Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

go-tuf requires snapshot.json length/hashes to be set in timestamp meta #229

Closed
znewman01 opened this issue Mar 2, 2022 · 2 comments
Closed

go-tuf requires snapshot.json length/hashes to be set in timestamp meta #229

znewman01 opened this issue Mar 2, 2022 · 2 comments
Assignees
@joshuagl

Comments

@znewman01
Copy link
Contributor

In #228, I discovered that python-tuf can generate metadata that fails update in go-tuf. In particular, timestamp.json is:

{
 "signatures": [
  {
   "keyid": "941da208a0a7547b698585b6c6f04b72280644f0cddfe27a3acfd2ca683cc7a4",
   "sig": "810f1b6cba5dd8a3fea906ed5956c4f984de6e1979a11abaa8de7d2c539e105abcce7e51589219da8a97a4c6138360c7921d65b1ac8d46f75b0d287bab064f06"
  }
 ],
 "signed": {
  "_type": "timestamp",
  "expires": "2030-01-01T00:00:00Z",
  "meta": {
   "snapshot.json": {
    "version": 1
   }
  },
  "spec_version": "1.0.19",
  "version": 1
 }
}

Calling client.Update() gives:

python_interop_test.go:67:
    c.Assert(err, IsNil)
... value client.ErrDownloadFailed = client.ErrDownloadFailed{File:"snapshot.json", Err:util.ErrWrongLength{Expected:0, Actual:432}} ("tuf: failed to download snapshot.json: wrong length, expected 0 got 432")

(The snapshot meta does allow missing length/hashes.)

These fields are listed as OPTIONAL for snapshot metadata, and the spec for timestamp metadata reads:

METAFILES is the same as described for the snapshot.json file. In the case of the timestamp.json file, this MUST only include a description of the snapshot.json file.
@znewman01 znewman01 mentioned this issue Mar 2, 2022
Merged
@trishankatdatadog
Copy link
Member

Yes, I'm afraid there's been an update to the spec since the relevant go-tuf code was written 😕 Thanks for the report!

@jku jku mentioned this issue Mar 15, 2022
Closed
@joshuagl
Copy link
Member

This behaviour was changed in ed6788e. TimestampFileMetaEqual() now only checks the length and hashes when they are not nil.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@joshuagl joshuagl

Labels
None yet
Projects
No open projects
[go-tuf] Project planning - v0.6.0 (Target: 2022-11-30)
Status: Done
Milestone
No milestone
Development

No branches or pull requests
3 participants
@znewman01 @joshuagl @trishankatdatadog