Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Conformance suite feature parity #354

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

Conformance suite feature parity #354

wants to merge 3 commits into from

Conversation

tnytown
Copy link
Contributor

@tnytown tnytown commented Apr 24, 2024
edited

Requires #326.

  • Detached materials
  • 0.3 bundles
  • Staging instance
  • Custom trust root

Current failing tests:

FAILED test/test_bundle.py::test_verify_v_0_3 - test.client.ClientFail: 
FAILED test/test_bundle.py::test_verify_dsse_bundle_with_trust_root - test.client.ClientFail: 
FAILED test/test_bundle.py::test_verify_rejects_invalid_set - test.client.ClientUnexpectedSuccess: 
FAILED test/test_bundle.py::test_verify_rejects_bad_checkpoint - test.client.ClientUnexpectedSuccess: 
FAILED test/test_bundle.py::test_verify_rejects_checkpoint_with_no_matching_key - test.client.ClientUnexpectedSuccess: 
FAILED test/test_certificate_verify.py::test_verify_with_trust_root - test.client.ClientFail: 
FAILED test/test_signature_verify.py::test_verify_empty[SignatureCertificateMaterials] - test.client.ClientFail: 
FAILED test/test_signature_verify.py::test_verify_mismatch[SignatureCertificateMaterials] - test.client.ClientFail: 
FAILED test/test_signature_verify.py::test_verify_sigcrt - test.client.ClientFail: 
FAILED test/test_simple.py::test_simple[SignatureCertificateMaterials] - test.client.ClientFail:

tnytown and others added 3 commits April 22, 2024 22:26
@tnytown @tetsuo-cpp
sign: Signed Certificate Timestamp validation
a153e36 
Co-authored-by: Alex Cameron <alex.cameron@trailofbits.com>
Signed-off-by: Andrew Pan <andrew.pan@trailofbits.com>
@tnytown
Cargo.toml: remove patch version for bundle deps
e339b67 
Signed-off-by: Andrew Pan <andrew.pan@trailofbits.com>
@tnytown
conformance: staging, initial trustroot support
0989d63 
Signed-off-by: Andrew Pan <andrew.pan@trailofbits.com>
@tnytown
Copy link
Contributor Author

tnytown commented Apr 24, 2024
edited

Getting the following error on staging when tough tries to fetch a root (5.root.json):

Invalid key ID 5416a7a35ef827abc651e200ac11f3d23e9db74ef890b1fedb69fb2a152ebac5: calculated c3479007e861445ce5dc109d9661ed77b35bbc0e3f161852c46114266fc2daa4

@jku
Copy link
Member

jku commented Apr 26, 2024
edited

Getting the following error on staging when tough tries to fetch a root (5.root.json):

Invalid key ID 5416a7a35ef827abc651e200ac11f3d23e9db74ef890b1fedb69fb2a152ebac5: calculated c3479007e861445ce5dc109d9661ed77b35bbc0e3f161852c46114266fc2daa4

This is
theupdateframework/tuf-on-ci#292 and arguably theupdateframework/specification#305

Very annoying...

  • I think this is a bug in tuf-on-ci (and so in root-signing-staging metadata) and will try to not create keyids like this in tuf-on-ci in the future
  • It looks like out of current sigstore clients only sigstore-rs triggers this but I think I will try to fix this in root-signing-staging too -- this is not entirely trivial so won't happen immediately and the already existing root versions are unlikely to get reverted
  • if the tough devs agree with the spec issue above (like I think most client devs do), we could modify the client to accept the keyids currently used

@jku jku mentioned this pull request May 31, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@tnytown @jku