Non-determinism in JSON export

Could TUF canonicalize even the JSON data that isn’t directly signed?

Note that python-TUF currently does not canonicalize any JSON metadata (not even the payload aka. “signed” part) on the wire, although there is a proposal to change this at least for the “signed” part to not require any JSON parsing of untrusted metadata see (https://github.com/secure-systems-lab/signing-spec/pull/2).

Canonicalization of the entire metadata is not required by the spec, because file hashes of targets.json, $delegated-targets.json (in snapshot.json) and snapshot.json (in timestamp.json) are generated and then re-generated for client verification over the same file blob (without need for JSON parsing/canonicalization).

Regardless, @erickt has made a similar request in https://github.com/theupdateframework/tuf/issues/1154 (in a similar context, i.e. interoperability testing).

I’m fine with implementing his suggestion.

State as I understand it:

• We try to be deterministic in Metadata API: e.g. JSON dictionary content is sorted on output
• We do not canonicalize the output JSON (signed content is canonicalized but that is not used as the output format)

I’m closing this as it is about the legacy code which we no longer maintain: if you see a similar issue using Metadata API, please open a new issue