Implement notary witness #867

Closed
endophage opened this issue Jul 21, 2016 · 2 comments

@endophage

It's currently possible to update a delegation role such that the existing targets/a_role.json file becomes invalid. This happens by removing the key(s) that have signed the currently available file from the role information contained in the parent file. Once in this situation the role cannot be republished because no client will successfully be able to pull that role.

Implement notary witness such that, among other things, it can take a role that has been invalidated and re-sign it. Following is the proposed syntax and scenarios:

Usage:
    notary witness [ GUN ] < Target Name > ... [flags]

Flags:
    --role               Specifically add the targets to this role. If no targets are specified, simply re-sign the role if currently valid but short of signatures vs threshold; if invalid, bump version and expiry, then sign.
    -i, --interactive    Perform an interactive witness. If witnessing with targets this will ask the user to confirm each role they will be witnessing the target into. If performed without targets, it will ask the user to confirm the existing targets in the role they are signing.

cc @ecordell @NathanMcCauley @riyazdf @cyli

@endophage endophage added this to the Notary 0.4 milestone Jul 21, 2016
@endophage endophage self-assigned this Jul 21, 2016
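
The failure mode and the proposed re-sign step from the issue above, as an added example (not Notary's code and not part of the original post). It uses Go's standard `crypto/ed25519` in place of Notary's key types; `Delegation`, `Signed`, `ValidSigs`, `Witness` and `Scenario` are hypothetical names, the keys and payload are constructed, and "invalid" is assumed to mean that no signature from a currently listed key remains.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

type Delegation map[string]ed25519.PublicKey // keys the parent file lists for a role, by key ID
type Signed struct {                         // simplified role file (no expiry field)
	Version int
	Body    string
	Sigs    map[string][]byte // signature by key ID
}

func (s *Signed) payload() []byte { return []byte(fmt.Sprintf("%d:%s", s.Version, s.Body)) }
func key(b byte) ed25519.PrivateKey { // constructed, deterministic demo key
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
}
func pub(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }

// ValidSigs counts signatures made by keys the parent currently lists.
func ValidSigs(d Delegation, s *Signed) int {
	n := 0
	for id, sig := range s.Sigs {
		if k, ok := d[id]; ok && ed25519.Verify(k, s.payload(), sig) {
			n++
		}
	}
	return n
}

// Witness signs the role; if no trusted signature remains it bumps the version first.
func Witness(d Delegation, s *Signed, id string, priv ed25519.PrivateKey) {
	if ValidSigs(d, s) == 0 {
		s.Version, s.Sigs = s.Version+1, map[string][]byte{}
	}
	s.Sigs[id] = ed25519.Sign(priv, s.payload())
}

// Scenario returns valid-signature counts before and after the parent change, then after witnessing.
func Scenario() (before, removed, witnessed, version int) {
	oldKey, newKey := key(1), key(2)
	parent, role := Delegation{"old": pub(oldKey)}, &Signed{Version: 1, Body: "constructed targets"}
	role.Sigs = map[string][]byte{"old": ed25519.Sign(oldKey, role.payload())}
	before = ValidSigs(parent, role)
	parent = Delegation{"new": pub(newKey)} // parent update drops the key that signed the role
	removed = ValidSigs(parent, role)
	Witness(parent, role, "new", newKey)
	return before, removed, ValidSigs(parent, role), role.Version
}
func main() { fmt.Println(Scenario()) }
```

The old signature still verifies cryptographically; it stops counting only because the parent no longer lists the key that made it.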
@cyli

cyli commented Jul 21, 2016

It seems like adding targets and witnessing (that is, signing a piece of metadata to make it valid) should be separate affairs, since signing can also be used to reach the threshold of signatures.

Witnessing seems to me like saying "I've looked at this piece of metadata, and I approve". Modifying it afterward doesn't seem to fit the witness use case.

But someone can pull down a repo that does not include the invalid target file, because it doesn't have enough signatures, witness it to make it valid and hence then download the target file, and then add/remove targets at will from it and publish the full set of changes up. (The order of operations is tricky here, since we may have to download the file to be witnessed separately from the repo downloading, and then once we sign it, attempt to load it into the repo.)

@riyazdf

riyazdf commented Aug 3, 2016

closed by #875

@riyazdf riyazdf closed this as completed Aug 3, 2016