From 4a671007a27dde6da9ffa604362d1b1a1156fb32 Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen
Date: Mon, 3 Feb 2025 18:05:59 +0200
Subject: [PATCH 1/4] repo: Ensure keyids are correct in signing event

The signing tool already does this but makes sense to verify in signing-event (since metadata can be modified outside the signing tools).
---
 repo/tuf_on_ci/_repository.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/repo/tuf_on_ci/_repository.py b/repo/tuf_on_ci/_repository.py
index 7e3cac4..465a44a 100644
--- a/repo/tuf_on_ci/_repository.py
+++ b/repo/tuf_on_ci/_repository.py
@@ -8,6 +8,8 @@ from glob import glob
 from securesystemslib.exceptions import UnverifiedSignatureError
+from securesystemslib.formats import encode_canonical
+from securesystemslib.hash import digest
 from securesystemslib.signer import (
 KEY_FOR_TYPE_AND_SCHEME,
 SIGNER_FOR_URI_SCHEME,
@@ -371,6 +373,13 @@ def _validate_role(
 if signing_days < 1 or expiry_days <= signing_days:
 return False, "Online signing or expiry period failed sanity check"
+ for key in md.signed.keys.values():
+ data: bytes = encode_canonical(key.to_dict()).encode()
+ hasher = digest("sha256")
+ hasher.update(data)
+ if key.keyid != hasher.hexdigest():
+ return False, f"Key {key.keyid} keyid does not match content hash"
+
 # TODO for root:
 # * check delegations are correct

From 32524b43fdcdc8539888ebf3e98ad7df49c0048c Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen
Date: Mon, 3 Feb 2025 18:26:57 +0200
Subject: [PATCH 2/4] Fix the test key keyid

There is a private embedded in the code for e2e tests to use. This key has an "incorrect" keyid (hash does not match)
---
 signer/tuf_on_ci_sign/delegate.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/signer/tuf_on_ci_sign/delegate.py b/signer/tuf_on_ci_sign/delegate.py
index 7e290e4..74aa140 100755
--- a/signer/tuf_on_ci_sign/delegate.py
+++ b/signer/tuf_on_ci_sign/delegate.py
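Review bot: The added `for key in md.signed.keys.values():` loop reads `md.signed.keys`, which only exists on the root-style Signed object; whether this line is reached for snapshot, timestamp or targets depends on the enclosing block, which starts outside the hunk, and if it is, the loop fails with AttributeError rather than returning `(False, reason)` like the checks above it, so a root-only guard around the loop is worth confirming. Keys held in the targets delegations are not covered by this check, which the `# TODO for root` comment below does not mention either. The keyid being verified also depends on exactly what `key.to_dict()` serializes: if it includes the `x-tuf-on-ci-*` fields, the hash binds the owner / online-uri annotations as well, so this must match the signer's own keyid computation byte for byte or valid metadata will be rejected, and a comment such as `# keyid must be sha256 of the canonical JSON of the key dict, as the signer computes it` would make that contract explicit. Since both repo and signer need the same canonical-JSON SHA-256 step, a shared helper would keep the two from drifting.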
@@ -263,7 +263,7 @@ def _collect_online_key(user_config: User) -> Key:
 uri = f"file2:{os.getenv('TUF_ON_CI_TEST_KEY')}"
 pub_key = "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
 return SSlibKey(
- "fa47289",
+ "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34",
 "ed25519",
 "ed25519",
 {"public": pub_key},

From f8f9b5adaf166b7a139beb4c1f27d76659a40f19 Mon Sep 17 00:00:00 2001
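Review bot: The new keyid on the `+` line is a second hard-coded value that must stay consistent with `pub_key` and with the canonical-JSON SHA-256 that the signing-event check in `_validate_role` computes, so any later edit to this test key's dict (including extra fields) silently reintroduces the mismatch this commit fixes. Deriving the keyid from the key dict at construction time with that same hashing step would remove the duplication; at minimum a comment on the line, `# keyid is sha256 of the canonical key dict; keep in sync with pub_key`, records why the literal is what it is. `_collect_online_key` starts and ends outside the hunk.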
From: Jussi Kukkonen Date: Mon, 3 Feb 2025 18:36:46 +0200 Subject: [PATCH 3/4] tests: Update expected results The test key keyid changed: this means all expected results also change. The only real change is the keyid, but this means the ordering of keys changes so it looks like a larger change. --- tests/expected/basic/metadata/1.root.json | 20 +++++++++---------- tests/expected/basic/metadata/1.snapshot.json | 2 +- tests/expected/basic/metadata/timestamp.json | 2 +- tests/expected/delegated/metadata/1.root.json | 20 +++++++++---------- .../delegated/metadata/2.snapshot.json | 2 +- .../delegated/metadata/timestamp.json | 2 +- .../multi-user-signing/metadata/1.root.json | 20 +++++++++---------- .../metadata/1.snapshot.json | 2 +- .../multi-user-signing/metadata/2.root.json | 20 +++++++++---------- .../metadata/timestamp.json | 2 +- .../online-version-bump/metadata/1.root.json | 20 +++++++++---------- .../metadata/2.snapshot.json | 2 +- .../metadata/timestamp.json | 2 +- .../root-key-rotation/metadata/1.root.json | 20 +++++++++---------- .../metadata/1.snapshot.json | 2 +- .../root-key-rotation/metadata/2.root.json | 20 +++++++++---------- .../root-key-rotation/metadata/timestamp.json | 2 +- .../metadata/1.root.json | 20 +++++++++---------- .../metadata/2.root.json | 20 +++++++++---------- .../metadata/3.snapshot.json | 2 +- .../metadata/timestamp.json | 2 +- .../target-file-changes/metadata/1.root.json | 20 +++++++++---------- .../metadata/2.snapshot.json | 2 +- .../metadata/timestamp.json | 2 +- .../metadata/1.root.json | 20 +++++++++---------- .../metadata/2.snapshot.json | 2 +- .../metadata/timestamp.json | 2 +- 27 files changed, 126 insertions(+), 126 deletions(-) diff --git a/tests/expected/basic/metadata/1.root.json b/tests/expected/basic/metadata/1.root.json index 179feb1..5963fc2 100644 --- a/tests/expected/basic/metadata/1.root.json +++ b/tests/expected/basic/metadata/1.root.json 
@@ -10,6 +10,14 @@ "consistent_snapshot": true, "expires": "2022-02-03T01:02:03Z", "keys": { + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34": { + "keytype": "ed25519", + "keyval": { + "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3" + }, + "scheme": "ed25519", + "x-tuf-on-ci-online-uri": "file2:online-test-key" + }, "ddadf0c54d24c3429a36b7ad8434414fa35b80922497d2c99067261d38746460": { "keytype": "ecdsa", "keyval": { @@ -17,14 +25,6 @@ }, "scheme": "ecdsa-sha2-nistp384", "x-tuf-on-ci-keyowner": "@tuf-on-ci-user1" - }, - "fa47289": { - "keytype": "ed25519", - "keyval": { - "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3" - }, - "scheme": "ed25519", - "x-tuf-on-ci-online-uri": "file2:online-test-key" } }, "roles": { @@ -36,7 +36,7 @@ }, "snapshot": { "keyids": [ - "fa47289" + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34" ], "threshold": 1, "x-tuf-on-ci-expiry-period": 365, @@ -50,7 +50,7 @@ }, "timestamp": { "keyids": [ - "fa47289" + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34" ], "threshold": 1, "x-tuf-on-ci-expiry-period": 2, diff --git a/tests/expected/basic/metadata/1.snapshot.json b/tests/expected/basic/metadata/1.snapshot.json index b7d74d0..bd159cf 100644 --- a/tests/expected/basic/metadata/1.snapshot.json +++ b/tests/expected/basic/metadata/1.snapshot.json @@ -1,7 +1,7 @@ { "signatures": [ { - "keyid": "fa47289", + "keyid": "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34", "sig": "XXX" } ], diff --git a/tests/expected/basic/metadata/timestamp.json b/tests/expected/basic/metadata/timestamp.json index fe7c49a..10a991b 100644 --- a/tests/expected/basic/metadata/timestamp.json +++ b/tests/expected/basic/metadata/timestamp.json @@ -1,7 +1,7 @@ { "signatures": [ { - "keyid": "fa47289", + "keyid": "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34", "sig": "XXX" } ], 
diff --git a/tests/expected/delegated/metadata/1.root.json b/tests/expected/delegated/metadata/1.root.json index 179feb1..5963fc2 100644 --- a/tests/expected/delegated/metadata/1.root.json +++ b/tests/expected/delegated/metadata/1.root.json @@ -10,6 +10,14 @@ "consistent_snapshot": true, "expires": "2022-02-03T01:02:03Z", "keys": { + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34": { + "keytype": "ed25519", + "keyval": { + "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3" + }, + "scheme": "ed25519", + "x-tuf-on-ci-online-uri": "file2:online-test-key" + }, "ddadf0c54d24c3429a36b7ad8434414fa35b80922497d2c99067261d38746460": { "keytype": "ecdsa", "keyval": { @@ -17,14 +25,6 @@ }, "scheme": "ecdsa-sha2-nistp384", "x-tuf-on-ci-keyowner": "@tuf-on-ci-user1" - }, - "fa47289": { - "keytype": "ed25519", - "keyval": { - "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3" - }, - "scheme": "ed25519", - "x-tuf-on-ci-online-uri": "file2:online-test-key" } }, "roles": { @@ -36,7 +36,7 @@ }, "snapshot": { "keyids": [ - "fa47289" + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34" ], "threshold": 1, "x-tuf-on-ci-expiry-period": 365, @@ -50,7 +50,7 @@ }, "timestamp": { "keyids": [ - "fa47289" + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34" ], "threshold": 1, "x-tuf-on-ci-expiry-period": 2, diff --git a/tests/expected/delegated/metadata/2.snapshot.json b/tests/expected/delegated/metadata/2.snapshot.json index 00a83e2..70e1ecd 100644 --- a/tests/expected/delegated/metadata/2.snapshot.json +++ b/tests/expected/delegated/metadata/2.snapshot.json @@ -1,7 +1,7 @@ { "signatures": [ { - "keyid": "fa47289", + "keyid": "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34", "sig": "XXX" } ], diff --git a/tests/expected/delegated/metadata/timestamp.json b/tests/expected/delegated/metadata/timestamp.json index 7ba9b2f..08d95e6 100644 
--- a/tests/expected/delegated/metadata/timestamp.json +++ b/tests/expected/delegated/metadata/timestamp.json @@ -1,7 +1,7 @@ { "signatures": [ { - "keyid": "fa47289", + "keyid": "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34", "sig": "XXX" } ], diff --git a/tests/expected/multi-user-signing/metadata/1.root.json b/tests/expected/multi-user-signing/metadata/1.root.json index 237c8d6..46d93e7 100644 --- a/tests/expected/multi-user-signing/metadata/1.root.json +++ b/tests/expected/multi-user-signing/metadata/1.root.json @@ -18,6 +18,14 @@ "scheme": "ecdsa-sha2-nistp384", "x-tuf-on-ci-keyowner": "@tuf-on-ci-user2" }, + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34": { + "keytype": "ed25519", + "keyval": { + "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3" + }, + "scheme": "ed25519", + "x-tuf-on-ci-online-uri": "file2:online-test-key" + }, "ddadf0c54d24c3429a36b7ad8434414fa35b80922497d2c99067261d38746460": { "keytype": "ecdsa", "keyval": { @@ -25,14 +33,6 @@ }, "scheme": "ecdsa-sha2-nistp384", "x-tuf-on-ci-keyowner": "@tuf-on-ci-user1" - }, - "fa47289": { - "keytype": "ed25519", - "keyval": { - "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3" - }, - "scheme": "ed25519", - "x-tuf-on-ci-online-uri": "file2:online-test-key" } }, "roles": { @@ -44,7 +44,7 @@ }, "snapshot": { "keyids": [ - "fa47289" + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34" ], "threshold": 1, "x-tuf-on-ci-expiry-period": 365, @@ -59,7 +59,7 @@ }, "timestamp": { "keyids": [ - "fa47289" + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34" ], "threshold": 1, "x-tuf-on-ci-expiry-period": 2, diff --git a/tests/expected/multi-user-signing/metadata/1.snapshot.json b/tests/expected/multi-user-signing/metadata/1.snapshot.json index b7d74d0..bd159cf 100644 --- a/tests/expected/multi-user-signing/metadata/1.snapshot.json 
+++ b/tests/expected/multi-user-signing/metadata/1.snapshot.json @@ -1,7 +1,7 @@ { "signatures": [ { - "keyid": "fa47289", + "keyid": "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34", "sig": "XXX" } ], diff --git a/tests/expected/multi-user-signing/metadata/2.root.json b/tests/expected/multi-user-signing/metadata/2.root.json index 47f4dbd..3280a09 100644 --- a/tests/expected/multi-user-signing/metadata/2.root.json +++ b/tests/expected/multi-user-signing/metadata/2.root.json @@ -18,6 +18,14 @@ "scheme": "ecdsa-sha2-nistp384", "x-tuf-on-ci-keyowner": "@tuf-on-ci-user2" }, + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34": { + "keytype": "ed25519", + "keyval": { + "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3" + }, + "scheme": "ed25519", + "x-tuf-on-ci-online-uri": "file2:online-test-key" + }, "ddadf0c54d24c3429a36b7ad8434414fa35b80922497d2c99067261d38746460": { "keytype": "ecdsa", "keyval": { @@ -25,14 +33,6 @@ }, "scheme": "ecdsa-sha2-nistp384", "x-tuf-on-ci-keyowner": "@tuf-on-ci-user1" - }, - "fa47289": { - "keytype": "ed25519", - "keyval": { - "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3" - }, - "scheme": "ed25519", - "x-tuf-on-ci-online-uri": "file2:online-test-key" } }, "roles": { @@ -44,7 +44,7 @@ }, "snapshot": { "keyids": [ - "fa47289" + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34" ], "threshold": 1, "x-tuf-on-ci-expiry-period": 365, @@ -59,7 +59,7 @@ }, "timestamp": { "keyids": [ - "fa47289" + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34" ], "threshold": 1, "x-tuf-on-ci-expiry-period": 5, diff --git a/tests/expected/multi-user-signing/metadata/timestamp.json b/tests/expected/multi-user-signing/metadata/timestamp.json index fe7c49a..10a991b 100644 --- a/tests/expected/multi-user-signing/metadata/timestamp.json +++ b/tests/expected/multi-user-signing/metadata/timestamp.json 
@@ -1,7 +1,7 @@ { "signatures": [ { - "keyid": "fa47289", + "keyid": "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34", "sig": "XXX" } ], diff --git a/tests/expected/online-version-bump/metadata/1.root.json b/tests/expected/online-version-bump/metadata/1.root.json index 65db06a..de34710 100644 --- a/tests/expected/online-version-bump/metadata/1.root.json +++ b/tests/expected/online-version-bump/metadata/1.root.json @@ -10,6 +10,14 @@ "consistent_snapshot": true, "expires": "2022-02-03T01:02:03Z", "keys": { + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34": { + "keytype": "ed25519", + "keyval": { + "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3" + }, + "scheme": "ed25519", + "x-tuf-on-ci-online-uri": "file2:online-test-key" + }, "ddadf0c54d24c3429a36b7ad8434414fa35b80922497d2c99067261d38746460": { "keytype": "ecdsa", "keyval": { @@ -17,14 +25,6 @@ }, "scheme": "ecdsa-sha2-nistp384", "x-tuf-on-ci-keyowner": "@tuf-on-ci-user1" - }, - "fa47289": { - "keytype": "ed25519", - "keyval": { - "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3" - }, - "scheme": "ed25519", - "x-tuf-on-ci-online-uri": "file2:online-test-key" } }, "roles": { @@ -36,7 +36,7 @@ }, "snapshot": { "keyids": [ - "fa47289" + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34" ], "threshold": 1, "x-tuf-on-ci-expiry-period": 10, @@ -50,7 +50,7 @@ }, "timestamp": { "keyids": [ - "fa47289" + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34" ], "threshold": 1, "x-tuf-on-ci-expiry-period": 2, diff --git a/tests/expected/online-version-bump/metadata/2.snapshot.json b/tests/expected/online-version-bump/metadata/2.snapshot.json index 786cdbd..d8912a0 100644 --- a/tests/expected/online-version-bump/metadata/2.snapshot.json +++ b/tests/expected/online-version-bump/metadata/2.snapshot.json 
@@ -1,7 +1,7 @@ { "signatures": [ { - "keyid": "fa47289", + "keyid": "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34", "sig": "XXX" } ], diff --git a/tests/expected/online-version-bump/metadata/timestamp.json b/tests/expected/online-version-bump/metadata/timestamp.json index 9d02263..d95d143 100644 --- a/tests/expected/online-version-bump/metadata/timestamp.json +++ b/tests/expected/online-version-bump/metadata/timestamp.json @@ -1,7 +1,7 @@ { "signatures": [ { - "keyid": "fa47289", + "keyid": "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34", "sig": "XXX" } ], diff --git a/tests/expected/root-key-rotation/metadata/1.root.json b/tests/expected/root-key-rotation/metadata/1.root.json index 179feb1..5963fc2 100644 --- a/tests/expected/root-key-rotation/metadata/1.root.json +++ b/tests/expected/root-key-rotation/metadata/1.root.json @@ -10,6 +10,14 @@ "consistent_snapshot": true, "expires": "2022-02-03T01:02:03Z", "keys": { + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34": { + "keytype": "ed25519", + "keyval": { + "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3" + }, + "scheme": "ed25519", + "x-tuf-on-ci-online-uri": "file2:online-test-key" + }, "ddadf0c54d24c3429a36b7ad8434414fa35b80922497d2c99067261d38746460": { "keytype": "ecdsa", "keyval": { @@ -17,14 +25,6 @@ }, "scheme": "ecdsa-sha2-nistp384", "x-tuf-on-ci-keyowner": "@tuf-on-ci-user1" - }, - "fa47289": { - "keytype": "ed25519", - "keyval": { - "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3" - }, - "scheme": "ed25519", - "x-tuf-on-ci-online-uri": "file2:online-test-key" } }, "roles": { @@ -36,7 +36,7 @@ }, "snapshot": { "keyids": [ - "fa47289" + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34" ], "threshold": 1, "x-tuf-on-ci-expiry-period": 365, 
@@ -50,7 +50,7 @@ }, "timestamp": { "keyids": [ - "fa47289" + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34" ], "threshold": 1, "x-tuf-on-ci-expiry-period": 2, diff --git a/tests/expected/root-key-rotation/metadata/1.snapshot.json b/tests/expected/root-key-rotation/metadata/1.snapshot.json index b7d74d0..bd159cf 100644 --- a/tests/expected/root-key-rotation/metadata/1.snapshot.json +++ b/tests/expected/root-key-rotation/metadata/1.snapshot.json @@ -1,7 +1,7 @@ { "signatures": [ { - "keyid": "fa47289", + "keyid": "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34", "sig": "XXX" } ], diff --git a/tests/expected/root-key-rotation/metadata/2.root.json b/tests/expected/root-key-rotation/metadata/2.root.json index 2ca1c6f..fe9c29e 100644 --- a/tests/expected/root-key-rotation/metadata/2.root.json +++ b/tests/expected/root-key-rotation/metadata/2.root.json @@ -22,6 +22,14 @@ "scheme": "ecdsa-sha2-nistp384", "x-tuf-on-ci-keyowner": "@tuf-on-ci-user2" }, + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34": { + "keytype": "ed25519", + "keyval": { + "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3" + }, + "scheme": "ed25519", + "x-tuf-on-ci-online-uri": "file2:online-test-key" + }, "ddadf0c54d24c3429a36b7ad8434414fa35b80922497d2c99067261d38746460": { "keytype": "ecdsa", "keyval": { @@ -29,14 +37,6 @@ }, "scheme": "ecdsa-sha2-nistp384", "x-tuf-on-ci-keyowner": "@tuf-on-ci-user1" - }, - "fa47289": { - "keytype": "ed25519", - "keyval": { - "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3" - }, - "scheme": "ed25519", - "x-tuf-on-ci-online-uri": "file2:online-test-key" } }, "roles": { @@ -48,7 +48,7 @@ }, "snapshot": { "keyids": [ - "fa47289" + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34" ], "threshold": 1, "x-tuf-on-ci-expiry-period": 365, 
@@ -62,7 +62,7 @@ }, "timestamp": { "keyids": [ - "fa47289" + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34" ], "threshold": 1, "x-tuf-on-ci-expiry-period": 2, diff --git a/tests/expected/root-key-rotation/metadata/timestamp.json b/tests/expected/root-key-rotation/metadata/timestamp.json index fe7c49a..10a991b 100644 --- a/tests/expected/root-key-rotation/metadata/timestamp.json +++ b/tests/expected/root-key-rotation/metadata/timestamp.json @@ -1,7 +1,7 @@ { "signatures": [ { - "keyid": "fa47289", + "keyid": "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34", "sig": "XXX" } ], diff --git a/tests/expected/signing-event-creation/metadata/1.root.json b/tests/expected/signing-event-creation/metadata/1.root.json index 3bf7ec5..621a2d0 100644 --- a/tests/expected/signing-event-creation/metadata/1.root.json +++ b/tests/expected/signing-event-creation/metadata/1.root.json @@ -10,6 +10,14 @@ "consistent_snapshot": true, "expires": "2021-02-10T01:02:03Z", "keys": { + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34": { + "keytype": "ed25519", + "keyval": { + "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3" + }, + "scheme": "ed25519", + "x-tuf-on-ci-online-uri": "file2:online-test-key" + }, "ddadf0c54d24c3429a36b7ad8434414fa35b80922497d2c99067261d38746460": { "keytype": "ecdsa", "keyval": { @@ -17,14 +25,6 @@ }, "scheme": "ecdsa-sha2-nistp384", "x-tuf-on-ci-keyowner": "@tuf-on-ci-user1" - }, - "fa47289": { - "keytype": "ed25519", - "keyval": { - "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3" - }, - "scheme": "ed25519", - "x-tuf-on-ci-online-uri": "file2:online-test-key" } }, "roles": { @@ -36,7 +36,7 @@ }, "snapshot": { "keyids": [ - "fa47289" + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34" ], "threshold": 1, "x-tuf-on-ci-expiry-period": 7, 
@@ -50,7 +50,7 @@ }, "timestamp": { "keyids": [ - "fa47289" + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34" ], "threshold": 1, "x-tuf-on-ci-expiry-period": 2, diff --git a/tests/expected/signing-event-creation/metadata/2.root.json b/tests/expected/signing-event-creation/metadata/2.root.json index f42aeef..25d122a 100644 --- a/tests/expected/signing-event-creation/metadata/2.root.json +++ b/tests/expected/signing-event-creation/metadata/2.root.json @@ -10,6 +10,14 @@ "consistent_snapshot": true, "expires": "2021-02-12T01:02:03Z", "keys": { + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34": { + "keytype": "ed25519", + "keyval": { + "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3" + }, + "scheme": "ed25519", + "x-tuf-on-ci-online-uri": "file2:online-test-key" + }, "ddadf0c54d24c3429a36b7ad8434414fa35b80922497d2c99067261d38746460": { "keytype": "ecdsa", "keyval": { @@ -17,14 +25,6 @@ }, "scheme": "ecdsa-sha2-nistp384", "x-tuf-on-ci-keyowner": "@tuf-on-ci-user1" - }, - "fa47289": { - "keytype": "ed25519", - "keyval": { - "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3" - }, - "scheme": "ed25519", - "x-tuf-on-ci-online-uri": "file2:online-test-key" } }, "roles": { @@ -36,7 +36,7 @@ }, "snapshot": { "keyids": [ - "fa47289" + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34" ], "threshold": 1, "x-tuf-on-ci-expiry-period": 7, @@ -50,7 +50,7 @@ }, "timestamp": { "keyids": [ - "fa47289" + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34" ], "threshold": 1, "x-tuf-on-ci-expiry-period": 2, diff --git a/tests/expected/signing-event-creation/metadata/3.snapshot.json b/tests/expected/signing-event-creation/metadata/3.snapshot.json index fd56e11..cd66ebc 100644 --- a/tests/expected/signing-event-creation/metadata/3.snapshot.json +++ b/tests/expected/signing-event-creation/metadata/3.snapshot.json 
@@ -1,7 +1,7 @@ { "signatures": [ { - "keyid": "fa47289", + "keyid": "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34", "sig": "XXX" } ], diff --git a/tests/expected/signing-event-creation/metadata/timestamp.json b/tests/expected/signing-event-creation/metadata/timestamp.json index 1dbca0b..2b049ac 100644 --- a/tests/expected/signing-event-creation/metadata/timestamp.json +++ b/tests/expected/signing-event-creation/metadata/timestamp.json @@ -1,7 +1,7 @@ { "signatures": [ { - "keyid": "fa47289", + "keyid": "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34", "sig": "XXX" } ], diff --git a/tests/expected/target-file-changes/metadata/1.root.json b/tests/expected/target-file-changes/metadata/1.root.json index 237c8d6..46d93e7 100644 --- a/tests/expected/target-file-changes/metadata/1.root.json +++ b/tests/expected/target-file-changes/metadata/1.root.json @@ -18,6 +18,14 @@ "scheme": "ecdsa-sha2-nistp384", "x-tuf-on-ci-keyowner": "@tuf-on-ci-user2" }, + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34": { + "keytype": "ed25519", + "keyval": { + "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3" + }, + "scheme": "ed25519", + "x-tuf-on-ci-online-uri": "file2:online-test-key" + }, "ddadf0c54d24c3429a36b7ad8434414fa35b80922497d2c99067261d38746460": { "keytype": "ecdsa", "keyval": { @@ -25,14 +33,6 @@ }, "scheme": "ecdsa-sha2-nistp384", "x-tuf-on-ci-keyowner": "@tuf-on-ci-user1" - }, - "fa47289": { - "keytype": "ed25519", - "keyval": { - "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3" - }, - "scheme": "ed25519", - "x-tuf-on-ci-online-uri": "file2:online-test-key" } }, "roles": { @@ -44,7 +44,7 @@ }, "snapshot": { "keyids": [ - "fa47289" + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34" ], "threshold": 1, "x-tuf-on-ci-expiry-period": 365, 
@@ -59,7 +59,7 @@ }, "timestamp": { "keyids": [ - "fa47289" + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34" ], "threshold": 1, "x-tuf-on-ci-expiry-period": 2, diff --git a/tests/expected/target-file-changes/metadata/2.snapshot.json b/tests/expected/target-file-changes/metadata/2.snapshot.json index 1154239..b74954d 100644 --- a/tests/expected/target-file-changes/metadata/2.snapshot.json +++ b/tests/expected/target-file-changes/metadata/2.snapshot.json @@ -1,7 +1,7 @@ { "signatures": [ { - "keyid": "fa47289", + "keyid": "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34", "sig": "XXX" } ], diff --git a/tests/expected/target-file-changes/metadata/timestamp.json b/tests/expected/target-file-changes/metadata/timestamp.json index 7ba9b2f..08d95e6 100644 --- a/tests/expected/target-file-changes/metadata/timestamp.json +++ b/tests/expected/target-file-changes/metadata/timestamp.json @@ -1,7 +1,7 @@ { "signatures": [ { - "keyid": "fa47289", + "keyid": "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34", "sig": "XXX" } ], diff --git a/tests/expected/target-files-in-delegated-roles/metadata/1.root.json b/tests/expected/target-files-in-delegated-roles/metadata/1.root.json index 179feb1..5963fc2 100644 --- a/tests/expected/target-files-in-delegated-roles/metadata/1.root.json +++ b/tests/expected/target-files-in-delegated-roles/metadata/1.root.json @@ -10,6 +10,14 @@ "consistent_snapshot": true, "expires": "2022-02-03T01:02:03Z", "keys": { + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34": { + "keytype": "ed25519", + "keyval": { + "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3" + }, + "scheme": "ed25519", + "x-tuf-on-ci-online-uri": "file2:online-test-key" + }, "ddadf0c54d24c3429a36b7ad8434414fa35b80922497d2c99067261d38746460": { "keytype": "ecdsa", "keyval": { 
@@ -17,14 +25,6 @@ }, "scheme": "ecdsa-sha2-nistp384", "x-tuf-on-ci-keyowner": "@tuf-on-ci-user1" - }, - "fa47289": { - "keytype": "ed25519", - "keyval": { - "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3" - }, - "scheme": "ed25519", - "x-tuf-on-ci-online-uri": "file2:online-test-key" } }, "roles": { @@ -36,7 +36,7 @@ }, "snapshot": { "keyids": [ - "fa47289" + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34" ], "threshold": 1, "x-tuf-on-ci-expiry-period": 365, @@ -50,7 +50,7 @@ }, "timestamp": { "keyids": [ - "fa47289" + "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34" ], "threshold": 1, "x-tuf-on-ci-expiry-period": 2, diff --git a/tests/expected/target-files-in-delegated-roles/metadata/2.snapshot.json b/tests/expected/target-files-in-delegated-roles/metadata/2.snapshot.json index 76ef868..a06348a 100644 --- a/tests/expected/target-files-in-delegated-roles/metadata/2.snapshot.json +++ b/tests/expected/target-files-in-delegated-roles/metadata/2.snapshot.json @@ -1,7 +1,7 @@ { "signatures": [ { - "keyid": "fa47289", + "keyid": "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34", "sig": "XXX" } ], diff --git a/tests/expected/target-files-in-delegated-roles/metadata/timestamp.json b/tests/expected/target-files-in-delegated-roles/metadata/timestamp.json index 7ba9b2f..08d95e6 100644 --- a/tests/expected/target-files-in-delegated-roles/metadata/timestamp.json +++ b/tests/expected/target-files-in-delegated-roles/metadata/timestamp.json @@ -1,7 +1,7 @@ { "signatures": [ { - "keyid": "fa47289", + "keyid": "cda7a53138556e7c0d1737e4ba32868f3cf287e78ab9366c820115ce11383d34", "sig": "XXX" } ], From 2dceec40ebff204d641d45e9cf1f6fa37fb6901f Mon Sep 17 00:00:00 2001 
From: Jussi Kukkonen
Date: Tue, 4 Feb 2025 10:41:17 +0200
Subject: [PATCH 4/4] Prepare release 0.16
---
 docs/CHANGELOG.md | 10 ++++++++++
 repo/tuf_on_ci/_version.py | 2 +-
 signer/tuf_on_ci_sign/__init__.py | 2 +-
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index be0aaa4..0861f9c 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -2,6 +2,16 @@ ## Unreleased
+## v0.16.0
+
+This release contains minor improvements to both repository and signer.
+
+* Verify keyid calculation in signing event (#536)
+* Improve error message when Yubikey authentication fails (#528)
+* Improve python project metadata (#533)
+
+Updating a repository from 0.15 does not require changes in GitHub workflow files.
+
 ## v0.15.2
 This point release fixes a bug introduced in 0.14.
diff --git a/repo/tuf_on_ci/_version.py b/repo/tuf_on_ci/_version.py
index c0d4999..5a313cc 100644
--- a/repo/tuf_on_ci/_version.py
+++ b/repo/tuf_on_ci/_version.py
@@ -1 +1 @@
-__version__ = "0.15.2"
+__version__ = "0.16.0"
diff --git a/signer/tuf_on_ci_sign/__init__.py b/signer/tuf_on_ci_sign/__init__.py
index d1ecd83..e2a7f63 100644
--- a/signer/tuf_on_ci_sign/__init__.py
+++ b/signer/tuf_on_ci_sign/__init__.py
@@ -2,6 +2,6 @@ from tuf_on_ci_sign.import_repo import import_repo
 from tuf_on_ci_sign.sign import sign
-__version__ = "0.15.2"
+__version__ = "0.16.0"
 __all__ = ["delegate", "import_repo", "sign"]