-
Notifications
You must be signed in to change notification settings - Fork 275
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement verification by a threshold of keys #1306
Comments
When computing whether the threshold of signatures has been met, we need to be sure that only a single valid signature is counted for each keyid in the signatures list. This prevents a malicious key owner from signing metadata multiple times to meet the threshold. For more details see: GHSA-pwqf-9h7j-7mv8 and 83ac7be |
Indeed, I considered multiple keyids for the same key but decided not to mention it as the current specification requires keyids be the sha256 hash of the key's canonical form. I agree it would be worth trying to implement threshold computation in a forward-thinking way if it doesn't complicate things too much, that probably means ensuring that signatures are unique, keyids are unique, and that each keyid maps to a unique key? FYI I filed a PR against the spec to try and describe what's required of implementations here theupdateframework/specification#154 |
So the problem space is this:
Some options I see are (examples for a hypothetical client that wants to verify a timestamp file it has just downloaded):
(editing to add a fourth option)
This looks nice but does mean the function will have to check that self.signed is a Root or Targets... |
For options 2 and 3, delegated roles need to be aware of their parent (delegating role) to retrieve the correct keys/threshold which, except for the case when the parent is root, is not trivial because it is not stored in the metadata. |
It could be added to the metadata if we decide. I feel like the first option makes the most sense to me, but I am wondering how it will look like from an implementation perspective. |
I was referring to the specification, but yes, it can be extended in the implementation.
This needs to happen in all cases |
in the hypothetical examples I was thinking this code is in e.g. client Updater and it would handle the "delegation tree" and would know who can verify who (updated comment to explain that). |
What makes this annoying is that delegation data is just different enough in Targets and Root that sharing an implementation is a bit difficult. I've got a prototype of option 1 jku@3cf353b |
I guess this could actually be a Metadata function as well (and not a Root/Target function):
in this case there would be code in metadata that would do one thing if self.signed._type=='root' and and another if self.signed._type=='targets' ... A bit ugly but could work: develop...jku:verify_with_threshold |
(Apologies for the brevity of this drive-by comment) I think delegator verifies the delegated is the right approach (I do not like delegated verifies itself with info from delegator, options 2 & 3 in the original breakdown).
|
Note to self: Clarify the uniqueness of role names in delegations. The file format and spec does not enforce this (because roles in delegations is an ordered list), but I think there can only be one role with a specific role name in a delegations object: to verify the delegation with threshold of keys we need to lookup the keyids with the role name: if there were multiple roles with same name they could have different keyids... |
Description of issue or feature request:
A verification of signed metadata by a threshold of keys is needed both for client and repository.
Metadata
already has vanilla one-signature verify and could potentially be the right location for this implementation. See #1060 (comment) for thoughts about that distinction.The text was updated successfully, but these errors were encountered: