specification icon indicating copy to clipboard operation
specification copied to clipboard

Published 20 hours ago verified publisher icon theupdateframework

FileMeta verification guidance with client store representations

Open asraa opened this issue 1 year ago • 2 comments

https://github.com/sigstore/root-signing/pull/376#discussion_r971886294 @kommendorkapten brought up this issue during a change where we used to serve canonicalized repository metadata, and just now switched to normal encoding/json. This technically changes the bytes that are used to calculate the FileMeta checksum and lengths, for example, used in the timestamp.json file for pinning the snapshot.

If clients write metadata to their trusted store in canonicalized form, or in some other representation other than the bytes that were directly received from the repository, then the checksums of their stored metadata no longer match the ones in the trusted FileMeta.

This is particularly important if we have a shared cache that multiple TUF client implementations share: if one writes as canonicalized bytes, and the other in the direct bytes received, then one client will fail depending on the way that the repository wrote the FileMeta.

Should clients ALWAYS write metadata to their trusted store in the exact form that was received from the remote? Should FileMeta ALWAYS be generated from the canonicalized bytes that were signed?

asraa avatar Sep 15 '22 15:09 asraa

Should clients ALWAYS write metadata to their trusted store in the exact form that was received from the remote? Should FileMeta ALWAYS be generated from the canonicalized bytes that were signed?

Seems like a reasonable (albeit slightly expensive) workaround for now. Does anyone else have better ideas?

trishankatdatadog avatar Sep 22 '22 04:09 trishankatdatadog

Should clients ALWAYS write metadata to their trusted store in the exact form that was received from the remote? Should FileMeta ALWAYS be generated from the canonicalized bytes that were signed?

It's either one or the other, right? If the repo creates FileMeta from the exact metadata bytes it serves, and the client uses exactly those bytes to compute the hash, then no canonicalization is needed. I think this is how the spec pictures it.

Using a canonical form of the full(!) metadata (not only the signed bytes like) would be an alternative, if above is not possible.

Another alternative would be to generate FileMeta without hashes as described in Mercury.

lukpueh avatar Oct 03 '22 09:10 lukpueh