

jku avatar Oct 31 '22 08:10 jku