-
Notifications
You must be signed in to change notification settings - Fork 110
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Snapshotting doesn't verify the root.json manifest. #292
Comments
2 tasks
I would think it should verify this. I'm not sure how you can check that
the snapshot key is current / valid otherwise.
…On Wed, May 18, 2022 at 1:51 AM asraa ***@***.***> wrote:
Currently Snapshot will verify signatures on all snapshotted manifests,
but does not require verifying the root.json because root is no longer
included in the Snapshot. (see #203
<#203>)
Root.json was removed from snapshot.json here:
https://github.com/theupdateframework/taps/blob/master/tap5.md#security-analysis
Should repo managers verify that root.json is valid before snapshotting?
As a matter of robustness? Or should we handle this in our own client.
See sigstore/root-signing#238
<sigstore/root-signing#238>
—
Reply to this email directly, view it on GitHub
<#292>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAGROD57CSAWOVYVEFHTSC3VKPMCRANCNFSM5WFXFPUQ>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
Agreed that repository tooling should be verifying metadata as the tools proceeds through repository operations. |
Awesome, the PR opened should do so! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently
Snapshot
will verify signatures on all snapshotted manifests, but does not require verifying the root.json because root is no longer included in the Snapshot. (see #203)Root.json was removed from snapshot.json here: https://github.com/theupdateframework/taps/blob/master/tap5.md#security-analysis
Should repo managers verify that root.json is valid before snapshotting? As a matter of robustness? Or should we handle this in our own client.
It seems odd to use the DBs from root to verify sigs on snapshotted manifests if the root is not properly signed.
See sigstore/root-signing#238
The text was updated successfully, but these errors were encountered: