
future root-signing metadata may not be compatible with current sigstore-rs

Open jku opened this issue 1 year ago • 2 comments

This is something that came up during staging testing: sigstore-rs is not compatible with root-signing-staging, and will not be compatible with root-signing if we proceed with #929 without changes.

  • Current root-signing metadata contains metadata hashes and lengths, but tuf-on-ci produces metadata that does not contain them
  • both variants are spec compliant
  • awslabs/tough used by sigstore-rs does not currently support the tuf-on-ci produced metadata
  • sigstore-rs is experimental and does not have releases, so it was not included in the root-signing staging test matrix, and the issue was not noticed earlier
  • there is a related compatibility problem with keyids: this is not an issue in root-signing and will be fixed in root-signing-staging

I'm filing this so we can decide whether this is a blocker for #929 or not. I would suggest it's not a blocker:

  • the tuf-on-ci metadata is compliant wrt hashes and lengths
  • adding support for this in the client (awslabs/tough) should not be a major issue

That said, tuf-on-ci could start embedding hashes and lengths if that is really needed.

Related sigstore-rs issue https://github.com/sigstore/sigstore-rs/issues/369

jku avatar May 31 '24 15:05 jku
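To make the compatibility point concrete: the following is an added example (not code from sigstore-rs, tough or tuf-on-ci) that contrasts a client which assumes `hashes` and `length` are always present in a snapshot `meta` entry with one that follows the TUF spec and treats them as optional. The metadata bytes and entries are constructed; signature checking is out of scope here.

```python
import hashlib
import json

# Constructed sample: a minimal targets.json as bytes (signatures left empty;
# signature verification is out of scope for this example).
TARGETS_BYTES = b'{"signed": {"_type": "targets", "version": 3}, "signatures": []}'

# Two constructed snapshot "meta" entries for targets.json. The first is the
# current root-signing style (hashes and length embedded); the second is what
# tuf-on-ci produces (version only). Both are valid under the TUF specification.
META_WITH_HASHES = {
    "version": 3,
    "length": len(TARGETS_BYTES),
    "hashes": {"sha256": hashlib.sha256(TARGETS_BYTES).hexdigest()},
}
META_VERSION_ONLY = {"version": 3}


def strict_check(meta: dict, data: bytes) -> bool:
    """A client that assumes hashes and length are always present: it works
    for META_WITH_HASHES but raises KeyError for META_VERSION_ONLY."""
    if len(data) != meta["length"]:
        return False
    if hashlib.sha256(data).hexdigest() != meta["hashes"]["sha256"]:
        return False
    return json.loads(data)["signed"]["version"] == meta["version"]


def spec_check(meta: dict, data: bytes, max_length: int = 5_000_000) -> bool:
    """Spec-compliant check: length and hashes are verified only when the
    snapshot entry carries them; the version check is always performed.
    Without a length, the download is bounded by a client-side maximum."""
    if "length" in meta:
        if len(data) != meta["length"]:
            return False
    elif len(data) > max_length:
        return False
    for alg, expected in meta.get("hashes", {}).items():
        if hashlib.new(alg, data).hexdigest() != expected:
            return False
    # The version in the fetched file must match what snapshot declares.
    return json.loads(data)["signed"]["version"] == meta["version"]
```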

Do you know if https://github.com/theupdateframework/rust-tuf would be compatible or is maintained more actively?

haydentherapper avatar May 31 '24 16:05 haydentherapper

IIRC they don't have a CLI, so testing would be a bit more work (this specific part of the spec seems to be supported, but that doesn't mean much).

jku avatar May 31 '24 18:05 jku

  • I believe the upstream PR fixing the blocker has been merged in awslabs/tough: https://github.com/awslabs/tough/pull/778
  • awslabs/tough release, update in sigstore-rs and a sigstore-rs release would still be needed
  • we still don't have an automated test for sigstore-rs in root-signing (-staging) so it's not 100% confirmed that sigstore-rs is then compatible... but one would be welcome in https://github.com/sigstore/root-signing-staging/blob/main/.github/workflows/custom-test.yml

jku avatar Aug 13 '24 07:08 jku

The metadata in question is now published.

jku avatar Sep 03 '24 16:09 jku

For the record, awslabs/tough has released... but now there is a hairy dependency deadlock that still prevents sigstore-rs from using the new release.

jku avatar Sep 05 '24 13:09 jku

I believe this has been fixed with the latest sigstore-rs release.

jku avatar Sep 20 '24 10:09 jku