
compatibility issue with root-signing TUF metadata

Open jku opened this issue 1 year ago • 4 comments

@tnytown found some compatibility issues with root-signing-staging during https://github.com/sigstore/sigstore-rs/pull/354:

  1. keyids were accidentally non-compliant: this concerns root-signing-staging only and will be fixed there, hopefully next week (sigstore-rs needs to initialize with the fixed root.json at that point, sorry about that)
  2. it turns out that awslabs/tough does not support METAFILEs without hashes and length in TUF metadata: they are optional in the specification. Current root-signing-staging metadata does not include these optional items but because awslabs/tough requires them sigstore-rs will not work with root-signing-staging even after the previous issue is fixed

This issue is about the second item above. Some more context:

  • I maintain tuf-on-ci, the tool that is used to produce the root-signing-staging repository
  • The plan is to start maintaining the production root-signing repo with the same tool: this means sigstore-rs will have the same issue with production infra soon
  • I was not planning on including hashes and length in the metadata in the future but I am willing to discuss...
  • I imagine adding support for optional hashes and length into awslabs/tough client is not an unreasonable amount of work

jku · May 31 '24 15:05

@flavio any ideas on what path we should take going forward? This change is imminent and will break sigstore-rs' TUF code.

tnytown · Jun 17 '24 19:06

I made an attempt at switching to rust-tuf and encountered a different issue: https://github.com/theupdateframework/rust-tuf/issues/408

Trail of Bits is out of time on sigstore-rs, so I won't be taking this on in the short term.

tnytown · Jun 24 '24 19:06

Sorry, I was swamped during the last weeks. I'm going to look into that.

flavio · Jun 28 '24 15:06

@jku I've run into the keyid issue you reported. Please ping me once the staging repo is fixed :pray:

Thanks again for this heads up!

flavio · Jun 28 '24 16:06

This wasn't updated since June so it's clearly time:

  • the keyid issue was fixed in root-signing-staging in July
  • there is still an upcoming compatibility issue with root-signing
    • https://github.com/sigstore/root-signing/issues/1320 will be the signing event that introduces the incompatible change in root-signing, plan is to try that next week
    • Fix has been merged in awslabs/tough but they have not released since then

jku · Aug 20 '24 15:08

We can close it, sigstore-rs 0.10.0 has all the fixes we need :partying_face:

flavio · Sep 17 '24 10:09