
repository: bump revocation version after length addition #428

Merged
merged 1 commit into from
Oct 3, 2022

Conversation

asraa
Contributor

@asraa asraa commented Oct 3, 2022

Signed-off-by: Asra Ali <asraa@google.com>

#410 (comment)

Before the new root signing event, we should close out this erroneous lack of version update in the revocation delegation.

The delegation had its payload updated for compatibility with Rust here: #327

and should have increased in version.

To produce this change, I had to run

$ export GITHUB_USER=asraa
$ export LOCAL=1
$ ./scripts/step-0.sh
$ ./tuf sign -repository $REPO -roles revocation -key ${REVOCATION_KEY} -add-deprecated=true -bump-version=true
Signing metadata for revocation.json... 
$ ./tuf snapshot -repository /home/asraa/git/root-signing/repository
$ ./tuf sign -repository /home/asraa/git/root-signing/repository -roles snapshot -key gcpkms://projects/project-rekor/locations/global/keyRings/sigstore-root/cryptoKeys/snapshot -add-deprecated=true
Signing metadata for snapshot.json... 
$ ./tuf timestamp -repository "$REPO"
$ ./tuf sign -repository "$REPO" -roles timestamp -key "${TIMESTAMP_KEY}" -add-deprecated=true
Signing metadata for timestamp.json... 
$ ./tuf publish -repository $REPO
Metadata successfully validated!

@asraa asraa requested a review from joshuagl October 3, 2022 16:44
@asraa
Contributor Author

asraa commented Oct 3, 2022

Client verified up to the new snapshot/timestamp version here:

VERIFYING TUF CLIENT UPDATE

Client successfully initialized, updating and downloading targets...
Client updated to...
	root.json version 4, expires 2023/01/12
	timestamp.json version 50, expires 2022/10/17
	snapshot.json version 50, expires 2022/10/24
	targets.json version 4, expires 2023/01/12

@asraa
Contributor Author

asraa commented Oct 3, 2022

cosign initialize works fine:

$ ./cosign initialize --mirror http://localhost:8001
Root status: 
 {
	"local": "/home/asraa/.sigstore/root",
	"remote": "http://localhost:8001",
	"metadata": {
		"root.json": {
			"version": 4,
			"len": 5287,
			"expiration": "12 Jan 23 18:22 UTC",
			"error": ""
		},
		"snapshot.json": {
			"version": 50,
			"len": 1975,
			"expiration": "24 Oct 22 16:40 UTC",
			"error": ""
		},
		"targets.json": {
			"version": 4,
			"len": 5984,
			"expiration": "12 Jan 23 18:22 UTC",
			"error": ""
		},
		"timestamp.json": {
			"version": 50,
			"len": 719,
			"expiration": "17 Oct 22 16:40 UTC",
			"error": ""
		}
	},
	"targets": [
		"fulcio_intermediate_v1.crt.pem",
		"fulcio_v1.crt.pem",
		"rekor.0.pub",
		"rekor.pub",
		"artifact.pub",
		"ctfe.pub",
		"fulcio.crt.pem"
	]
}

tuftool:

$ tuftool download out --root ../root-signing/repository/repository/2.root.json -t http://localhost:8001/targets -m http://localhost:8001
Downloading targets to "out"
	-> rekor.0.pub
	-> ctfe.pub
	-> fulcio.crt.pem
	-> artifact.pub
	-> fulcio_v1.crt.pem
	-> rekor.pub
	-> fulcio_intermediate_v1.crt.pem

Contributor

@haydentherapper haydentherapper left a comment


What's the difference between these payloads?

@asraa
Contributor Author

asraa commented Oct 3, 2022

What's the difference between these payloads?

It's a version bump:

diff --git a/repository/repository/revocation.json b/repository/repository/revocation.json
index d6e7cb9..e553028 100644
--- a/repository/repository/revocation.json
+++ b/repository/repository/revocation.json
@@ -1,29 +1,29 @@
 {
-       "signatures": [
-               {
-                       "keyid": "9e7d813e8e16062e60a4540346aa8e7c7782afb7098af0b944ea80a4033a176f",
-                       "sig": "304502205aebc2daae399b1a6941ccb62a710fc0d95564eead3a433c2e5cae11c3699abf022100b3080a43a6334a714ab29641d1796ba95c7c219ea2bf7210a608aa7ea45bbf98"
-               }
-       ],
        "signed": {
                "_type": "targets",
-               "expires": "2023-01-18T17:33:23Z",
                "spec_version": "1.0",
+               "version": 2,
+               "expires": "2023-01-18T17:33:23Z",
                "targets": {
                        "revocation.list": {
+                               "length": 0,
+                               "hashes": {
+                                       "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+                                       "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e"
+                               },
                                "custom": {
                                        "sigstore": {
                                                "status": "Unknown",
                                                "usage": "Unknown"
                                        }
-                               },
-                               "hashes": {
-                                       "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
-                                       "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e"
-                               },
-                               "length": 0
+                               }
                        }
-               },
-               "version": 1
-       }
+               }
+       },
+       "signatures": [
+               {
+                       "keyid": "9e7d813e8e16062e60a4540346aa8e7c7782afb7098af0b944ea80a4033a176f",
+                       "sig": "3045022100e934bb8dc2b3c9089f5e8f4ec0038b856be09f5871cf54133285f09946ce9e840220282dc45c462a9ac60314fa2776247f84b4616823f6c01910be4307df694a1f42"
+               }
+       ]
 }
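Review bot: the only semantic change in this hunk is `"version": 1` becoming `"version": 2`; `expires` (2023-01-18T17:33:23Z), `length: 0`, both hashes and the signing `keyid` are byte-for-byte identical, and the moves of the `signatures` block after `signed` and of `version` ahead of `expires` are serializer ordering rather than content, so only the `sig` value is expected to differ. It would help future readers of this metadata history if the PR description stated explicitly that `expires` is intentionally left unchanged, so the bump corrects the version history without extending the delegation's lifetime.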

Contributor

@haydentherapper haydentherapper left a comment


LGTM, just wondering why this is needed? Is anything else changing?

@asraa
Contributor Author

asraa commented Oct 3, 2022

LGTM, just wondering why this is needed? Is anything else changing?

Per the PR description: in #327, I had changed the payload of the file because go-tuf omitted the length field when 0, which was against the specification and broke sigstore-rs. I fixed go-tuf and updated the payload in the PR, but did not increase the version. So this PR essentially just sets the record straight that we should have been at revocation version 2.

No other changes needed; in fact this delegation will all go away after the signing. But it is important because if we ever add this delegation back it must be added at version 3, not version 2.
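As an added example (not code from root-signing, go-tuf or this PR), the Python below encodes the two rules this thread turns on: a changed signed payload must arrive with a higher version, and a target's `length` must be present even when it is 0. The metadata dicts are constructed to mirror the before/after `revocation.json` in the diff above, with signatures omitted.

```python
"""Constructed checks for a TUF delegated-targets update (added example)."""
import hashlib
import json

# Constructed: version-1 payload as go-tuf wrote it before the fix, `length` omitted when 0.
OLD_SIGNED = {
    "_type": "targets", "spec_version": "1.0", "version": 1,
    "expires": "2023-01-18T17:33:23Z",
    "targets": {"revocation.list": {
        "hashes": {
            "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
            "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
                      "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
        },
    }},
}
# Constructed: payload after #327 (`length` now present) but still at version 1.
UNBUMPED_SIGNED = json.loads(json.dumps(OLD_SIGNED))
UNBUMPED_SIGNED["targets"]["revocation.list"]["length"] = 0
# Constructed: payload after this PR, version 2.
NEW_SIGNED = json.loads(json.dumps(UNBUMPED_SIGNED))
NEW_SIGNED["version"] = 2


def canonical(signed: dict) -> bytes:
    # Sorted keys and no whitespace, so the key reordering visible in the
    # diff (signatures/signed, version/expires) does not count as a change.
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def check_update(old: dict, new: dict) -> list:
    """Return the problems found when moving from `old` to `new` signed metadata."""
    problems = []
    if canonical(old) != canonical(new) and new["version"] <= old["version"]:
        problems.append("payload changed without a version bump")
    if new["version"] < old["version"]:
        problems.append("version rollback")
    for name, meta in new["targets"].items():
        if "length" not in meta:
            problems.append(f"{name}: length omitted (spec requires it even when 0)")
    return problems


def check_target_file(meta: dict, content: bytes) -> list:
    """Check a downloaded target against its metadata entry (length and every hash)."""
    problems = []
    if meta.get("length") != len(content):
        problems.append("length mismatch")
    for alg, expected in meta.get("hashes", {}).items():
        if hashlib.new(alg, content).hexdigest() != expected:
            problems.append(f"{alg} mismatch")
    return problems
```

`check_update(OLD_SIGNED, UNBUMPED_SIGNED)` reproduces the defect this PR corrects, while `check_target_file` confirms that the hashes in the diff are those of an empty revocation list.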

@asraa asraa merged commit bdcebde into sigstore:main Oct 3, 2022
@asraa asraa mentioned this pull request Oct 3, 2022