feat: parameterize deprecated key formats in init and add testing (part 3/4) #376
Conversation
Signed-off-by: Asra Ali <asraa@google.com> lint Signed-off-by: Asra Ali <asraa@google.com>
asraa
force-pushed
the
part-3-init-param
branch
from
f57718c
to
94777ab
Compare
asraa
requested review from
haydentherapper,
dlorenc,
joshuagl and
kommendorkapten
asraa
changed the title
|
A review would be great! Would love to wrap this up with part 4 so I can send out keyholder instructions! |
| @@ -321,7 +324,8 @@ func ClearEmptySignatures(store tuf.LocalStore, role string) error { | |||
| } | |||
|
|
|||
| func jsonMarshal(v interface{}) ([]byte, error) { | |||
| b, err := cjson.Marshal(v) | |||
| // We don't need to canonically encode the payload in the store. | |||
| b, err := json.Marshal(v) | |||
There was a problem hiding this comment.
When changing from cjson to encoding/json for Marshalling, there is no risk that the checksum/signature for the metadata file will differ from what's written in the snapshot file? Or is this only verified prior to writing to the metadata cache, my memory is failing me here :)
There was a problem hiding this comment.
Good question!
On get: we verify the checksum/length based on the retrieved metadata from the store. (no canonicalization)
On write: we write the snapshot file metadata (checksum/length) based on the retrieved metadata from the store (no canonicalization)
Admittedly, I feel like this is generally a little fragile. It requires that the implementations for GetMeta on the repo and client's store implementation and the repository writers SetMeta implementation return equivalent bytes.
It only works out this way because they both do not canonicalize. So snapshot checksums and client's verification of the checksum will still be correct, since they checksum exactly what we write to the store.
Does that make sense? I guess the tldr is no: snapshot checksums are generated based on what we write to the store, regardless of canonicalization or not.
There was a problem hiding this comment.
Does that make sense? I guess the tldr is no: snapshot checksums are generated based on what we write to the store, regardless of canonicalization or not.
I think it does! But, this feels like it may break for sigstore tuf client v2, where multiple languages can share cache, as JSON serialization may differ? Although out of scope for this PR, we should keep track of that, right?
There was a problem hiding this comment.
But, this feels like it may break for sigstore tuf client v2, where multiple languages can share cache, as JSON serialization may differ?
I think things will work by accident, as long as clients SetMeta with just the raw bytes, and don't store in a different representation.
we should keep track of that, right?
I think so. We should be able to catch issues with this with the presubmits, but I would like to ask on theupdateframework/specification for x-lang guidance here. Creating an issue
| @@ -41,6 +40,7 @@ var DefaultThreshold = 3 | |||
| var ConsistentSnapshot = true | |||
|
|
|||
| // Use deprecated hex-encoded ECDSA keys. | |||
| // TODO(asraa): Flip this to false or v5 when migration code complete. | |||
There was a problem hiding this comment.
| // TODO(asraa): Flip this to false or v5 when migration code complete. | |
| // TODO(asraa): Flip this to false for v5 when migration code complete. |
?
| func InitCmd(ctx context.Context, directory, previous string, | ||
| threshold int, targetsConfig map[string]json.RawMessage, | ||
| snapshotRef string, timestampRef string, | ||
| deprecatdKeyFormat bool) error { |
There was a problem hiding this comment.
| deprecatdKeyFormat bool) error { | |
| deprecatedKeyFormat bool) error { |
| @@ -150,7 +153,7 @@ func InitCmd(ctx context.Context, directory, previous string, threshold int, tar | |||
| if err != nil { | |||
| return err | |||
| } | |||
| keys, err := getKeysFromDir(directory + "/keys") | |||
| keys, err := getKeysFromDir(directory+"/keys", deprecatdKeyFormat) | |||
There was a problem hiding this comment.
| keys, err := getKeysFromDir(directory+"/keys", deprecatdKeyFormat) | |
| keys, err := getKeysFromDir(directory+"/keys", deprecatedKeyFormat) |
| @@ -191,7 +194,7 @@ func InitCmd(ctx context.Context, directory, previous string, threshold int, tar | |||
|
|
|||
| // Add keys used for snapshot and timestamp roles. | |||
| for role, keyRef := range map[string]string{"snapshot": snapshotRef, "timestamp": timestampRef} { | |||
| signerKey, err := pkeys.GetSigningKey(ctx, keyRef, DeprecatedEcdsaFormat) | |||
| signerKey, err := pkeys.GetSigningKey(ctx, keyRef, deprecatdKeyFormat) | |||
There was a problem hiding this comment.
| signerKey, err := pkeys.GetSigningKey(ctx, keyRef, deprecatdKeyFormat) | |
| signerKey, err := pkeys.GetSigningKey(ctx, keyRef, deprecatedKeyFormat) |
| @@ -321,7 +324,8 @@ func ClearEmptySignatures(store tuf.LocalStore, role string) error { | |||
| } | |||
|
|
|||
| func jsonMarshal(v interface{}) ([]byte, error) { | |||
| b, err := cjson.Marshal(v) | |||
| // We don't need to canonically encode the payload in the store. | |||
There was a problem hiding this comment.
This is a great catch. We should store the raw data that we retrieve from the repository, not the canonicalised form.
| @@ -334,7 +338,7 @@ func jsonMarshal(v interface{}) ([]byte, error) { | |||
| return out.Bytes(), nil | |||
| } | |||
|
|
|||
| func getKeysFromDir(dir string) ([]*data.PublicKey, error) { | |||
| func getKeysFromDir(dir string, deprecatdKeyFormat bool) ([]*data.PublicKey, error) { | |||
There was a problem hiding this comment.
| func getKeysFromDir(dir string, deprecatdKeyFormat bool) ([]*data.PublicKey, error) { | |
| func getKeysFromDir(dir string, deprecatedKeyFormat bool) ([]*data.PublicKey, error) { |
| @@ -346,7 +350,7 @@ func getKeysFromDir(dir string) ([]*data.PublicKey, error) { | |||
| if err != nil { | |||
| return nil, err | |||
| } | |||
| tufKey, err := pkeys.ToTufKey(*key, DeprecatedEcdsaFormat) | |||
| tufKey, err := pkeys.ToTufKey(*key, deprecatdKeyFormat) | |||
There was a problem hiding this comment.
| tufKey, err := pkeys.ToTufKey(*key, deprecatdKeyFormat) | |
| tufKey, err := pkeys.ToTufKey(*key, deprecatedKeyFormat) |
|
Oh, this merged before I finished my review 🤦 |
Signed-off-by: Joshua Lock <jlock@vmware.com>
Signed-off-by: Asra Ali asraa@google.com
PART 3 OF #329 (comment)
I know this makes a lot of changes in the summary, but they are all fairly minor.
Summary
InitCmdto use deprecated key formats when adding HSM/online keysInitCmdthat adds pre-entries forallRootKeys(old + new) totargetsrole instead ofroot. E2E testing verifies this.KeyAndAttestationsonly requires the ecdsa public key, format agnostic.SignCmdbut no signature was added to the metadata, useful for catching if we sign with PEM and do not expect PEM keys.verifyCLI command and uses it in e2e testing.We still have a TODO to make the
SignCmdCLI command allow multiple key IDs for the same sig. Awaiting part 4.Added TODO for also unit testing the pre-entries logic. It is fragile and worth testing.
Release Note
Documentation