The Online Key is used for signing the Targets, Snapshot, Timestamp, and the Target Delegated Roles (succinct roles bins-<id>.json).
The bug occurs when the Online Key is updated, generating an inconsistency while the TUF client tries to download a Target File (artifact).
After an investigation, the root cause of the bug is that we bump the high-level Target roles but don't update the keys, in this case, the Online Key in the Target Metadata (targets.signed.delegations.keys and targets.signed.delegations.succinct_roles.keyids).
The below test shows the failure and the inconsistency.
I modified our Functional Tests for Metadata Update to rotate the online key.
INFO tests.functional.metadata.test_update:test_update.py:22 Adding artifacts
INFO tests.functional.metadata.test_update:test_update.py:45 Added task_id: d213ca176460459aa0a2c58f32858d1e
INFO tests.functional.metadata.test_update:test_update.py:22 Adding artifacts
INFO tests.functional.metadata.test_update:test_update.py:45 Added task_id: 4c974c106e054d758bae664749b6923b
INFO tests.functional.metadata.test_update:test_update.py:22 Adding artifacts
INFO tests.functional.metadata.test_update:test_update.py:45 Added task_id: f2050b62642d4be8aeb75b755ae83405
INFO tests.functional.metadata.test_update:test_update.py:22 Adding artifacts
INFO tests.functional.metadata.test_update:test_update.py:45 Added task_id: d3a171d70e7f4d53a1155ab3afc9a902
INFO tests.functional.metadata.test_update:test_update.py:90 [METADATA UPDATE] Submiting Root Metadata Update
INFO tests.functional.metadata.test_update:test_update.py:116 [METADATA UPDATE] Metadata Updated by 32ceccb5382e4010a96dda9abad4b383
INFO tests.functional.metadata.test_update:test_update.py:22 Adding artifacts
INFO tests.functional.metadata.test_update:test_update.py:45 Added task_id: 7330cc86307c4f64a87ee7b643363185
INFO tests.functional.metadata.test_update:test_update.py:146 [METADATA UPDATE] {"data":{"task_id":"32ceccb5382e4010a96dda9abad4b383","state":"SUCCESS","result":{"message":"Metadata Update Processed","status":true,"task":"metadata_update","last_update":"2024-04-17T12:05:33.071964Z","details":{"role":"root"}}},"message":"Task state."}
INFO tests.functional.metadata.test_update:test_update.py:153 [METADATA UPDATE] Update Metadata to 2.root.json finished
INFO tests.functional.metadata.test_update:test_update.py:22 Adding artifacts
INFO tests.functional.metadata.test_update:test_update.py:45 Added task_id: 467cd789f552414ca21734de9702dd99
INFO tests.functional.metadata.test_update:test_update.py:22 Adding artifacts
INFO tests.functional.metadata.test_update:test_update.py:45 Added task_id: ac1a7ee237844acfbe861975fae02e9e
INFO tests.functional.metadata.test_update:test_update.py:22 Adding artifacts
INFO tests.functional.metadata.test_update:test_update.py:45 Added task_id: bb7aff18b7a14d6a9243664bd3b5e39e
INFO tests.functional.metadata.test_update:test_update.py:22 Adding artifacts
INFO tests.functional.metadata.test_update:test_update.py:45 Added task_id: 68a28dcbd4e94dc184d3e3d4440348d8
INFO tests.functional.metadata.test_update:test_update.py:175 [METADATA UPDATE] Metadata Update available (2.root.json)
INFO tests.functional.metadata.test_update:test_update.py:49 Stop adding artifacts. Total requests: 9
INFO tests.functional.metadata.test_update:test_update.py:188 Task 1/9 finshed!
INFO tests.functional.metadata.test_update:test_update.py:188 Task 2/9 finshed!
INFO tests.functional.metadata.test_update:test_update.py:188 Task 3/9 finshed!
INFO tests.functional.metadata.test_update:test_update.py:188 Task 4/9 finshed!
INFO tests.functional.metadata.test_update:test_update.py:188 Task 5/9 finshed!
INFO tests.functional.metadata.test_update:test_update.py:188 Task 6/9 finshed!
INFO tests.functional.metadata.test_update:test_update.py:188 Task 7/9 finshed!
INFO tests.functional.metadata.test_update:test_update.py:188 Task 8/9 finshed!
INFO tests.functional.metadata.test_update:test_update.py:188 Task 9/9 finshed!
INFO tests.functional.metadata.test_update:test_update.py:195 Verifying test/condescending_golick-0.tar.gz
============================================================================= warnings summary ==============================================================================
tests/functional/metadata/test_update.py::test_updating_root_metadata_full_signed
tests/functional/metadata/test_update.py::test_updating_root_metadata_full_signed
tests/functional/metadata/test_update.py::test_updating_root_metadata_full_signed
/usr/local/lib/python3.10/site-packages/pytest_bdd/compat.py:46: PytestDeprecationWarning: A private pytest class or function was used.
fd = FixtureDef(
tests/functional/metadata/test_update.py::test_updating_root_metadata_full_signed
tests/functional/metadata/test_update.py::test_updating_root_metadata_full_signed
tests/functional/metadata/test_update.py::test_updating_root_metadata_full_signed
/usr/local/lib/python3.10/site-packages/pytest_html/basereport.py:356: DeprecationWarning: The 'py' module is deprecated and support will be removed in a future release.
warnings.warn(
-- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
---------------------------------------------------- generated json file: /rstuf-runner/rstuf-umbrella/test-report.json -----------------------------------------------------
============================================================================= slowest durations =============================================================================
16.34s call tests/functional/metadata/test_update.py::test_updating_root_metadata_full_signed
------------------------------------------------ Generated html report: file:///rstuf-runner/rstuf-umbrella/test-report.html ------------------------------------------------
========================================================================== short test summary info ==========================================================================
FAILED tests/functional/metadata/test_update.py::test_updating_root_metadata_full_signed - tuf.api.exceptions.UnsignedMetadataError: bins-1 was signed by 0/1 keys
====================================================================== 1 failed, 6 warnings in 16.42s =======================================================================
Below, I added a simple fix that shows the consistency.
What happened?
Credit for the bug: @matglas
Note: Another bug was identified during the investigation.
https://github.com/repository-service-tuf/repository-service-tuf-worker/blob/70f548f951850f84a4e0677ad87483494533b65f/repository_service_tuf_worker/repository.py#L1304-L1311
What steps did you take?
rstuf admin ceremony
rstuf admin metadata update
What behavior did you expect?
Update the Online Key without breaking the TUF Metadata consistency for the TUF clients.
Include a Functional Test to avoid regression
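An added example, not part of the original issue and not the project's code: a consistency check for the drift described above, comparing the online key id that root authorizes with targets.signed.delegations.keys and targets.signed.delegations.succinct_roles.keyids, and reproducing the "signed by 0/1 keys" count. The key ids and metadata are constructed placeholders, and the example assumes the online key id can be read from root's timestamp role and that bins-1 was signed with the new key; it matches key ids only and does no cryptographic verification.

```python
# Added example: detect stale online-key ids in targets delegations.
OLD, NEW = "keyid-old-online", "keyid-new-online"  # constructed placeholder key ids


def online_keyids(root):
    # Assumption: the online key is the one root lists for the timestamp role.
    return set(root["signed"]["roles"]["timestamp"]["keyids"])


def delegation_drift(root, targets):
    """List where targets' delegations disagree with root's online key."""
    online = online_keyids(root)
    delegations = targets["signed"].get("delegations") or {}
    succinct = delegations.get("succinct_roles") or {}
    listed = set(succinct.get("keyids", []))
    problems = []
    for keyid in sorted(online - set(delegations.get("keys", {}))):
        problems.append(f"delegations.keys lacks {keyid}")
    for keyid in sorted(online - listed):
        problems.append(f"succinct_roles.keyids lacks {keyid}")
    for keyid in sorted(listed - online):
        problems.append(f"succinct_roles.keyids still lists {keyid}")
    return problems


def authorized_signatures(targets, bin_md):
    """Return (count, threshold) of bin signatures the delegation authorizes.

    Key-id matching only; a real client also verifies each signature.
    """
    delegations = targets["signed"]["delegations"]
    succinct = delegations["succinct_roles"]
    allowed = set(succinct["keyids"]) & set(delegations["keys"])
    signed_by = {s["keyid"] for s in bin_md["signatures"]} & allowed
    return len(signed_by), succinct["threshold"]


def make_targets(keyid):
    # Constructed targets metadata delegating the bins to a single key id.
    return {"signed": {"delegations": {
        "keys": {keyid: {"keytype": "ed25519"}},
        "succinct_roles": {"keyids": [keyid], "threshold": 1,
                           "bit_length": 1, "name_prefix": "bins"}}}}


# Constructed state after rotation: root and bins-1 use NEW, targets lists OLD.
root_v2 = {"signed": {"roles": {"timestamp": {"keyids": [NEW], "threshold": 1}}}}
bins_1 = {"signatures": [{"keyid": NEW, "sig": "placeholder"}]}
stale_targets, fixed_targets = make_targets(OLD), make_targets(NEW)
```

Running `delegation_drift` against the published root and targets after each online key rotation flags the stale delegation before a client hits the verification error.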