search

theupdateframework / go-tuf

Go implementation of The Update Framework (TUF)
https://theupdateframework.com
Apache License 2.0
634 stars 108 forks source link

Failing to rotate timestamp keys: tuf: failed to decode timestamp.json: tuf: valid signatures did not meet threshold #613

Closed wmnnd closed 9 months ago

wmnnd commented 9 months ago

Hey there,

I’m using go-tuf v0.7.0 in a project and have been trying to rotate the timestamp by adding a second key. I’ve done this using the CLI which generated an updated root.json which I have committed to the repository.

The new root.json (which now lives at root.json and 1.root.json in the repo) looks just like the old one except that it now specifies two keyids instead of one. However, when I create a timestamp (tuf timestamp) with the new key, fetching updates in my Go application fails with the error tuf: failed to decode timestamp.json: tuf: valid signatures did not meet threshold.

From the specs and the docs I would have expected client.Update() to also update the root.json data. But it seems like it doesn’t do that and instead uses only the data provided in client.Init which is shipped with the application.

If I update the rootJSON given to client.Init with the content of the new root.json , fetching the repository data works without issues.

Is this a bug or could I have missed something else?

I also get the same error with tuf-client: ERROR: tuf: failed to decode timestamp.json: tuf: valid signatures did not meet threshold - and that too is fixed by initializing it with the updated root.json.

P.S.: Calling client.UpdateRoots() returns nil.

rdimitrov commented 9 months ago

Hey, @wmnnd 👋 Thanks for reaching out.

@mnm678 - Can you help on this one? I haven't used the legacy cli recently and I don't recall the behaviour on client.Init() so I might be talking rubbish here 😃

I'd say if I add another timestamp key this should result in a new root.json version along with everything else that this affects, i.e. new timestamp.json too and so on. Then on the client side you shouldn't update anything - if the repository bump was done correctly, I'd expect that the client should be able to update itself properly by using the initial root.json file.

In @wmnnd's case if I understand correctly the new root.json is not versioned with the next version and instead stays with 1.root.json or no? Also the expiration part and the signature should probably be updated too, not just the timestamp keys part.

mnm678 commented 9 months ago

Did you run commit after running the add_key. Commit will bump the version of root, etc so that the changes will be discoverable by the client.

rdimitrov commented 9 months ago

I'll close this issue as it's not really an issue and more of a question of how to use the legacy library.

@wmnnd - let us know if this helped you and if not, please feel free to reopen or ask in Slack 👍

In any case thank you reaching out 💯