sigstore-rs
TUF: Target naming for usage
Description
In the next root-signing, we'll be migrating targets for fulcio under a fulcio subdirectory, and rekor under a rekor subdirectory (and keeping old targets for compatibility before we remove them).
This change was due to the fact that we had created delegations that were allowed to sign off on any path, but we actually only intend on certain delegations to add/update targets for a certain usage type (e.g. a delegation managing rekor rotations should only sign on the rekor/** space).
When we do this, fulcio targets will now be found on fulcio/* and rekor targets will be found on rekor/*. This may simplify some of the expressions for target matching SIGSTORE_FULCIO_CERT_TARGET_REGEX and SIGSTORE_REKOR_PUB_KEY_TARGET, since now their regexes are simply fulcio/* or rekor/*. Old clients may continue to use this for a few months, given that we will continue supporting the top-level targets at their given paths, but we'd like clients to start moving towards retrieving fulcio certs by retrieving all targets under fulcio/*.
A few questions:
- Does this `targets()` func retrieve delegated targets? Or just top-level targets? One way to find out is if you find a `revocation.list` returned in the current root. That is a delegated target not listed in the top-level targets.
- When we totally remove the top-level original paths (`rekor.pub` and `fulcio*.crt.pem`) in favor of nesting them under subdirectories, will you need to continue to support old clients?
tagging @flavio who worked on the TUF patches.
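To make the target-layout change above concrete, here is an added example (not sigstore-rs code and not part of this issue) of how a client could select Fulcio and Rekor targets by their new per-usage subdirectory, fall back to the legacy top-level names while those are still served, and check that a delegation scoped to `rekor/**` cannot introduce a target outside that prefix. The glob rules (`*` matches within one path segment, `**` spans segments) and the target listing are assumptions constructed for the example; real TUF clients apply their own path-matching semantics.

```rust
// Added example, not sigstore-rs code. Demonstrates usage-scoped target
// selection (fulcio/*, rekor/*) with a legacy fallback, and a delegation
// path-scope check. Glob semantics below are a simplifying assumption.

/// Match a TUF target path against a simplified glob pattern.
/// Assumption: `*` matches within a single segment, `**` matches any
/// number of whole segments.
pub fn path_matches(pattern: &str, target: &str) -> bool {
    fn go(pat: &[&str], tgt: &[&str]) -> bool {
        match (pat.first(), tgt.first()) {
            (None, None) => true,
            // `**` consumes zero or more segments
            (Some(&"**"), _) => go(&pat[1..], tgt) || (!tgt.is_empty() && go(pat, &tgt[1..])),
            (Some(p), Some(t)) => segment_matches(p, t) && go(&pat[1..], &tgt[1..]),
            _ => false,
        }
    }
    let p: Vec<&str> = pattern.split('/').collect();
    let t: Vec<&str> = target.split('/').collect();
    go(&p, &t)
}

/// Single-segment glob: `*` matches any run of characters, never a '/'.
fn segment_matches(pat: &str, seg: &str) -> bool {
    fn go(p: &[char], s: &[char]) -> bool {
        match (p.first(), s.first()) {
            (None, None) => true,
            (Some('*'), _) => go(&p[1..], s) || (!s.is_empty() && go(p, &s[1..])),
            (Some(a), Some(b)) => a == b && go(&p[1..], &s[1..]),
            _ => false,
        }
    }
    let p: Vec<char> = pat.chars().collect();
    let s: Vec<char> = seg.chars().collect();
    go(&p, &s)
}

/// Prefer everything under `fulcio/`; fall back to the legacy top-level
/// `fulcio*.crt.pem` names only while no nested targets exist.
pub fn select_fulcio_targets<'a>(targets: &[&'a str]) -> Vec<&'a str> {
    let nested: Vec<&str> = targets.iter().copied().filter(|t| path_matches("fulcio/*", t)).collect();
    if !nested.is_empty() {
        return nested;
    }
    targets.iter().copied().filter(|t| path_matches("fulcio*.crt.pem", t)).collect()
}

/// Same policy for Rekor: `rekor/*` first, legacy `rekor.pub` as fallback.
pub fn select_rekor_targets<'a>(targets: &[&'a str]) -> Vec<&'a str> {
    let nested: Vec<&str> = targets.iter().copied().filter(|t| path_matches("rekor/*", t)).collect();
    if !nested.is_empty() {
        return nested;
    }
    targets.iter().copied().filter(|t| path_matches("rekor.pub", t)).collect()
}

/// A delegation may only add or update targets inside its allowed paths;
/// a rekor-rotation delegation scoped to `rekor/**` must not touch fulcio/.
pub fn delegation_may_sign(allowed_paths: &[&str], target: &str) -> bool {
    allowed_paths.iter().any(|p| path_matches(p, target))
}

fn main() {
    // Constructed sample listing mixing legacy top-level and nested targets.
    let targets = [
        "rekor.pub",
        "fulcio.crt.pem",
        "fulcio_v1.crt.pem",
        "fulcio/fulcio_v1.crt.pem",
        "rekor/rekor.pub",
        "revocation.list",
    ];
    println!("fulcio targets: {:?}", select_fulcio_targets(&targets));
    println!("rekor targets:  {:?}", select_rekor_targets(&targets));
    println!(
        "rekor delegation may sign fulcio/fulcio_v1.crt.pem? {}",
        delegation_may_sign(&["rekor/**"], "fulcio/fulcio_v1.crt.pem")
    );
}
```

The fallback branch is what keeps an older trust root usable during the migration window described above; once the top-level names are removed it simply returns nothing, which is a clearer failure than silently matching the wrong file.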
@asraa sorry for the late reply, this got buried into my notifications and then I forgot about it :pray:
Has this change taken place? I've downloaded the TUF repository using tuftool (which is based on the same set of Rust libraries we use to interact with TUF) and I didn't find any directory inside of it. I found exactly what is being described here under the targets section of the README.
To address your questions:
> Does this `targets()` func retrieve delegated targets? Or just top-level targets? One way to find out is if you find a `revocation.list` returned in the current root. That is a delegated target not listed in the top-level targets.
In theory it should handle also the delegated target, however I see only the contents of the README I linked above.
Reminder: I'm not a TUF expert, I might be missing something obvious
> When we totally remove the top-level original paths (`rekor.pub` and `fulcio*.crt.pem`) in favor of nesting them under subdirectories, will you need to continue to support old clients?
I think we won't need to do that.