TUF specification has a new version - v1.0.31 #391

Closed
github-actions bot opened this issue Sep 21, 2022 · 2 comments · Fixed by #393
@github-actions

Hey, it seems there's a newer version of the TUF specification - v1.0.31

The version which theupdateframework/go-tuf states it supports is - v1.0.29

The following is a comparison of what changed between the two versions - Compare v1.0.29 to v1.0.31

Please review the newer version and address the changes.

znewman01 added a commit to znewman01/go-tuf that referenced this issue Sep 21, 2022
We fixed theupdateframework#321 but forgot to update this, so now the GH actions bot is
confused (theupdateframework#391).

Signed-off-by: Zachary Newman <z@znewman.net>
znewman01 added a commit that referenced this issue Sep 21, 2022
We fixed #321 but forgot to update this, so now the GH actions bot is
confused (#391).

Signed-off-by: Zachary Newman <z@znewman.net>
@znewman01 znewman01 self-assigned this Sep 21, 2022
@znewman01
Contributor

Only potentially relevant commit is this one: theupdateframework/specification@7b565c7

I'll give it a skim.

@znewman01
Contributor

Okay, we're good based on this code:

go-tuf/client/client.go

Lines 293 to 299 in 7f9beab

    // 5.3.5 Check for a rollback attack. Here, we check that nPlusOneRootMetadataSigned.version == nPlusOne.
    if nPlusOneRootMetadataSigned.Version != nPlusOne {
        return verify.ErrWrongVersion{
            Given:    nPlusOneRootMetadataSigned.Version,
            Expected: nPlusOne,
        }
    }

It's covered in tests here:

    // Fails updating root to 2.root.json when the value of the version field inside it is 1 (rollback attack prevention).
    {"testdata/Published1Time_backwardRootVersion", verify.ErrWrongVersion(verify.ErrWrongVersion{Given: 1, Expected: 2}), map[string]int64{}},
    // Fails updating root to 2.root.json when the value of the version field inside it is 3 (rollforward attack prevention).
    {"testdata/Published3Times_keyrotated_forwardRootVersion", verify.ErrWrongVersion(verify.ErrWrongVersion{Given: 3, Expected: 2}), map[string]int64{}},
    // Fails updating when there is no local trusted root.

We should add more-specific unit tests, but that's already tracked in #286

Will close by updating the listed specification version.
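
The exact-match version check quoted in the comment above, as an added example that is not part of the original thread and not go-tuf's own code: it walks a root chain and rejects any (N+1).root.json whose version field is not exactly N+1. `UpdateRoot`, `repo`, and this local `ErrWrongVersion` are names assumed for illustration, the repository contents are constructed, and signature verification is left out.

```go
package main

import "fmt"

// ErrWrongVersion is defined for this example; it is not go-tuf's verify type.
type ErrWrongVersion struct{ Given, Expected int64 }

func (e ErrWrongVersion) Error() string {
	return fmt.Sprintf("wrong root version: given %d, expected %d", e.Given, e.Expected)
}

// repo maps N in "N.root.json" to the version field inside that file
// (constructed data; signature verification is out of scope here).
type repo map[int64]int64

// UpdateRoot walks the chain from the trusted version. Each (N+1).root.json
// must declare exactly N+1: lower is a rollback, higher a rollforward.
// On failure it returns the last version that passed the check.
func UpdateRoot(trusted int64, r repo) (int64, error) {
	for {
		next := trusted + 1
		declared, ok := r[next]
		if !ok {
			return trusted, nil // no newer root published; chain ends
		}
		if declared != next {
			return trusted, ErrWrongVersion{Given: declared, Expected: next}
		}
		trusted = next
	}
}

func main() {
	cases := map[string]repo{
		"honest chain": {2: 2, 3: 3},
		"rollback":     {2: 1},
		"rollforward":  {2: 3},
		"late tamper":  {2: 2, 3: 5},
	}
	for name, r := range cases {
		v, err := UpdateRoot(1, r)
		fmt.Printf("%-12s trusted=%d err=%v\n", name, v, err)
	}
}
```

The "late tamper" case shows that a mismatch partway through the chain leaves the client on the last root that passed, here version 2.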

znewman01 added a commit to znewman01/go-tuf that referenced this issue Sep 21, 2022
Fixes theupdateframework#391; see that issue for justification.

Signed-off-by: Zachary Newman <z@znewman.net>
trishankatdatadog pushed a commit that referenced this issue Sep 21, 2022
Fixes #391; see that issue for justification.

Signed-off-by: Zachary Newman <z@znewman.net>
