go-tuf: Initializing client regression between v0.5.2 and v0.6.0
I am unsure exactly what caused this (and the issue may be in sigstore, but that doesn’t seem to have changed), but calling this function:
Gives this error:
initializing tuf: unable to initialize client, local cache may be corrupt: tuf: error unmarshalling key: invalid PEM value:
Whereas reverting to v0.5.2 succeeds.
About this issue
- State: closed
- Created a year ago
- Reactions: 1
- Comments: 26 (23 by maintainers)
@asraa - Thanks! 💯 I’ll make sure to open a PR later and hopefully cut a patch release in a day or so, so we fix this 👍
@asraa, thanks, that makes perfect sense. I’d rather avoid continuing to deal with hex-encoded ecdsa keys, so I’m good to bump root.json to version 5 or the latest. Though I think we should do (2) also unless we’re also entirely removing the deprecated ecdsa format.
We hadn’t updated to 0.6.0 yet because I wasn’t sure where the KDF params change would break things.
https://github.com/sigstore/sigstore/pull/1312 will also fix this for Sigstore.
For set_ecdsa, I think we need to store a mapping for both data.KeyTypeECDSA_SHA2_P256_OLD_FMT and data.KeyTypeECDSA_SHA2_P256 in case a client is verifying using both the old non-compliant format and a newly generated root.
The first is correct!
The second does not need to be changed - this is the intended old ECDSA verifier (spec compliant). The deprecated package imported the old go-tuf not-spec-compliant ecdsa verifier.
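The comment above is about keeping a verifier registered for both key type strings so that one client can read a root.json with hex-encoded ECDSA keys (the old non-compliant format) as well as one with PEM-encoded keys. The following is an added, standalone Go illustration of that idea, not code from go-tuf or sigstore: it uses only the standard library, the constant names follow the go-tuf identifiers quoted in the thread but their string values are assumed here, and the generated key stands in for the key values a root.json would carry. It also reproduces the failure mode reported in the issue: a client that only knows the PEM form reports "invalid PEM value" when it meets a hex-encoded key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
)

// TUF keytype strings. The identifiers mirror the go-tuf constants named in
// the thread; the string values below are assumptions for this example.
const (
	KeyTypeECDSA_SHA2_P256         = "ecdsa"              // spec-compliant type, PEM-encoded public value
	KeyTypeECDSA_SHA2_P256_OLD_FMT = "ecdsa-sha2-nistp256" // old go-tuf type, hex-encoded uncompressed point
)

// ParseECDSAPublic decodes a P-256 public key, choosing the decoder by keytype.
// A client that maps both types can read metadata produced by either generation
// of the tooling; a client that maps only the new type fails on old metadata.
func ParseECDSAPublic(keyType, public string) (*ecdsa.PublicKey, error) {
	switch keyType {
	case KeyTypeECDSA_SHA2_P256:
		// New format: PEM-wrapped SubjectPublicKeyInfo.
		block, _ := pem.Decode([]byte(public))
		if block == nil {
			return nil, errors.New("invalid PEM value")
		}
		pub, err := x509.ParsePKIXPublicKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		ec, ok := pub.(*ecdsa.PublicKey)
		if !ok || ec.Curve != elliptic.P256() {
			return nil, errors.New("not a P-256 ECDSA key")
		}
		return ec, nil
	case KeyTypeECDSA_SHA2_P256_OLD_FMT:
		// Old format: hex of the uncompressed point 0x04 || X || Y.
		raw, err := hex.DecodeString(public)
		if err != nil {
			return nil, err
		}
		x, y := elliptic.Unmarshal(elliptic.P256(), raw)
		if x == nil {
			return nil, errors.New("invalid uncompressed point")
		}
		return &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, nil
	}
	return nil, fmt.Errorf("unsupported key type %q", keyType)
}

// EncodePEM produces the new-format public value for a key.
func EncodePEM(pub *ecdsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// EncodeHex produces the old-format public value for the same key.
func EncodeHex(pub *ecdsa.PublicKey) string {
	return hex.EncodeToString(elliptic.Marshal(pub.Curve, pub.X, pub.Y))
}

// Demo generates one key, encodes it both ways, and returns: the error a
// PEM-only client gets on the hex value, and whether a client mapping both
// types decodes both encodings to the same key.
func Demo() (pemOnlyErr error, bothOK bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, false, err
	}
	pemVal, err := EncodePEM(&priv.PublicKey)
	if err != nil {
		return nil, false, err
	}
	hexVal := EncodeHex(&priv.PublicKey)

	// A client with only the new type registered applies the PEM decoder to old metadata.
	_, pemOnlyErr = ParseECDSAPublic(KeyTypeECDSA_SHA2_P256, hexVal)

	a, err := ParseECDSAPublic(KeyTypeECDSA_SHA2_P256, pemVal)
	if err != nil {
		return pemOnlyErr, false, err
	}
	b, err := ParseECDSAPublic(KeyTypeECDSA_SHA2_P256_OLD_FMT, hexVal)
	if err != nil {
		return pemOnlyErr, false, err
	}
	return pemOnlyErr, a.Equal(b), nil
}

func main() {
	pemOnlyErr, bothOK, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("PEM-only client on old-format key:", pemOnlyErr)
	fmt.Println("client mapping both types reads both encodings as one key:", bothOK)
}
```

The design point is the one the comment makes: the keytype string is the dispatch key, so dropping the old type from the registry is what turns a stale or pre-GA root.json into an "unable to initialize client" error, whereas keeping both entries costs nothing and lets clients roll forward across the format change.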
Maybe we should add a Sigstore maintainer also to go-tuf to try to prevent this sort of issue going forward…
Cc @rdimitrov
@haydentherapper probably this needs to be bumped to a more recent version, and deps updated… https://github.com/sigstore/sigstore/blob/main/pkg/tuf/repository/root.json
Are you using an updated sigstore client (or have you cleared the local cache)? This is because, before GA, sigstore was using an invalid-format root that wasn’t compatible with newer versions of go-tuf.