Conformance suite feature parity #354

Draft
wants to merge 4 commits into
base: main

tnytown (Contributor) commented Apr 24, 2024

Requires #326.

  • Detached materials
  • 0.3 bundles
  • Staging instance
  • Custom trust root

Current failing tests:

FAILED test/test_bundle.py::test_verify_v_0_3 - test.client.ClientFail: 
FAILED test/test_bundle.py::test_verify_dsse_bundle_with_trust_root - test.client.ClientFail: 
FAILED test/test_bundle.py::test_verify_rejects_invalid_set - test.client.ClientUnexpectedSuccess: 
FAILED test/test_bundle.py::test_verify_rejects_bad_checkpoint - test.client.ClientUnexpectedSuccess: 
FAILED test/test_bundle.py::test_verify_rejects_checkpoint_with_no_matching_key - test.client.ClientUnexpectedSuccess: 
FAILED test/test_certificate_verify.py::test_verify_with_trust_root - test.client.ClientFail: 
FAILED test/test_signature_verify.py::test_verify_empty[SignatureCertificateMaterials] - test.client.ClientFail: 
FAILED test/test_signature_verify.py::test_verify_mismatch[SignatureCertificateMaterials] - test.client.ClientFail: 
FAILED test/test_signature_verify.py::test_verify_sigcrt - test.client.ClientFail: 
FAILED test/test_simple.py::test_simple[SignatureCertificateMaterials] - test.client.ClientFail: 

tnytown and others added 3 commits April 22, 2024 22:26
Co-authored-by: Alex Cameron <alex.cameron@trailofbits.com>
Signed-off-by: Andrew Pan <andrew.pan@trailofbits.com>
Signed-off-by: Andrew Pan <andrew.pan@trailofbits.com>
Signed-off-by: Andrew Pan <andrew.pan@trailofbits.com>
tnytown (Contributor Author) commented Apr 24, 2024

Getting the following error on staging when tough tries to fetch a root (5.root.json):

Invalid key ID 5416a7a35ef827abc651e200ac11f3d23e9db74ef890b1fedb69fb2a152ebac5: calculated c3479007e861445ce5dc109d9661ed77b35bbc0e3f161852c46114266fc2daa4

jku (Member) commented Apr 26, 2024

> Getting the following error on staging when tough tries to fetch a root (5.root.json):
>
> Invalid key ID 5416a7a35ef827abc651e200ac11f3d23e9db74ef890b1fedb69fb2a152ebac5: calculated c3479007e861445ce5dc109d9661ed77b35bbc0e3f161852c46114266fc2daa4

This is theupdateframework/tuf-on-ci#292 and arguably theupdateframework/specification#305

Very annoying...

  • I think this is a bug in tuf-on-ci (and so in root-signing-staging metadata) and will try to not create keyids like this in tuf-on-ci in the future
  • It looks like out of current sigstore clients only sigstore-rs triggers this but I think I will try to fix this in root-signing-staging too -- this is not entirely trivial so won't happen immediately and the already existing root versions are unlikely to get reverted
  • If the tough devs agree with the spec issue above (like I think most client devs do), we could modify the client to accept the keyids currently used

Signed-off-by: Andrew Pan <andrew.pan@trailofbits.com>
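
The key ID check behind the error quoted in this thread, as an added example (not code from tough, sigstore-rs or tuf-on-ci). It assumes the TUF specification's definition of a key ID as the hex SHA-256 of the key's canonical JSON form; the key values, the `constructed-non-hash-keyid` ID and all function names are constructed for illustration. Strict mode rejects a declared ID that differs from the calculated one; lenient mode treats the ID as an opaque label but still refuses one key listed under two IDs, so it cannot count twice toward a signature threshold.

```python
import hashlib

def canonical_json(obj) -> str:
    """Canonical JSON subset: sorted keys, no whitespace, only backslash and quote escaped."""
    if isinstance(obj, str):
        return '"' + obj.replace("\\", "\\\\").replace('"', '\\"') + '"'
    if isinstance(obj, bool):
        return "true" if obj else "false"
    if isinstance(obj, int):
        return str(obj)
    if isinstance(obj, list):
        return "[" + ",".join(canonical_json(v) for v in obj) + "]"
    if isinstance(obj, dict):
        items = (canonical_json(k) + ":" + canonical_json(obj[k]) for k in sorted(obj))
        return "{" + ",".join(items) + "}"
    raise TypeError(f"unsupported type: {type(obj).__name__}")

def compute_keyid(key: dict) -> str:
    """Hex SHA-256 of the key object's canonical JSON form."""
    return hashlib.sha256(canonical_json(key).encode("utf-8")).hexdigest()

def load_keys(keys: dict, strict: bool) -> dict:
    """Return accepted keys by declared key ID, or raise ValueError."""
    seen = {}  # calculated ID -> declared ID, to catch one key listed twice
    for declared, key in keys.items():
        calculated = compute_keyid(key)
        if strict and declared != calculated:
            raise ValueError(f"Invalid key ID {declared}: calculated {calculated}")
        if calculated in seen:
            raise ValueError(f"key listed twice: {seen[calculated]} and {declared}")
        seen[calculated] = declared
    return dict(keys)

# Constructed sample keys; the "public" values are placeholders, not real keys.
def sample_key(n: int) -> dict:
    pem = f"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-{n}\n-----END PUBLIC KEY-----\n"
    return {"keytype": "ecdsa", "scheme": "ecdsa-sha2-nistp256", "keyval": {"public": pem}}

KEY_A, KEY_B = sample_key(1), sample_key(2)
# KEY_A is listed under its hash; KEY_B under an ID that is not its hash.
SAMPLE_KEYS = {compute_keyid(KEY_A): KEY_A, "constructed-non-hash-keyid": KEY_B}

if __name__ == "__main__":
    print(sorted(load_keys(SAMPLE_KEYS, strict=False)))
    try:
        load_keys(SAMPLE_KEYS, strict=True)
    except ValueError as err:
        print(err)
```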