Support external signatures (sigs made on system without TUF installed)
Description of issue or feature request:
Feature request: please add support for `tuf` to be able to import signatures made on another air-gapped machine that doesn't have `tuf` installed (i.e. using `gpg` installed through apt).

`tuf` has a bootstrap security problem: it's not possible to securely download and install `tuf` because not all of its dependencies are cryptographically signed. For this reason, it's not safe to install `tuf` on the same machine where my private keys live, so I'd rather perform my signatures on a distinct machine, then copy them to my `tuf` machine.
Current behavior:
Currently, all metadata creation & signing takes place on a machine requiring `tuf` to be installed.
Expected behavior:
Newly supported workflow:
- TUF produces metadata for new version
- User copies metadata off TUF computer to an air-gapped machine (where the release private keys sit in cold storage)
- User signs the metadata with their private key on the air-gapped machine
- User copies the signature from the air-gapped machine to the TUF computer
Issue Analytics
- Created 3 years ago
- Reactions: 3
- Comments: 5 (4 by maintainers)
Top GitHub Comments
UPDATE 03/22
In python-tuf v1.0.0 signature generation/verification, and public key handling are quite nicely decoupled from general metadata generation and modification via the new Metadata API. Here’s what the intended workflow would look like now:
- `Metadata.to_bytes()` with a `signer=CanonicalJSONSerializer()` argument to get the canonical byte representation of any metadata.
- `Signature` object and add it to the `Metadata.signatures` dictionary. (I suggest to take a look at `SslibSigner` for inspiration, which currently is the standard way of creating signature objects for TUF.)

Also, signing is only part of the story. In order for the signatures to be useful, e.g. for a python-tuf powered client, the corresponding public key needs to be in a TUF metadata compatible format and the signature verification routine needs to be supported. We use `Key.from_securesystemslib_key` and `Key.verify_signature` for public keys and signatures created with our standard securesystemslib signer.

For GPG we actually already have all of the tools we need for this: `securesystemslib.gpg.functions.create_signature(content, keyid=None, homedir=None)` calls the `gpg` command in a subprocess and parses the returned data to generate a TUF-like signature. We might as well parse the signature data from a file that we got from your air-gapped box without first calling gpg.

Also, this section in the tutorial shows how to pass TUF metadata to an external signing tool, and how to add an externally created signature back to TUF metadata.

The main problem why we can't do this right away, is that TUF doesn't support above gpg signatures yet, but that's something we also want to change.
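The round trip the comment describes (canonical bytes out to the air gap, a detached signature record back in, verification against the public key held in root), as an added stand-alone illustration that is not python-tuf's or securesystemslib's own code: it uses the `cryptography` package for Ed25519 and a small OLPC canonical-JSON encoder in place of `Metadata`, `Signature` and `CanonicalJSONSerializer`; the targets metadata, the keyid convention (sha256 over the canonical public-key dict) and the signature record shape are constructed for the example.

```python
import hashlib
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

def canonical(obj) -> str:
    """OLPC canonical JSON as TUF uses it: sorted keys, no whitespace, only \\ and " escaped."""
    if isinstance(obj, str):
        return '"' + obj.replace("\\", "\\\\").replace('"', '\\"') + '"'
    if isinstance(obj, int) or obj is None:  # bool is an int subclass: True -> "true", 7 -> "7"
        return "null" if obj is None else str(obj).lower()
    if isinstance(obj, list):
        return "[" + ",".join(canonical(x) for x in obj) + "]"
    if isinstance(obj, dict):
        return "{" + ",".join(canonical(k) + ":" + canonical(v) for k, v in sorted(obj.items())) + "}"
    raise TypeError(f"unsupported type {type(obj).__name__}")

def public_key_dict(pub: Ed25519PublicKey) -> dict:
    # the shape root metadata carries for a key; "ed25519" keytype/scheme as in TUF
    raw = pub.public_bytes(Encoding.Raw, PublicFormat.Raw).hex()
    return {"keytype": "ed25519", "scheme": "ed25519", "keyval": {"public": raw}}

def keyid(key: dict) -> str:
    # keyid convention assumed for this example: sha256 over the canonical public-key dict
    return hashlib.sha256(canonical(key).encode()).hexdigest()

def signed_bytes(metadata: dict) -> bytes:
    # TUF machine: canonical bytes of the "signed" portion, the only thing carried to the air gap
    return canonical(metadata["signed"]).encode()

def sign_externally(priv: Ed25519PrivateKey, data: bytes) -> dict:
    # air-gapped machine: has just the bytes and the private key; emits a TUF-style signature record
    return {"keyid": keyid(public_key_dict(priv.public_key())), "sig": priv.sign(data).hex()}

def verify(metadata: dict, key: dict) -> bool:
    # TUF machine: recompute the canonical bytes and check the signature filed under this keyid
    pub = Ed25519PublicKey.from_public_bytes(bytes.fromhex(key["keyval"]["public"]))
    try:
        sig = next(s for s in metadata["signatures"] if s["keyid"] == keyid(key))
        pub.verify(bytes.fromhex(sig["sig"]), signed_bytes(metadata))
        return True
    except (StopIteration, InvalidSignature, ValueError):  # no signature, bad signature, bad hex
        return False

def demo() -> tuple:
    priv = Ed25519PrivateKey.generate()                 # exists only on the air-gapped machine
    key = public_key_dict(priv.public_key())            # what the TUF machine trusts via root
    meta = {"signed": {"_type": "targets", "version": 2, "targets": {}}, "signatures": []}
    meta["signatures"].append(sign_externally(priv, signed_bytes(meta)))  # record copied back
    ok = verify(meta, key)
    meta["signed"]["version"] = 3                       # any edit to "signed" must break it
    return ok, verify(meta, key)                        # returns (True, False)
```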