Closed. carolynvs closed this 3 years ago.
Interesting! Let's discuss at the CNAB Security meeting this week please...
I've added it to Wednesday's agenda.
FYI, the expiration error is now fixed by #91.
Happy to chat about this at the next meeting, but as long as all CNAB tooling has the same serialization rules, it should not affect how we sign and verify bundles, although keep in mind this is a breaking change, i.e. the same bundle could get a different content digest and invalidate the signature.
@trishankatdatadog @radu-matei I've rebased to pick up the fix from main and made the linter happy.
Per CNAB Spec cnabio/cnab-spec#414, we want to support numbers in our canonical json representation.
The library we are currently using, github.com/docker/go/json, does not support this. So I am migrating us to the library mentioned in the spec as being compliant. This is the same library used by cnab-go in https://github.com/cnabio/cnab-go/pull/247.
I was not able to completely remove the import of the old library because TUF uses its RawMessage struct, which is a very simple wrapper around a byte array.
If we are interested we can try to get TUF to use an interface instead of a hard-coded struct type so that we can drop the dependency on the other canonical json library.
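To make the two points raised in this thread concrete (that a canonical serialization has to handle numbers, and that changing the serialization rules is a breaking change for existing signatures), here is a small Go example. It is added for illustration and is not code from this PR, from cnab-go, or from either canonical JSON library named above. It implements a toy canonicalizer (byte-wise sorted keys, no insignificant whitespace, integers in shortest decimal form, strings escaped as `encoding/json` does) and a `Rules` switch whose `QuoteNumbers` setting is a constructed stand-in for "a second set of serialization rules", not the behaviour of any real library. The sample bundle is constructed and only borrows the `schemaVersion` field name from CNAB.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Rules stands in for a canonical-serialization rule set (constructed for this example).
type Rules struct{ QuoteNumbers bool } // true renders the integer 3 as "3"; false renders it bare

// Canonicalize re-emits raw JSON with sorted keys, no whitespace and shortest-form integers.
func Canonicalize(raw []byte, r Rules) (string, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.UseNumber() // keep the number literal instead of converting to float64
	var v interface{}
	if err := dec.Decode(&v); err != nil {
		return "", err
	}
	return canon(v, r)
}

func canon(v interface{}, r Rules) (string, error) {
	switch t := v.(type) {
	case nil, bool:
		b, _ := json.Marshal(t) // "null", "true" or "false"
		return string(b), nil
	case string:
		return jsonString(t), nil
	case json.Number:
		i, err := strconv.ParseInt(string(t), 10, 64)
		if err != nil { // this toy accepts integers only
			return "", fmt.Errorf("non-integer number %q not supported", t)
		}
		s := strconv.FormatInt(i, 10)
		if r.QuoteNumbers {
			s = jsonString(s)
		}
		return s, nil
	case []interface{}:
		parts := make([]string, 0, len(t))
		for _, e := range t {
			s, err := canon(e, r)
			if err != nil {
				return "", err
			}
			parts = append(parts, s)
		}
		return "[" + strings.Join(parts, ",") + "]", nil
	case map[string]interface{}:
		keys := make([]string, 0, len(t))
		for k := range t {
			keys = append(keys, k)
		}
		sort.Strings(keys) // output no longer depends on the input's key order
		parts := make([]string, 0, len(t))
		for _, k := range keys {
			s, err := canon(t[k], r)
			if err != nil {
				return "", err
			}
			parts = append(parts, jsonString(k)+":"+s)
		}
		return "{" + strings.Join(parts, ",") + "}", nil
	}
	return "", fmt.Errorf("unsupported JSON value %T", v)
}

func jsonString(s string) string {
	b, _ := json.Marshal(s) // marshalling a string never fails
	return string(b)
}

// Digest is the hex SHA-256 over the canonical bytes, i.e. what a signature would cover.
func Digest(raw []byte, r Rules) (string, error) {
	c, err := Canonicalize(raw, r)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256([]byte(c))
	return hex.EncodeToString(sum[:]), nil
}

// Constructed sample bundle, written twice with different key order and whitespace.
var bundleA = []byte(`{"schemaVersion":"v1.0.0","name":"demo","replicas":3,"tags":["x","y"]}`)
var bundleB = []byte("{\n  \"tags\": [\"x\", \"y\"],\n  \"name\": \"demo\",\n  \"replicas\": 3,\n  \"schemaVersion\": \"v1.0.0\"\n}")

func main() {
	dA, _ := Digest(bundleA, Rules{})
	dB, _ := Digest(bundleB, Rules{})
	dQ, _ := Digest(bundleA, Rules{QuoteNumbers: true})
	fmt.Println(dA == dB, dA == dQ) // true false: same rules agree, a changed number rule does not
}
```

Running `main` prints `true false`: the two textually different copies of the bundle collapse to the same canonical bytes and therefore the same digest, while the same bundle under a different number rule produces a different digest. A signature computed by tooling using one rule set would fail verification in tooling using the other, which is exactly why every CNAB implementation has to agree on the serialization before signatures are exchanged.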