Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

support "ecdsa" keytype as well as the old "ecdsa-sha2-nistp256" #754

Closed
jku opened this issue Mar 13, 2024 · 5 comments
Closed

support "ecdsa" keytype as well as the old "ecdsa-sha2-nistp256" #754

jku opened this issue Mar 13, 2024 · 5 comments

Comments

@jku
Copy link

jku commented Mar 13, 2024
edited

The TUF spec has last year fixed the inconsistency in keytypes so "ecdsa" is now the suggested keytype name (instead of "ecdsa-sha2-nistp256"):
https://theupdateframework.github.io/specification/latest/#keytype

For clients it's fine (and the suggested approach) to support both names.

Based on my (limited) understanding of serde this might be an easy fix:

/// An EcdsaKey
#[serde(rename = "ecdsa-sha2-nistp256")]
Ecdsa {

becomes something like

/// An EcdsaKey
#[serde(alias = "ecdsa-sha2-nistp256")]
Ecdsa {

?
@jku
Copy link
Author

jku commented Mar 13, 2024
edited

This came up since sigstore root-signing is trying to use "ecdsa" as a keytype: sigstore/root-signing#1164. The actual error from tuftool is:
Failed to load repository: Failed to parse root metadata: Invalid SubjectPublicKeyInfo document at line 18 column 4
https://github.com/sigstore/root-signing/actions/runs/8262338514/job/22601461047

So it is still possible that the issue is something not related to the ecdsa change itself but that seemed like the most obvious culprit (as no public key content has actually changed).

Also apologies for how the whole ecdsa keytype evolution has happened: I realize this is not the first or second time things have had to change in tough around this. We (TUF community as whole) could really improve the communication on these issues...

cc @kommendorkapten

@jku jku mentioned this issue Mar 13, 2024
Closed
@kommendorkapten kommendorkapten mentioned this issue Mar 13, 2024
Merged
@trishankatdatadog trishankatdatadog mentioned this issue Mar 15, 2024
Open
@webern webern mentioned this issue Mar 22, 2024
Closed
@kommendorkapten
Copy link
Contributor

👋
Will there also be a new release of tuftool with this update? We are using tuftool in Sigstore's TUF repo to verify client compatibility.

@jmt-lab
Copy link
Contributor

jmt-lab commented Mar 28, 2024

👋 Will there also be a new release of tuftool with this update? We are using tuftool in Sigstore's TUF repo to verify client compatibility.

Hi there, we haven't planned a new release of tuftool due to there only being changes in tough itself and we did a minor release. If you use cargo install to install tuftool or run a cargo update it should bring in the new version of tough. If it does not or you see any weirdness do please reach out and let us know.

@kommendorkapten
Copy link
Contributor

@jmt-lab Perfect, thanks. Verified this too and it works, which can be seen in this PR: sigstore/root-signing#1190

@jku
Copy link
Author

jku commented Apr 26, 2024

Seems to be fixed, thanks a lot.

@jku jku closed this as completed Apr 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jku @kommendorkapten @jmt-lab