TUF: Target naming for usage #134

Closed
asraa opened this issue Sep 27, 2022 · 3 comments
Labels
enhancement New feature or request

Comments

@asraa

asraa commented Sep 27, 2022

Description

In the next root-signing, we'll be migrating targets for fulcio under a fulcio subdirectory, and rekor under a rekor subdirectory (and keeping old targets for compatibility before we remove them).

This change was due to the fact that we had created delegations that were allowed to sign off on any path, but we actually only intend for certain delegations to add/update targets for a certain usage type (e.g. a delegation managing rekor rotations should only sign on the rekor/** space).

When we do this, fulcio targets will now be found on fulcio/* and rekor targets will be found on rekor/*. This may simplify some of the expressions for target matching SIGSTORE_FULCIO_CERT_TARGET_REGEX and SIGSTORE_REKOR_PUB_KEY_TARGET, since now their regexes are simply fulcio/* or rekor/*. Old clients may continue to use this for a few months, given that we will continue supporting the top-level targets at their given paths, but we'd like clients to start moving towards retrieving fulcio certs by retrieving all targets under fulcio/*.

A few questions:

  1. Does this targets() func retrieve delegated targets? Or just top-level targets? One way to find out is if you find a revocation.list returned in the current root. That is a delegated target not listed in the top-level targets.
  2. When we totally remove the top-level original paths (rekor.pub and fulcio*.crt.pem) in favor of nesting them under subdirectories, will you need to continue to support old clients?
@asraa asraa added the enhancement New feature or request label Sep 27, 2022
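As an added example (not code from this issue or from the project), a small check of the two things the issue describes: that a delegation scoped to rekor/** or fulcio/** can only sign targets inside its subdirectory, and that a client's target-matching regexes can accept both the legacy top-level names and the nested layout during the migration. The sample target names, the delegation scopes and the wildcard semantics ('**' spans path segments, '*' does not) are assumptions made for the example.

```python
import re

# Constructed sample inputs (not from the issue): delegation path scopes in
# the shape the issue proposes, plus a mix of legacy top-level and nested
# target names as they would appear in a TUF targets listing.
DELEGATION_PATHS = {
    "rekor": ["rekor/**"],    # may only sign rekor key rotations
    "fulcio": ["fulcio/**"],  # may only sign fulcio cert rotations
}
SAMPLE_TARGETS = [
    "rekor.pub", "fulcio.crt.pem", "fulcio_v1.crt.pem", "revocation.list",
    "rekor/rekor.pub", "fulcio/fulcio_v1.crt.pem",
]

# Regexes in the spirit of SIGSTORE_FULCIO_CERT_TARGET_REGEX and
# SIGSTORE_REKOR_PUB_KEY_TARGET: accept both layouts during the migration.
FULCIO_CERT_RE = re.compile(r"^(fulcio/.+|fulcio.*\.crt\.pem)$")
REKOR_KEY_RE = re.compile(r"^(rekor/.+|rekor\.pub)$")


def pattern_to_regex(pattern: str) -> str:
    """Turn a TUF delegation path pattern into an anchored regex.
    Assumed semantics: '**' spans path segments, '*' and '?' stay within
    one segment; a real client library may differ, so verify against it."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return "^" + "".join(out) + "$"


def delegation_may_sign(paths, target: str) -> bool:
    """True if any pattern in the delegation's 'paths' covers the target;
    a rekor delegation proposing a top-level rekor.pub is rejected."""
    return any(re.match(pattern_to_regex(p), target) for p in paths)


def classify_targets(names):
    """Split a targets listing into fulcio certs, rekor keys and the rest."""
    groups = {"fulcio": [], "rekor": [], "other": []}
    for n in sorted(names):
        key = ("fulcio" if FULCIO_CERT_RE.match(n) else
               "rekor" if REKOR_KEY_RE.match(n) else "other")
        groups[key].append(n)
    return groups
```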
@lukehinds
Member

Tagging @flavio, who worked on the TUF patches.

@flavio
Member

flavio commented Dec 6, 2022

@asraa sorry for the late reply, this got buried into my notifications and then I forgot about it 🙏

Has this change taken place? I've downloaded the TUF repository using tuftool (which is based on the same set of Rust libraries we use to interact with TUF) and I didn't find any directory inside of it. I found exactly what is being described here under the targets section of the README.

To address your questions:

  1. Does this targets() func retrieve delegated targets? Or just top-level targets? One way to find out is if you find a revocation.list returned in the current root. That is a delegated target not listed in the top-level targets.

In theory it should also handle the delegated targets; however, I see only the contents of the README I linked above.

Reminder: I'm not a TUF expert, so I might be missing something obvious.

  2. When we totally remove the top-level original paths (rekor.pub and fulcio*.crt.pem) in favor of nesting them under subdirectories, will you need to continue to support old clients?

I think we won't need to do that.

@flavio
Member

flavio commented Sep 17, 2024

Closing; as far as I can see, the change of Sigstore's TUF repository layout never happened.

@flavio flavio closed this as completed Sep 17, 2024