tuf Updater: fix snapshot version rollback case #1061

Merged
loosebazooka merged 1 commit into sigstore:main from jku:fix-snapshot-version-rollback
Sep 2, 2025
Conversation

@jku jku commented Sep 1, 2025

The snapshot version listed in timestamp must never decrease (except if timestamp keys are rotated, but in that case local timestamp is not used at all).

This was a deviation from TUF specification but not a very serious one in context: in sigstore's TUF repository the Timestamp/snapshot keys are exposed in the same environments so compromise in one means compromise for both (because of this they are in fact the same key). So tricks like snapshot version rollback are not that relevant.

The snapshot version listed in timestamp must never decrease
(except if timestamp keys are rotated, but in that case local timestamp
is not used at all).

This was a deviation from TUF specification but not a very serious one in
context: in sigstore's TUF repository the Timestamp/snapshot keys are exposed
in the same environments so compromise in one means compromise for both
(because of this they are in fact the same key). So tricks like snapshot
version rollback are not that relevant.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
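The client rule this PR restores, as an added illustration that is not the sigstore-java code (written in Python for brevity; the `Client`, `Timestamp` and `RollbackError` names are assumptions): a new timestamp whose listed snapshot version is lower than the locally trusted one is rejected, and a timestamp key rotation during root update discards the local timestamp so the comparison does not apply.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Timestamp:
    version: int           # version of the timestamp metadata itself
    snapshot_version: int  # version of snapshot that this timestamp vouches for


class RollbackError(Exception):
    """Raised when new metadata would move a trusted version backwards."""


class Client:
    """Minimal model of a TUF client's trusted-timestamp state (assumed names)."""

    def __init__(self, trusted: Optional[Timestamp] = None) -> None:
        self.trusted = trusted

    def on_root_update(self, timestamp_keys_changed: bool) -> None:
        # TUF spec: rotating the timestamp role's keys invalidates the local
        # timestamp (and snapshot), so later checks start from no trusted copy.
        if timestamp_keys_changed:
            self.trusted = None

    def update_timestamp(self, new: Timestamp) -> Timestamp:
        if self.trusted is not None:
            # Existing check: the timestamp's own version must not go backwards.
            if new.version < self.trusted.version:
                raise RollbackError(
                    f"timestamp version {new.version} < trusted {self.trusted.version}")
            # The check this PR adds: the snapshot version listed inside the
            # timestamp must not go backwards either (equal is fine).
            if new.snapshot_version < self.trusted.snapshot_version:
                raise RollbackError(
                    f"snapshot version {new.snapshot_version} < trusted "
                    f"{self.trusted.snapshot_version}")
        self.trusted = new
        return new


def is_accepted(client: Client, new: Timestamp) -> bool:
    """Convenience wrapper: True if the client accepts `new`, False on rollback."""
    try:
        client.update_timestamp(new)
        return True
    except RollbackError:
        return False
```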
jku commented Sep 1, 2025

The logs are a little light on details but my first guess is this examples.yaml failure is something unrelated?

2025-09-01T05:53:00.2039522Z Caused by: dev.sigstore.oidc.client.OidcException: Could not find an oidc provider
2025-09-01T05:53:00.2040101Z 	at dev.sigstore.oidc.client.OidcClients.getIDToken(OidcClients.java:65)
2025-09-01T05:53:00.2040656Z 	at dev.sigstore.KeylessSigner.renewSigningCertificate(KeylessSigner.java:593)
2025-09-01T05:53:00.2041187Z 	at dev.sigstore.KeylessSigner.sign(KeylessSigner.java:420)
2025-09-01T05:53:00.2041539Z 	... 27 more

jku commented Sep 1, 2025

oh, I guess the example test uses the workflow identity to sign so they just fail for all PRs from forks

@loosebazooka
oh, I guess the example test uses the workflow identity to sign so they just fail for all PRs from forks

Yeah, that's something I've been meaning to fix, but not pressing.

@loosebazooka loosebazooka left a comment

This is so simple. Dunno why we never handled it 🤷

@loosebazooka loosebazooka merged commit f05d0a4 into sigstore:main Sep 2, 2025
12 of 17 checks passed