-
Notifications
You must be signed in to change notification settings - Fork 110
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Initializing client regression between v0.5.2 and v0.6.0 #527
Comments
Are you using an updated sigstore client (or cleared the local cache?) this is because before GA sigstore was using an invalid format root that wasn't compatible with newer versions of go-tuf. |
Great questions! I ran into this on GitHub actions where I assume there is no pre-existing cache, but that might be wrong.
I'm not entirely sure what this means. Do you have a link to more info? |
If you have a link to the GHA it'd be easier to debug. Here's some links about that issue, and I'm not totally sure unless I see if it's that from your GHA.. Original issue that sigstore was using PEM encoded public keys in the root: sigstore/root-signing#329 I swear there were posted issues of clients hitting this, but maybe it was only in Slack. |
@asraa I can see a similar issue in policy-controller https://github.com/sigstore/policy-controller/actions/runs/5677821039/job/15386817220?pr=903#step:5:81. |
Oh! Weird, if this is popping up recently in daily runs then I have no idea. @haydentherapper for any context if something has changed. |
@haydentherapper probably this needs to be bumped to a more recent version, and deps updated... |
Is sigstore/cosign#3128 related? |
We hadn't updated to 0.6.0 yet cause I wasn't sure where the KDF params change would break things. |
We have this failure here too - sigstore/sigstore#1286 |
Cc @rdimitrov |
Maybe we should add a Sigstore maintainer also to go-tuf to try to prevent this sort of issues going forward... |
Others have linked to more failures, but here's mine: Thanks for the links, I'll take a look. |
As far as I understand the changes to the encrypted package (KDF update/what we notify as a potential breaking change) are not what’s causing this since the sigstore use case of In any case the sigstore unit tests seem to reproduce this issue so I’d suggest someone to debug running them locally by gradually testing which change in go-tuf might have caused this from 0.5.2 to 0.6.0. PS. Unfortunately I’m in Denmark up until the end of next week so I cannot debug properly from my phone. PS2. A few helping notes for someone that is willing to give it a try - the following would help replace go-tuf with a local clone for testing in sigstore’s go.mod- |
I returned from PTO and debugged it with sigstore's unit tests today. It turns out that the issue is caused by fix: Update the ecdsa key type to the latest spec (1.0.32). Reverting the commit 2adcfe7 does fix the failed tests in https://github.com/sigstore/sigstore. I did not have more time, but I'll try to figure out the root cause next week. Feel free to chime in if you already have an idea. cc: @asraa @kommendorkapten @hectorj2f @haydentherapper @jonjohnsonjr |
If that's the case then I expect it's because we're parsing the old ecdsa key type like I mentioned above. I still think the fix is probably to update the sigstore/sigstore root metadata: https://github.com/sigstore/sigstore/blob/main/pkg/tuf/repository/root.json I think the reason that commit shows up is now is because the key
So this fix is (1) to update the root metadata so we no longer are parsing the deprecated ecdsa format or (2) update the line above so that the deprecated ecdsa format is actually added to the store with the correct key value. |
@asraa, thanks, that makes perfect sense. I'd rather avoid continuing to deal with hex-encoded ecdsa keys, so I'm good to bump root.json to version 5 or the latest. Though I think we should do (2) also unless we're also entirely removing the deprecated ecdsa format. |
Isn't it better if we load the correct verifier here with Line 23 in 4e4f7f3
|
The deprecated package is separate and needs explicit inclusion (which it is in the sigstore ecosystem) - I think it would be also good if someone corrected the key here:
|
I'll recap everything that needs to be changed. If we agree that's all, I'll open a fix so we can cut a patch release and resolve this quickly 👍
|
The first is correct! The second does not need to be changed - this is the intended old ECDSA verifier (spec compliant). The deprecated package imported the old go-tuf not-spec-compliant ecdsa verifier. |
@asraa - Thanks! 💯 I'll make sure to open a PR later and hopefully cut a patch release in a day or so so we fix this 👍 |
sigstore/sigstore#1312 will also fix this for Sigstore. For |
We currently don't generate a root with I would also suggest migrating to the new key type for the next root signing. |
That makes sense. I was thinking about cases where we must always support the outdated format and the new format, like in rekor (unless we bump the TUF type version). |
Yeah, i'm not totally sure it's possible, since it's meant to be a compile time setting :/ But you could internally access the verifiers, I guess. |
The fix is now part of v0.6.1 (just released) 🎉 Thank you all for your help! 💯 |
I am unsure exactly what caused this (and the issue may be in sigstore, but that doesn't seem to have changed), but calling this function:
https://github.com/sigstore/sigstore/blob/8fac32e450fa2fb263313255dc779799095f0ce5/pkg/tuf/client.go#L335-L349
Gives this error:
Whereas reverting to v0.5.2 suceeds.
The text was updated successfully, but these errors were encountered: