Closed astoycos closed 6 months ago
After some digging it seems to be an error originating in https://github.dev/awslabs/tough possibly?
Yes, I patched that last week and am waiting for it to be reviewed: https://github.com/awslabs/tough/pull/755
Thanks @kommendorkapten Much appreciated
@kommendorkapten Out of curiosity... we're using the 0.8.0 tag which should have had all the dep versions fixed, how did this manage to break us?
@astoycos the Sigstore TUF root was updated yesterday, where the keytype attribute changed to ecdsa from ecdsa-sha2-nistp256, and as awslabs/tough does not yet support that key type, it could not verify the updated TUF root. I think that's the answer to your question?
And this will continue to fail until awslabs/tough is updated, hope that my PR is accepted so this can be resolved for sigstore-rs.
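A simplified model of the failure described above, as an added example (not code from awslabs/tough or sigstore-rs): it assumes a key whose keytype string the client does not recognize cannot count toward the root's signature threshold. The key ids, the threshold of 2 and the `accept_current` switch are constructed for illustration, and the signature check itself is omitted.

```rust
use std::collections::HashSet;

#[derive(Debug, PartialEq, Clone, Copy)]
enum KeyType { Ecdsa, Ed25519, Rsa }

/// Map a TUF `keytype` string to a known key type. With `accept_current`
/// false, only the older "ecdsa-sha2-nistp256" spelling is recognized for
/// ECDSA keys, modelling a client released before the root changed.
fn parse_keytype(s: &str, accept_current: bool) -> Option<KeyType> {
    match s {
        "ecdsa-sha2-nistp256" => Some(KeyType::Ecdsa),
        "ecdsa" if accept_current => Some(KeyType::Ecdsa),
        "ed25519" => Some(KeyType::Ed25519),
        "rsa" => Some(KeyType::Rsa),
        _ => None, // unknown key type: the key is unusable to this client
    }
}

/// A root is verifiable when at least `threshold` distinct signers hold keys
/// the client can parse (assumption: every listed signature is otherwise valid).
fn root_verifiable(keys: &[(&str, &str)], signed_by: &[&str],
                   threshold: usize, accept_current: bool) -> bool {
    let usable: HashSet<&str> = keys.iter()
        .filter(|(_, kt)| parse_keytype(kt, accept_current).is_some())
        .map(|(id, _)| *id)
        .collect();
    let valid: HashSet<&str> = signed_by.iter().copied()
        .filter(|id| usable.contains(*id))
        .collect();
    valid.len() >= threshold
}

// Constructed sample roots: (key id, keytype). Not Sigstore's real key ids.
const OLD_ROOT: [(&str, &str); 3] = [("k1", "ecdsa-sha2-nistp256"),
    ("k2", "ecdsa-sha2-nistp256"), ("k3", "ecdsa-sha2-nistp256")];
const NEW_ROOT: [(&str, &str); 3] = [("k1", "ecdsa"), ("k2", "ecdsa"), ("k3", "ecdsa")];
const SIGNERS: [&str; 3] = ["k1", "k2", "k3"];

fn main() {
    for (name, root) in [("old root", OLD_ROOT), ("new root", NEW_ROOT)] {
        for accept in [false, true] {
            println!("{}, client knows \"ecdsa\": {} -> verifiable: {}",
                     name, accept, root_verifiable(&root, &SIGNERS, 2, accept));
        }
    }
}
```

Pinning the client crate's version does not prevent this, because the root metadata is fetched at run time and changed independently of the client.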
That makes sense, thanks for explaining :)
This is now addressed with the 0.9.0 release, which is already available on crates.io :partying_face:
Description
This error randomly started popping up today in our CI and I was able to reproduce locally. I tried bumping our sigstore-rs dep up to main to see if that fixed the issue, with no luck. A push in the right direction to fix this would be much appreciated and I'm happy to help out :)
It occurs when pre-fetching tuf data like so
OS INFO: Fedora 38
ERROR:
Version
using sigstore-rs:0.8.0 and sigstore-rs:main