Must signed.version be incremented every time a role is re-signed? #2020
Comments
dennisvang
changed the title
|
Good point, stuff like this would make the docs much better. I believe any change to published signed metadata should lead to version bump: otherwise clients can't know when they need to download new metadata (in the case that they already have the previous version downloaded). The only modification to metadata that doesn't need this that I could imagine is adding signatures... but even that seems safe only before the metadata is made public to clients (otherwise some clients could have fewer signatures and then signing keys might get changed and who knows how that would end). |
|
Good question! The spec has recently been updated to be a bit more specific about how the client should deal with new metadata that has the same version as the trusted one (see theupdateframework/specification#209).
Parts of this are still being discussed in theupdateframework/specification#114 |
@jku Yes, that certainly makes sense. Thanks for clarifying! :-) |
In the case of targets and snapshot metadata it also makes sense to bump if only the signatures are changed, because their file hashes could be listed in other metadata (snapshot can list targets metadata file hashes, and timestamp can list snapshot metadata file hashes). |
@lukpueh Thanks for pointing that out. So, would it be correct to say that the safest rule-of-thumb is to always bump the version whenever someone signs a role? |
... and publishes it for someone to consume. I would say. |
where the consumer would be either a tuf client or another key-owner? (sorry for going on about this) |
|
Ha, excellent follow-up question. I was only thinking of a client. For threshold signing we actually must not bump the version on each signature. Otherwise we'd sign different content each time and would never reach the desired threshold. |
Still trying to figure this out... Suppose timestamp lists the hash for the snapshot file, and only the signatures for snapshot are changed (for some reason). This means the snapshot "signed" portion does not change, but the snapshot file hash does change. Thus, the "signed" portion for timestamp changes. Then wouldn't it make sense to bump the |
|
Do you release the file when you don't have a threshold of signatures? I
mean, is it considered valid when it isn't fully signed? I would think it
should not be and should not be released / trusted by clients.
…On Wed, Jun 8, 2022 at 11:22 PM Lukas Pühringer ***@***.***> wrote:
Ha, excellent follow-up question. I was only thinking of a client.
For threshold signing we actually must not bump the version on each
signature. Otherwise we'd sign different content each time and would never
reach the desired threshold.
—
Reply to this email directly, view it on GitHub
<#2020 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAGROD5IVCLF4SB6K3KDC2TVOC3EPANCNFSM5YGP6DJA>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
Changing the signature of |
@MVrachev Doesn't the client handle this automatically, because the root role is updated at the beginning of the client workflow? As I understand it (perhaps wrongly...), the spec suggests that the Side note: Not sure if it matters for the current discussion, but I'm not considering consistent snapshots in this example, so the snapshot metadata file doesn't have a version in the filename. |
|
If we consider the metadata object (basically the content of a metadata file): It is clear that the But, the other way round, shouldn't the In other words, being a naive user, I would expect that an isolated change in the For example, an isolated change in the Please correct me if I'm wrong here. :-) |
|
Your mental model seems right to me, maybe it works better with what we suggested above if we shift the causality a bit... So I wouldn't say that a change in the independent |
This is a likely but not the only reason for a change in signatures.
In case of a timestamp or snapshot key rotation in root metadata, we delete the trusted versions of those metadata files to allow recovery from a potential ffw attack. So in that case the version bump isn't actually required. :) |
|
@lukpueh Yes, thanks, I think that makes sense. I'm still looking for a clear guideline. Something like the following, perhaps? The |
|
Maybe we can phrase it with regards to the user? The "signed" version for a metadata object must be incremented if, any client downloader should consider it as new trusted metadata. |
That sounds better, and looking at this from the client workflow perspective does provide a better understanding of how the "version" is actually used. Although I do think this is a bit less explicit. From the repository perspective, I was thinking along these lines (see if-condition): ...
# load metadata from file
snapshot = Metadata.from_file(snapshot_path)
original_snapshot_signed = copy.deepcopy(snapshot.signed)
# make some changes to the signed metadata (or maybe not, if we're only threshold signing)
...
# bump version if necessary (see tuf.api.metadata.Signed.__eq__)
version_bumped = snapshot.signed.version > original_snapshot_signed.version
if snapshot.signed != original_snapshot_signed and not version_bumped:
snapshot.signed.version += 1
# sign and persist
... |
|
So this translates to "bump version right before sign/persist (for publication) if signed part has changed, unless the change already includes a version bump"? I think this makes sense as a rule of thumb. |
|
@lukpueh Yes, I think that translation covers it. |
lukpueh
added
repository
|
This issue should be resolved as part of #1136 either in code or in documentation. |
Description of issue or feature request:
After reading the TUF specification and studying the basic_repo.py example, one thing remains unclear to me:
It is clear that we need to increment the
signed.versionafter e.g. adding a new target, as detailed in the basic_repo.py example.However, what if we only modify
signed.expires, after a role has expired, without changing anything else? Do we also need to incrementsigned.versionin that case? That would imply e.g. the version oftimestampis incremented every time it is re-signed.In general, do we need to increment a role's
signed.versionevery time we re-sign that role, without exception?Current behavior:
It is not explicitly clear from the documentation when
signed.versionneeds to be incremented.Expected behavior:
It would be very helpful if the documentation/specification could clarify this point explicitly.
Perhaps the
basic_repo.pyexample could also show a snippet where an expired timestamp is re-signed (without any changes to the root, targets, or snapshot metadata).The text was updated successfully, but these errors were encountered: