Merge pull request #536 from jku/check-keyids-in-signing-event

repo: Ensure keyids are correct in signing event
theupdateframework · Feb 4, 2025 · e17a197 · e17a197
2 parents ffc260c + 2dceec4
commit e17a197
Show file tree

Hide file tree

Showing 32 changed files with 148 additions and 129 deletions.
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
@@ -2,6 +2,16 @@
 
 ## Unreleased
 
+## v0.16.0
+
+This release contains minor improvements to both repository and signer.
+
+* Verify keyid calculation in signing event (#536)
+* Improve error message when Yubikey authentication fails (#528)
+* Improve python project metadata (#533)
+
+Updating a repository from 0.15 does not require changes in GitHub workflow files.
+
 ## v0.15.2
 
 This point release fixes a bug introduced in 0.14.

diff --git a/repo/tuf_on_ci/_repository.py b/repo/tuf_on_ci/_repository.py
@@ -8,6 +8,8 @@
 from glob import glob
 
 from securesystemslib.exceptions import UnverifiedSignatureError
+from securesystemslib.formats import encode_canonical
+from securesystemslib.hash import digest
 from securesystemslib.signer import (
     KEY_FOR_TYPE_AND_SCHEME,
     SIGNER_FOR_URI_SCHEME,
@@ -371,6 +373,13 @@ def _validate_role(
                 if signing_days < 1 or expiry_days <= signing_days:
                     return False, "Online signing or expiry period failed sanity check"
 
+            for key in md.signed.keys.values():
+                data: bytes = encode_canonical(key.to_dict()).encode()
+                hasher = digest("sha256")
+                hasher.update(data)
+                if key.keyid != hasher.hexdigest():
+                    return False, f"Key {key.keyid} keyid does not match content hash"
+
         # TODO for root:
         # * check delegations are correct
 

diff --git a/repo/tuf_on_ci/_version.py b/repo/tuf_on_ci/_version.py
@@ -1 +1 @@
-__version__ = "0.15.2"
+__version__ = "0.16.0"
diff --git a/signer/tuf_on_ci_sign/__init__.py b/signer/tuf_on_ci_sign/__init__.py
@@ -2,6 +2,6 @@
 from tuf_on_ci_sign.import_repo import import_repo
 from tuf_on_ci_sign.sign import sign
 
-__version__ = "0.15.2"
+__version__ = "0.16.0"
 
 __all__ = ["delegate", "import_repo", "sign"]
diff --git a/signer/tuf_on_ci_sign/delegate.py b/signer/tuf_on_ci_sign/delegate.py
@@ -263,7 +263,7 @@ def _collect_online_key(user_config: User) -> Key:
             uri = f"file2:{os.getenv('TUF_ON_CI_TEST_KEY')}"
             pub_key = "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
             return SSlibKey(
-                "fa47289",
+                "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34",
                 "ed25519",
                 "ed25519",
                 {"public": pub_key},

diff --git a/tests/expected/basic/metadata/1.root.json b/tests/expected/basic/metadata/1.root.json
@@ -10,21 +10,21 @@
   "consistent_snapshot": true,
   "expires": "2022-02-03T01:02:03Z",
   "keys": {
+   "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34": {
+    "keytype": "ed25519",
+    "keyval": {
+     "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
+    },
+    "scheme": "ed25519",
+    "x-tuf-on-ci-online-uri": "file2:online-test-key"
+   },
    "ddadf0c54d24c3429a36b7ad8434414fa35b80922497d2c99067261d38746460": {
     "keytype": "ecdsa",
     "keyval": {
      "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEJ3pswWmx9Bx2VBcpqaooQFA7dQnhRafh\ntj942eg086x6EMHdfgdox9TbwGm7sU2sn/gyjyDr1ez8Ld2ORnyYJ8cAlegfTqNq\nE0eSrLrb+YpzQJxLwh6qWcSngF99Unft\n-----END PUBLIC KEY-----\n"
     },
     "scheme": "ecdsa-sha2-nistp384",
     "x-tuf-on-ci-keyowner": "@tuf-on-ci-user1"
-   },
-   "fa47289": {
-    "keytype": "ed25519",
-    "keyval": {
-     "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
-    },
-    "scheme": "ed25519",
-    "x-tuf-on-ci-online-uri": "file2:online-test-key"
    }
   },
   "roles": {
@@ -36,7 +36,7 @@
    },
    "snapshot": {
     "keyids": [
-     "fa47289"
+     "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34"
     ],
     "threshold": 1,
     "x-tuf-on-ci-expiry-period": 365,
@@ -50,7 +50,7 @@
    },
    "timestamp": {
     "keyids": [
-     "fa47289"
+     "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34"
     ],
     "threshold": 1,
     "x-tuf-on-ci-expiry-period": 2,

diff --git a/tests/expected/basic/metadata/1.snapshot.json b/tests/expected/basic/metadata/1.snapshot.json
@@ -1,7 +1,7 @@
 {
  "signatures": [
   {
-   "keyid": "fa47289",
+   "keyid": "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34",
    "sig": "XXX"
   }
  ],

diff --git a/tests/expected/basic/metadata/timestamp.json b/tests/expected/basic/metadata/timestamp.json
@@ -1,7 +1,7 @@
 {
  "signatures": [
   {
-   "keyid": "fa47289",
+   "keyid": "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34",
    "sig": "XXX"
   }
  ],

diff --git a/tests/expected/delegated/metadata/1.root.json b/tests/expected/delegated/metadata/1.root.json
@@ -10,21 +10,21 @@
   "consistent_snapshot": true,
   "expires": "2022-02-03T01:02:03Z",
   "keys": {
+   "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34": {
+    "keytype": "ed25519",
+    "keyval": {
+     "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
+    },
+    "scheme": "ed25519",
+    "x-tuf-on-ci-online-uri": "file2:online-test-key"
+   },
    "ddadf0c54d24c3429a36b7ad8434414fa35b80922497d2c99067261d38746460": {
     "keytype": "ecdsa",
     "keyval": {
      "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEJ3pswWmx9Bx2VBcpqaooQFA7dQnhRafh\ntj942eg086x6EMHdfgdox9TbwGm7sU2sn/gyjyDr1ez8Ld2ORnyYJ8cAlegfTqNq\nE0eSrLrb+YpzQJxLwh6qWcSngF99Unft\n-----END PUBLIC KEY-----\n"
     },
     "scheme": "ecdsa-sha2-nistp384",
     "x-tuf-on-ci-keyowner": "@tuf-on-ci-user1"
-   },
-   "fa47289": {
-    "keytype": "ed25519",
-    "keyval": {
-     "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
-    },
-    "scheme": "ed25519",
-    "x-tuf-on-ci-online-uri": "file2:online-test-key"
    }
   },
   "roles": {
@@ -36,7 +36,7 @@
    },
    "snapshot": {
     "keyids": [
-     "fa47289"
+     "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34"
     ],
     "threshold": 1,
     "x-tuf-on-ci-expiry-period": 365,
@@ -50,7 +50,7 @@
    },
    "timestamp": {
     "keyids": [
-     "fa47289"
+     "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34"
     ],
     "threshold": 1,
     "x-tuf-on-ci-expiry-period": 2,

diff --git a/tests/expected/delegated/metadata/2.snapshot.json b/tests/expected/delegated/metadata/2.snapshot.json
@@ -1,7 +1,7 @@
 {
  "signatures": [
   {
-   "keyid": "fa47289",
+   "keyid": "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34",
    "sig": "XXX"
   }
  ],

diff --git a/tests/expected/delegated/metadata/timestamp.json b/tests/expected/delegated/metadata/timestamp.json
@@ -1,7 +1,7 @@
 {
  "signatures": [
   {
-   "keyid": "fa47289",
+   "keyid": "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34",
    "sig": "XXX"
   }
  ],

diff --git a/tests/expected/multi-user-signing/metadata/1.root.json b/tests/expected/multi-user-signing/metadata/1.root.json
@@ -18,21 +18,21 @@
     "scheme": "ecdsa-sha2-nistp384",
     "x-tuf-on-ci-keyowner": "@tuf-on-ci-user2"
    },
+   "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34": {
+    "keytype": "ed25519",
+    "keyval": {
+     "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
+    },
+    "scheme": "ed25519",
+    "x-tuf-on-ci-online-uri": "file2:online-test-key"
+   },
    "ddadf0c54d24c3429a36b7ad8434414fa35b80922497d2c99067261d38746460": {
     "keytype": "ecdsa",
     "keyval": {
      "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEJ3pswWmx9Bx2VBcpqaooQFA7dQnhRafh\ntj942eg086x6EMHdfgdox9TbwGm7sU2sn/gyjyDr1ez8Ld2ORnyYJ8cAlegfTqNq\nE0eSrLrb+YpzQJxLwh6qWcSngF99Unft\n-----END PUBLIC KEY-----\n"
     },
     "scheme": "ecdsa-sha2-nistp384",
     "x-tuf-on-ci-keyowner": "@tuf-on-ci-user1"
-   },
-   "fa47289": {
-    "keytype": "ed25519",
-    "keyval": {
-     "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
-    },
-    "scheme": "ed25519",
-    "x-tuf-on-ci-online-uri": "file2:online-test-key"
    }
   },
   "roles": {
@@ -44,7 +44,7 @@
    },
    "snapshot": {
     "keyids": [
-     "fa47289"
+     "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34"
     ],
     "threshold": 1,
     "x-tuf-on-ci-expiry-period": 365,
@@ -59,7 +59,7 @@
    },
    "timestamp": {
     "keyids": [
-     "fa47289"
+     "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34"
     ],
     "threshold": 1,
     "x-tuf-on-ci-expiry-period": 2,

diff --git a/tests/expected/multi-user-signing/metadata/1.snapshot.json b/tests/expected/multi-user-signing/metadata/1.snapshot.json
@@ -1,7 +1,7 @@
 {
  "signatures": [
   {
-   "keyid": "fa47289",
+   "keyid": "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34",
    "sig": "XXX"
   }
  ],

diff --git a/tests/expected/multi-user-signing/metadata/2.root.json b/tests/expected/multi-user-signing/metadata/2.root.json
@@ -18,21 +18,21 @@
     "scheme": "ecdsa-sha2-nistp384",
     "x-tuf-on-ci-keyowner": "@tuf-on-ci-user2"
    },
+   "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34": {
+    "keytype": "ed25519",
+    "keyval": {
+     "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
+    },
+    "scheme": "ed25519",
+    "x-tuf-on-ci-online-uri": "file2:online-test-key"
+   },
    "ddadf0c54d24c3429a36b7ad8434414fa35b80922497d2c99067261d38746460": {
     "keytype": "ecdsa",
     "keyval": {
      "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEJ3pswWmx9Bx2VBcpqaooQFA7dQnhRafh\ntj942eg086x6EMHdfgdox9TbwGm7sU2sn/gyjyDr1ez8Ld2ORnyYJ8cAlegfTqNq\nE0eSrLrb+YpzQJxLwh6qWcSngF99Unft\n-----END PUBLIC KEY-----\n"
     },
     "scheme": "ecdsa-sha2-nistp384",
     "x-tuf-on-ci-keyowner": "@tuf-on-ci-user1"
-   },
-   "fa47289": {
-    "keytype": "ed25519",
-    "keyval": {
-     "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
-    },
-    "scheme": "ed25519",
-    "x-tuf-on-ci-online-uri": "file2:online-test-key"
    }
   },
   "roles": {
@@ -44,7 +44,7 @@
    },
    "snapshot": {
     "keyids": [
-     "fa47289"
+     "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34"
     ],
     "threshold": 1,
     "x-tuf-on-ci-expiry-period": 365,
@@ -59,7 +59,7 @@
    },
    "timestamp": {
     "keyids": [
-     "fa47289"
+     "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34"
     ],
     "threshold": 1,
     "x-tuf-on-ci-expiry-period": 5,

diff --git a/tests/expected/multi-user-signing/metadata/timestamp.json b/tests/expected/multi-user-signing/metadata/timestamp.json
@@ -1,7 +1,7 @@
 {
  "signatures": [
   {
-   "keyid": "fa47289",
+   "keyid": "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34",
    "sig": "XXX"
   }
  ],

diff --git a/tests/expected/online-version-bump/metadata/1.root.json b/tests/expected/online-version-bump/metadata/1.root.json
@@ -10,21 +10,21 @@
   "consistent_snapshot": true,
   "expires": "2022-02-03T01:02:03Z",
   "keys": {
+   "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34": {
+    "keytype": "ed25519",
+    "keyval": {
+     "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
+    },
+    "scheme": "ed25519",
+    "x-tuf-on-ci-online-uri": "file2:online-test-key"
+   },
    "ddadf0c54d24c3429a36b7ad8434414fa35b80922497d2c99067261d38746460": {
     "keytype": "ecdsa",
     "keyval": {
      "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEJ3pswWmx9Bx2VBcpqaooQFA7dQnhRafh\ntj942eg086x6EMHdfgdox9TbwGm7sU2sn/gyjyDr1ez8Ld2ORnyYJ8cAlegfTqNq\nE0eSrLrb+YpzQJxLwh6qWcSngF99Unft\n-----END PUBLIC KEY-----\n"
     },
     "scheme": "ecdsa-sha2-nistp384",
     "x-tuf-on-ci-keyowner": "@tuf-on-ci-user1"
-   },
-   "fa47289": {
-    "keytype": "ed25519",
-    "keyval": {
-     "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
-    },
-    "scheme": "ed25519",
-    "x-tuf-on-ci-online-uri": "file2:online-test-key"
    }
   },
   "roles": {
@@ -36,7 +36,7 @@
    },
    "snapshot": {
     "keyids": [
-     "fa47289"
+     "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34"
     ],
     "threshold": 1,
     "x-tuf-on-ci-expiry-period": 10,
@@ -50,7 +50,7 @@
    },
    "timestamp": {
     "keyids": [
-     "fa47289"
+     "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34"
     ],
     "threshold": 1,
     "x-tuf-on-ci-expiry-period": 2,

diff --git a/tests/expected/online-version-bump/metadata/2.snapshot.json b/tests/expected/online-version-bump/metadata/2.snapshot.json
@@ -1,7 +1,7 @@
 {
  "signatures": [
   {
-   "keyid": "fa47289",
+   "keyid": "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34",
    "sig": "XXX"
   }
  ],

diff --git a/tests/expected/online-version-bump/metadata/timestamp.json b/tests/expected/online-version-bump/metadata/timestamp.json
@@ -1,7 +1,7 @@
 {
  "signatures": [
   {
-   "keyid": "fa47289",
+   "keyid": "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34",
    "sig": "XXX"
   }
  ],