theupdateframework / go-tuf

Go implementation of The Update Framework (TUF)
https://theupdateframework.com
Apache License 2.0

Manual verification of TUF metadata files (e.g. targets.json) #567

Closed codequester closed 8 months ago

codequester commented 10 months ago

I am trying to create a local sigstore stack and followed the instructions in the article (https://blog.sigstore.dev/sigstore-bring-your-own-stuf-with-tuf-40febfd2badd/). While doing so I wanted to clarify the following two things.

  1. Will there be any tlog entries made to the local transparency log (rekor) to audit and monitor the signing of the various role metadata files (e.g. targets.json) by the role-specific keys?

  2. In the targets.json and root.json below, we can see that the targets metadata was signed by the key with a) key id 1c2f6fcbea657294badc41ce77a492f7adb4f6186b75f5a6453adcd05a3fa162, b) whose key value in root.json is "public": "95c39cb7e7ae8af4a60d5e64ed73527169d15cdba9f2973abc048fbfe5c1577a", and c) the signature b6cd8298ca0b33c87e8a36062f3665d4cf0831e3f413902a9d041273cd207e09af48586933fa48ce39f0b9978da53e2a6eedca8c93c4677ef98fd3c5d61a430a in targets.json. How can I verify targets.json manually using the public key value (b) of the signing key (a) and the signature (c), e.g. with an openssl command? Note that in TUF the signature is not computed over the raw file bytes but over the canonical JSON serialization of the `signed` object only (the `signatures` array is excluded), so the `signed` object has to be re-serialized in canonical form before the ed25519 verification; the key value here is a raw 32-byte hex-encoded ed25519 public key, which would also have to be wrapped in a format openssl accepts. A manual check should additionally confirm that the key id is listed under roles.targets.keyids in a trusted root.json (it is here, with threshold 1), that the signed metadata has not expired, and that the hashes and lengths in targets.json match the downloaded target files.

targets.json

{
 "signed": {
  "_type": "targets",
  "spec_version": "1.0",
  "version": 1,
  "expires": "2024-05-10T18:02:44Z",
  "targets": {
   "ctfe.pub": {
    "length": 178,
    "hashes": {
     "sha512": "039bf5d59cb4de0aea5e5e29a02e609e4b695ea50c40f63a1c8244abab8cb76793f9b3158c1e897138ee9b6e7e4099c688d7f1bfdbbf465dc7ea3c88509315e0"
    },
    "custom": {
     "sigstore": {
      "usage": "CTFE",
      "status": "Active",
      "uri": ""
     }
    }
   },
   "fulcio-cert": {
    "length": 790,
    "hashes": {
     "sha512": "0ae32003aa7e31c37049a2298974eb161d322a94f2804fe4f9d022ee4bbbf21577ecedb958e3efdd10b60fea470ee20446d277a662c541411cabf1e3d81a54b0"
    },
    "custom": {
     "sigstore": {
      "usage": "Fulcio",
      "status": "Active",
      "uri": ""
     }
    }
   },
   "rekor-pubkey": {
    "length": 178,
    "hashes": {
     "sha512": "f9eff1be1ca22cd73cc6c3ed526a3eed4e85091c867e1ab994d7c148862f44c6508dde5fcd3a131f288cd6294b9d17548c5c9592322c05135b875e14840272db"
    },
    "custom": {
     "sigstore": {
      "usage": "Rekor",
      "status": "Active",
      "uri": ""
     }
    }
   }
  }
 },
 "signatures": [
  {
   "keyid": "1c2f6fcbea657294badc41ce77a492f7adb4f6186b75f5a6453adcd05a3fa162",
   "sig": "b6cd8298ca0b33c87e8a36062f3665d4cf0831e3f413902a9d041273cd207e09af48586933fa48ce39f0b9978da53e2a6eedca8c93c4677ef98fd3c5d61a430a"
  }
 ]
}

root.json

{
 "signed": {
  "_type": "root",
  "spec_version": "1.0",
  "version": 1,
  "expires": "2024-05-10T18:02:44Z",
  "keys": {
   "1c2f6fcbea657294badc41ce77a492f7adb4f6186b75f5a6453adcd05a3fa162": {
    "keytype": "ed25519",
    "scheme": "ed25519",
    "keyid_hash_algorithms": [
     "sha256",
     "sha512"
    ],
    "keyval": {
     "public": "95c39cb7e7ae8af4a60d5e64ed73527169d15cdba9f2973abc048fbfe5c1577a"
    }
   },
   "7cbdd5e9c11ba11c9fd6f345857e8362654259469e6d43eb48cb9fa5a90aaab0": {
    "keytype": "ed25519",
    "scheme": "ed25519",
    "keyid_hash_algorithms": [
     "sha256",
     "sha512"
    ],
    "keyval": {
     "public": "5aafd0191905a6977417f19012f47fd3aa61ced6e246d03729ded54775d7f577"
    }
   },
   "7d31aba71c7e94aadea38b7f9533026f418df1440dea0b1dd96f21c525ffbf5d": {
    "keytype": "ed25519",
    "scheme": "ed25519",
    "keyid_hash_algorithms": [
     "sha256",
     "sha512"
    ],
    "keyval": {
     "public": "893498040d310a2271a439fc6943be8c43d7b6a95df7861edb3d41e5b2359f67"
    }
   },
   "d0e49c7672cc01cfe554e3e83759ff0ee4494c38268f4baec5e2d7b82809fd05": {
    "keytype": "ed25519",
    "scheme": "ed25519",
    "keyid_hash_algorithms": [
     "sha256",
     "sha512"
    ],
    "keyval": {
     "public": "24b55b793238d62540b221352e416a3b6f0c893a1df28df516565a2f103884d2"
    }
   }
  },
  "roles": {
   "root": {
    "keyids": [
     "7d31aba71c7e94aadea38b7f9533026f418df1440dea0b1dd96f21c525ffbf5d"
    ],
    "threshold": 1
   },
   "snapshot": {
    "keyids": [
     "7cbdd5e9c11ba11c9fd6f345857e8362654259469e6d43eb48cb9fa5a90aaab0"
    ],
    "threshold": 1
   },
   "targets": {
    "keyids": [
     "1c2f6fcbea657294badc41ce77a492f7adb4f6186b75f5a6453adcd05a3fa162"
    ],
    "threshold": 1
   },
   "timestamp": {
    "keyids": [
     "d0e49c7672cc01cfe554e3e83759ff0ee4494c38268f4baec5e2d7b82809fd05"
    ],
    "threshold": 1
   }
  },
  "consistent_snapshot": false
 },
 "signatures": [
  {
   "keyid": "7d31aba71c7e94aadea38b7f9533026f418df1440dea0b1dd96f21c525ffbf5d",
   "sig": "7b3bf33cd837c8ca14edb43a352e0e699b01102747842d79de9ab0e0a92992596330ec3fc1edf937b48eec0b7a488af7dcb499251acfda7d6ea50294debbd60f"
  }
 ]
}
rdimitrov commented 8 months ago

Closing since the code base changed and this is no longer relevant.

Thanks for raising this 👍