repo.RootKeys returns wrong metadata #379
Comments
|
cc @znewman01 and @haydentherapper who were involved in these changes. |
|
We appreciate you bearing with us as we tweak the API; I think it's rough in the short term, but in the long term will lead to a more-usable and secure-by-default implementation.
Yes.
That's a good idea.
I don't know if I see the issue here—those clients would be on an old version of go-tuf, which supports old-style initialization. Brand new clients will be on the new go-tuf version, but that's okay because we'll be shipping a new Are you worried about a client that has local TUF state and then updates? IIUC that should just work. |
|
Previously, clients could have been distributed with the root key metadata (not the full root.json) and could then bootstrap all trust from that. If those clients update to the new API and try using the old metadata, they will essentially have their updates bricked (because the new API cannot initialize/update with the old metadata and it would be impossible to push an update to use the locally stored full root.json). I tried to take this into account in https://github.com/fleetdm/fleet/pull/7666/files#diff-c92239951d5af44bbf2ae6686800530d93668c48d38718d3f5289f721b506344R109-R126 by always trying to use the full root.json first and only if that fails falling back to the bootstrap metadata. Does that seem like an appropriate approach to you? We will need to to some substantial testing to ensure that we aren't bricking updates for any of our clients. |
|
I think I see what you're saying.
Yes, that seems appropriate to me. There are four cases I can think of:
This seems okay to me in all cases.
Yes, that's important 😄 Let us know if we can help. We're happy to backport security fixes to the |
|
@zwass sorry for the late reply, but also, I can't say I understand all the details. Could you please explain a bit concretely why clients upgraded to the new library with the new API might fail? Is it because they are given the root keys/metadata by something else (e.g., a configuration service)? |
|
Ping, @zwass: anything we need to do on the go-tuf end here, or can I close out? |
|
Hey @zwass : is there anything we can do to help? We're a little confused how it's possible to update client without updating them to be able to ingest the whole repo root keys (or even extract the root keys from the root metadata if they're relying on the old API that takes the root keys) |
This was triggered by the security advisory [GHSA-3633-5h82-39pq](GHSA-3633-5h82-39pq). Fleet's use of go-tuf is not vulnerable to this issue due to not using key thresholds greater than 1. There were some API changes that necessitate changing the initialization code for the TUF client. See theupdateframework/go-tuf#379 for further discussion.
* Update go-tuf to v0.5.0 This was triggered by the security advisory [GHSA-3633-5h82-39pq](GHSA-3633-5h82-39pq). Fleet's use of go-tuf is not vulnerable to this issue due to not using key thresholds greater than 1. There were some API changes that necessitate changing the initialization code for the TUF client. See theupdateframework/go-tuf#379 for further discussion. * Add changes file * Update default root metadata * Add review changes to update-go-tuf branch * Update tests * Add more checks to roots output Co-authored-by: Zach Wasserman <[email protected]>
|
Closing for now; comment if there's anything to do here and we can reopen. |
|
Sorry folks. @lucasmrod pointed out to me that we do actually initialize the whole repository metadata before shipping packages, so the change was really just needed to use the different metadata at initialization. As long as the documentation and metadata returned by the commands are consistent I think we are good. |
Now that #354 is merged, the only way to initialize a client is using the full root metadata (please correct if I'm wrong here).
The repo.RootKeys implementation, which is documented to provide the metadata needed to initialize clients returns an array of public keys, which can no longer be used to initialize the client.
root.jsonto clients?repo.RootKeysbe updated to return the full root metadata? (found docs: update the CLI usage documentation #322 mentioning this)The text was updated successfully, but these errors were encountered: