Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

root-signing metadata is incompatible with current sigstore-rs #1251

Closed
jku opened this issue May 31, 2024 · 6 comments
Closed

root-signing metadata is incompatible with current sigstore-rs #1251

jku opened this issue May 31, 2024 · 6 comments
Labels
enhancement New feature or request

Comments

@jku
Copy link
Member

jku commented May 31, 2024

This is something that came up during staging testing: sigstore-rs is not compatible with root-signing-staging, and will not be compatible with root-signing if we proceed with #929 without changes.

  • Current root-signing metadata contains metadata hashes and lengths, but tuf-on-ci produces metadata that does not contain them
  • both variants are spec compliant
  • awslabs/tough used by sigstore-rs does not currently support the tuf-on-ci produced metadata
  • sigstore-rs is experimental and does not have releases so was not included in the root-signing staging test matrix so the issue was not noticed earlier
  • there is a related compatibility problem with keyids: this is not an issue in root-signing and will be fixed in root-signing-staging

I'm filing this so we can decide whether this is a blocker for #929 or not. I would suggest it's not a blocker:

  • the tuf-on-ci metadata is compliant wrt hashes and lengths
  • adding support for this in the client (awslabs/tough) should not be a major issue

That said, tuf-on-ci could start embedding hashes and lengths if that is really needed.

Related sigstore-rs issue sigstore/sigstore-rs#369
@jku jku added the enhancement New feature or request label May 31, 2024
@haydentherapper
Copy link
Contributor

Do you know if https://github.com/theupdateframework/rust-tuf would be compatible or is maintained more actively?

@jku
Copy link
Member Author

jku commented May 31, 2024

IIRC they don't have a CLI so testing would be a bit more work (this specific part of the spec seems to be supported but that doesn't mean much)

@jku jku mentioned this issue Aug 12, 2024
Closed
17 tasks
@jku
Copy link
Member Author

jku commented Aug 13, 2024
edited
Loading

@jku jku mentioned this issue Sep 3, 2024
Merged
@jku jku changed the title future root-signing metadata may not be compatible with current sigstore-rs root-signing metadata is compatible with current sigstore-rs Sep 3, 2024
@jku
Copy link
Member Author

jku commented Sep 3, 2024

the metadata in question is now published

@jku jku changed the title root-signing metadata is compatible with current sigstore-rs root-signing metadata is incompatible with current sigstore-rs Sep 3, 2024
@jku
Copy link
Member Author

jku commented Sep 5, 2024

for the record awslabs/tough has released... but now there is a hairy dependency deadlock that still prevents sigstore-rs from using the new release.

@jku jku mentioned this issue Sep 7, 2024
Closed
@jku
Copy link
Member Author

jku commented Sep 20, 2024

I believe this has been fixed with the latest sigstore-rs release

@jku jku closed this as completed Sep 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jku @haydentherapper