sigstore / sigstore-rs

An experimental Rust crate for sigstore
https://sigstore.github.io/sigstore-rs/sigstore/
Apache License 2.0

compatibility issue with root-signing TUF metadata #369

Closed jku closed 1 week ago

jku commented 4 months ago

@tnytown found some compatibility issues with root-signing-staging during https://github.com/sigstore/sigstore-rs/pull/354:

  1. keyids were accidentally non-compliant: this concerns root-signing-staging only and will be fixed there, hopefully next week (sigstore-rs needs to initialize with the fixed root.json at that point, sorry about that)
  2. it turns out that awslabs/tough does not support METAFILEs without hashes and length in TUF metadata: they are optional in the specification. Current root-signing-staging metadata does not include these optional items but because awslabs/tough requires them sigstore-rs will not work with root-signing-staging even after the previous issue is fixed

This issue is about the second item above. Some more context:
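The optional-field point in item 2, as an added example (not sigstore-rs, tough or root-signing code): a METAFILE check that follows the TUF specification, verifying `length` and `hashes` only when the snapshot entry carries them, beside a `strict` mode that mirrors a client which rejects entries lacking those fields. The metadata and file bytes below are constructed for the demonstration.

```python
import hashlib
import json

# Constructed snapshot "meta" entry in the style of root-signing-staging:
# only the mandatory "version" is present (length/hashes are optional per spec).
META_OPTIONAL = {"targets.json": {"version": 3}}

# Constructed stand-in for the fetched targets.json bytes.
TARGETS_BYTES = b'{"signed": {"_type": "targets", "version": 3}}'

# Constructed entry that also carries the optional length and hashes.
META_FULL = {
    "targets.json": {
        "version": 3,
        "length": len(TARGETS_BYTES),
        "hashes": {"sha256": hashlib.sha256(TARGETS_BYTES).hexdigest()},
    }
}


def check_metafile(entry, content, strict=False):
    """Verify fetched metadata bytes against a snapshot/timestamp METAFILE entry.

    Returns a list of error strings (empty means the file is accepted).
    strict=False: spec behaviour, length/hashes checked only if present.
    strict=True: treat the optional fields as mandatory (tough-like rejection).
    """
    errors = []
    try:
        version = json.loads(content)["signed"]["version"]
    except (ValueError, KeyError, TypeError):
        return ["content is not parseable TUF metadata"]
    if version != entry.get("version"):
        errors.append(f"version mismatch: expected {entry.get('version')}, got {version}")
    if "length" in entry:
        if len(content) != entry["length"]:
            errors.append(f"length mismatch: expected {entry['length']}, got {len(content)}")
    elif strict:
        errors.append("length missing")
    if "hashes" in entry:
        for alg, expected in entry["hashes"].items():
            actual = hashlib.new(alg, content).hexdigest()
            if actual != expected:
                errors.append(f"{alg} mismatch")
    elif strict:
        errors.append("hashes missing")
    return errors
```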

tnytown commented 3 months ago

@flavio any ideas on what path we should take going forward? This change is imminent and will break sigstore-rs' TUF code.

tnytown commented 3 months ago

I made an attempt at switching to rust-tuf and encountered a different issue: https://github.com/theupdateframework/rust-tuf/issues/408

Trail of Bits is out of time on sigstore-rs, so I won't be taking this on in the short term.

flavio commented 3 months ago

Sorry, I was swamped during the last weeks. I'm going to look into that.

flavio commented 3 months ago

@jku I've run into the keyid issue you reported. Please ping me once the staging repo is fixed :pray:

Thanks again for this heads up!

jku commented 1 month ago

This wasn't updated since June so it's clearly time:

flavio commented 1 week ago

We can close it, sigstore-rs 0.10.0 has all the fixes we need :partying_face: