Clients disagree on what to do with keyids without matching key #144

Open
jku opened this issue Aug 14, 2024 · 0 comments
jku commented Aug 14, 2024

If a role in a repository contains a keyid that does not have a matching key in the same metadata, our embedded clients currently disagree on what to do:

  • go-tuf refresh fails with:

    Error: failed to refresh trusted metadata: value error: key with ID 41898f69a6e541a5696793230a1036c76acd0b83e48405821a5c0e061b263c28 not found in snapshot keyids

  • python-tuf succeeds (I believe because this keyid is not used in signatures so not needed for threshold verification, the relevant key is never looked up).

Both decisions seem reasonable but it would be better if there was consensus. This is from #86.

jku changed the title from "Add test for keyids without matching key" to "Clients disagree on what to do with keyids without matching key" on Aug 16, 2024
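
A simplified model of the two behaviours described in the issue, as an added example that is not code from go-tuf, python-tuf or this repository. The function names, key ids and sample metadata are constructed for illustration, and HMAC-SHA256 stands in for real signature verification.

```python
import hashlib
import hmac

# Constructed sample data. HMAC-SHA256 is a stand-in for a real signature scheme.
KEYS = {"aaa1": b"secret-one"}                       # keys listed in the delegating metadata
ROLE = {"keyids": ["aaa1", "bbb2"], "threshold": 1}  # "bbb2" has no matching key
PAYLOAD = b'{"_type":"snapshot","version":1}'


def sign(secret: bytes, payload: bytes) -> str:
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


SIGNATURES = {"aaa1": sign(KEYS["aaa1"], PAYLOAD)}


def count_valid(role, keys, signatures, payload) -> int:
    """Count distinct authorized keyids whose signature verifies."""
    valid = set()
    for keyid, sig in signatures.items():
        if keyid not in role["keyids"]:
            continue  # signer is not authorized for this role
        secret = keys.get(keyid)
        if secret is None:
            continue  # authorized keyid without key material: cannot count
        if hmac.compare_digest(sign(secret, payload), sig):
            valid.add(keyid)
    return len(valid)


def verify_lazy(role, keys, signatures, payload) -> bool:
    """Tolerant policy: keys are looked up only for keyids that signed."""
    return count_valid(role, keys, signatures, payload) >= role["threshold"]


def verify_strict(role, keys, signatures, payload) -> bool:
    """Strict policy: reject the metadata if any role keyid lacks a key."""
    missing = [k for k in role["keyids"] if k not in keys]
    if missing:
        raise ValueError(f"keyid {missing[0]} has no matching key")
    return verify_lazy(role, keys, signatures, payload)
```

Under the tolerant policy the dangling keyid must never contribute to the threshold: raising the threshold to 2 makes verification fail even if a signature entry for `bbb2` is present.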