Targets delegations are not updated when adding a new delegation key

Description of issue:

When adding a new key to a delegated role e.g.:

repository.targets('unclaimed').add_verification_key(public_new_key)

the delegating role metadata (e.g. targets.json) is not updated with the new key.

Steps to reproduce:

  1. Delegate to ‘unclaimed’ role
repository.targets.delegate('unclaimed', [public_unclaimed_key], ['*']) 
repository.mark_dirty(['unclaimed', 'targets', 'snapshot', 'timestamp'])
repository.writeall()

Delegated role’s internal metadata:

tuf.roledb.get_roleinfo('unclaimed')    
{'name': 'unclaimed',
 'keyids': ['9313d41de1204c061f09429197edbe12f71bd6dd354ebae6bd3bdbee4bffb1e1'],
 'signing_keyids': [],
 'threshold': 1,
 'version': 1,
 'expires': '2020-08-25T21:30:11Z',
 'signatures': [],
 'partial_loaded': False,
 'paths': {},
 'delegations': {'keys': {}, 'roles': []}}

targets.json:

"signed": {
  "_type": "targets",
  "delegations": {
   "keys": {
    "9313d41de1204c061f09429197edbe12f71bd6dd354ebae6bd3bdbee4bffb1e1": {
     "keyid_hash_algorithms": [
      "sha256",
      "sha512"
     ],
     "keytype": "ed25519",
     "keyval": {
      "public": "ede15f800ab11184080552a4edbfa61b0a0920243acebd536cca7d344331d21b"
     },
     "scheme": "ed25519"
    }
   },
   "roles": [
    {
     "keyids": [
      "9313d41de1204c061f09429197edbe12f71bd6dd354ebae6bd3bdbee4bffb1e1"
     ],
     "name": "unclaimed",
     "paths": [
      "*"
     ],
     "terminating": false,
     "threshold": 1
    }
   ]
  },
  "expires": "2020-08-25T21:27:11Z",
  "spec_version": "1.0.0",
  "targets": {},
  "version": 2
 }
}
  2. Rotate the ‘unclaimed’ role key
repository.targets('unclaimed').remove_verification_key(public_unclaimed_key)
repository.targets('unclaimed').add_verification_key(public_new_key) 
repository.mark_dirty(['unclaimed', 'targets', 'snapshot', 'timestamp'])
repository.writeall()

Delegated role’s metadata is updated:

tuf.roledb.get_roleinfo('unclaimed')
{'name': 'unclaimed',
 'keyids': ['10bb2defd9e01b2bbed14f1eab48c92495136675f3af2fa6dfd277a63ca45f0e'],
 'signing_keyids': [],
 'threshold': 1,
 'version': 2,
 'expires': '2020-08-25T21:30:11Z',
 'signatures': [],
 'partial_loaded': False,
 'paths': {},
 'delegations': {'keys': {}, 'roles': []},
 'previous_keyids': []}

targets.json keeps the old key:

"signed": {
  "_type": "targets",
  "delegations": {
   "keys": {
    "9313d41de1204c061f09429197edbe12f71bd6dd354ebae6bd3bdbee4bffb1e1": {
     "keyid_hash_algorithms": [
      "sha256",
      "sha512"
     ],
     "keytype": "ed25519",
     "keyval": {
      "public": "ede15f800ab11184080552a4edbfa61b0a0920243acebd536cca7d344331d21b"
     },
     "scheme": "ed25519"
    }
   },
   "roles": [
    {
     "keyids": [
      "9313d41de1204c061f09429197edbe12f71bd6dd354ebae6bd3bdbee4bffb1e1"
     ],
     "name": "unclaimed",
     "paths": [
      "*"
     ],
     "terminating": false,
     "threshold": 1
    }
   ]
  },
  "expires": "2020-08-25T21:27:11Z",
  "spec_version": "1.0.0",
  "targets": {},
  "version": 3
 }

Current behavior: The delegating role metadata is not updated when a delegation key is updated

Expected behavior: The delegating role metadata is kept up to date with the latest delegation keys
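
An added example, not code from the issue or from python-tuf: a stand-alone consistency check that compares each delegation entry in the delegating role's signed metadata with the delegated role's current key IDs, since clients trust only the keys the delegating role lists. The two dicts are trimmed from the outputs shown above; the function name find_stale_delegations and the finding fields are hypothetical.

```python
# Added example: detect delegating-role metadata that has drifted from the
# delegated role's current key set. Plain dicts only; no tuf imports.

# Key IDs as they appear in the issue (old key, then rotated-in key).
OLD_KEYID = "9313d41de1204c061f09429197edbe12f71bd6dd354ebae6bd3bdbee4bffb1e1"
NEW_KEYID = "10bb2defd9e01b2bbed14f1eab48c92495136675f3af2fa6dfd277a63ca45f0e"

# Trimmed from the targets.json shown in the issue (after the rotation).
TARGETS_SIGNED = {
    "_type": "targets",
    "delegations": {
        "keys": {OLD_KEYID: {"keytype": "ed25519", "scheme": "ed25519"}},
        "roles": [{"name": "unclaimed", "keyids": [OLD_KEYID],
                   "paths": ["*"], "terminating": False, "threshold": 1}],
    },
    "version": 3,
}

# Trimmed from the get_roleinfo('unclaimed') output after the rotation.
ROLEINFO = {"unclaimed": {"keyids": [NEW_KEYID], "threshold": 1}}


def find_stale_delegations(parent_signed, roleinfo_by_name):
    """Return one finding per delegated role whose entry in the delegating
    metadata disagrees with the role's current keyids or threshold."""
    delegations = parent_signed.get("delegations", {})
    listed_keys = set(delegations.get("keys", {}))
    findings = []
    for entry in delegations.get("roles", []):
        current = roleinfo_by_name.get(entry["name"])
        if current is None:
            continue  # role not loaded; nothing to compare against
        parent_ids, role_ids = set(entry["keyids"]), set(current["keyids"])
        finding = {
            "role": entry["name"],
            "stale_in_parent": sorted(parent_ids - role_ids),
            "missing_from_parent": sorted(role_ids - parent_ids),
            "keys_not_listed": sorted(role_ids - listed_keys),
            "threshold_mismatch": entry["threshold"] != current["threshold"],
        }
        if any(finding[k] for k in finding if k != "role"):
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_stale_delegations(TARGETS_SIGNED, ROLEINFO):
        print(f)
```
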

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 8 (8 by maintainers)

Top GitHub Comments

1 reaction
lukpueh commented, Jun 2, 2020

Oh, didn’t see that you commented before me, @joshuagl. But it seems like we came to the same conclusion. 😃

1 reaction
joshuagl commented, Jun 2, 2020

Iterating roledb shouldn’t cause major performance regressions; it’s the many calls to deepcopy when modifying roledb that cause the performance hit (see #1005). Because the proposed change here is just reading from roledb, not updating it, seems like it should be OK.

#1005 includes a sample script for measuring the performance of delegate_hashed_bins(). Perhaps we could implement the proposed change in 1. and measure performance before merging?
