Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add more text describing threshold computation #154

Merged

Conversation

joshuagl
Copy link
Member

Add some additional text to each "Check for an arbitrary software attack" section describing threshold computation, in an attempt to help TUF implementers avoid falling into the trap of a naive implementation of threshold counting resulting in incorrect, security affecting, behaviour.

Further enhance this guidance by recommending, in "File formats", that the signatures list only contain one signature per keyid.

This kind of detail will be easier to add in a much clearer way once we rewrite the workflow to call out to subsections (#121), however I wanted to add this information as soon as possible because we continue to see implementers falling into the same trap:

mnm678
mnm678 previously approved these changes Apr 16, 2021
Copy link
Collaborator

@mnm678 mnm678 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks for the clarification, hopefully this will help prevent future threshold mistakes.

This is related to another approach to this problem in #155, though the approach there would require a breaking change.

@joshuagl joshuagl force-pushed the joshuagl/calculate-threshold branch from c6a3f8c to a98c6a5 Compare May 28, 2021 14:34
@joshuagl
Copy link
Member Author

Rebased on the latest master with a new version and date added. Please take a look @trishankatdatadog @mnm678

mnm678
mnm678 previously approved these changes May 29, 2021
tuf-spec.md Outdated Show resolved Hide resolved
tuf-spec.md Show resolved Hide resolved
tuf-spec.md Outdated Show resolved Hide resolved
@joshuagl
Copy link
Member Author

Almost two years later !? 🙊 I've managed to add some more text in an attempt to address @trishankatdatadog's concerns. I rebased on the latest changes and updated version and date.

With the current version and date in the commit this PR SHOULD follow #272

@joshuagl joshuagl force-pushed the joshuagl/calculate-threshold branch from 215d10b to f1b6165 Compare June 2, 2023 11:14
joshuagl and others added 4 commits August 17, 2023 12:12
Several implementations have made similar errors -- counting multiple
signatures by the same keyid -- when implementing signature threshold
computation, for example the reference implementation:
GHSA-pwqf-9h7j-7mv8
theupdateframework/python-tuf@83ac7be

Add some extra description to the detailed client workflow to further
explain that a threshold of signatures should only count one signature
per key.

Signed-off-by: Joshua Lock <[email protected]>
In an attempt to help implementers protect against incorrect threshold
computation, update "File formats" to suggest that the signatures list
contain only a single signature per keyid at metadata creation time.

Suggested-by: Jussi Kukkonen <[email protected]>
Signed-off-by: Joshua Lock <[email protected]>
Be more explicit that each KEYID can only count one signature towards the
threshold.

Signed-off-by: Joshua Lock <[email protected]>
Signed-off-by: Joshua Lock <[email protected]>
@joshuagl joshuagl force-pushed the joshuagl/calculate-threshold branch from f1b6165 to ec2e1ac Compare August 17, 2023 11:12
@joshuagl
Copy link
Member Author

I'd love to get this PR off my backlog, any chance of some reviews @trishankatdatadog, @mnm678 and @lukpueh ?

Copy link
Member

@lukpueh lukpueh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀

@mnm678 mnm678 merged commit c51875f into theupdateframework:master Aug 17, 2023
@joshuagl joshuagl deleted the joshuagl/calculate-threshold branch August 18, 2023 06:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants