Encountering a problem when attempting to operate TUF in high-availability mode. #683

Open
VikramPunnam opened this issue Dec 8, 2023 · 2 comments
Labels
question Further information is requested


@VikramPunnam

I've installed the scaffold helm chart version 0.6.34 on the private EKS cluster and enabled high availability (e.g., 2 replicas) for all Sigstore components.
TUF Version: v0.6.9

However, when attempting to initialize cosign locally with the TUF server endpoint, I encounter the following error. It works well with a single replica, but not with multiple replicas.

Error Log:

```
I have no name!@88ee01017644:/cosign-keys$ cosign initialize --root https://dev-tuf.xxxx.local/root.json --mirror https://dev-tuf.xxxx.local
Error: updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download snapshot.json: wrong sha512 hash, expected ca750294e29cf4be22f1107e2b242dc02f1ee67331f6307c72a3c791229e4521c1afc070d312a1fc961ad82a517ea70c86b4cbb5fd640fe66fc78f36f0f28ecb got 10e3ca2fc51ac0a7bf44488b320595cef4e7231955b6dc67ea229229acad22c7cf4f46cdec3856d4f5891e7df48550cc65dd309664faf8db052a32bf81ec78ea
remote status:{
  "mirror": "https://dev-tuf.xxxx.local",
  "metadata": {
    "root.json": {
      "version": 1,
      "len": 2178,
      "expiration": "08 Jun 24 11:52 UTC",
      "error": ""
    },
    "snapshot.json": {
      "version": 1,
      "len": 617,
      "expiration": "08 Jun 24 11:52 UTC",
      "error": ""
    },
    "targets.json": {
      "version": 1,
      "len": 716,
      "expiration": "08 Jun 24 11:51 UTC",
      "error": ""
    },
    "timestamp.json": {
      "version": 1,
      "len": 619,
      "expiration": "08 Jun 24 11:51 UTC",
      "error": ""
    }
  }
}
main.go:74: error during command execution: updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download snapshot.json: wrong sha512 hash, expected ca750294e29cf4be22f1107e2b242dc02f1ee67331f6307c72a3c791229e4521c1afc070d312a1fc961ad82a517ea70c86b4cbb5fd640fe66fc78f36f0f28ecb got 10e3ca2fc51ac0a7bf44488b320595cef4e7231955b6dc67ea229229acad22c7cf4f46cdec3856d4f5891e7df48550cc65dd309664faf8db052a32bf81ec78ea
remote status:{
  "mirror": "https://dev-tuf.xxxx.local",
  "metadata": {
    "root.json": {
      "version": 1,
      "len": 2178,
      "expiration": "08 Jun 24 11:52 UTC",
      "error": ""
    },
    "snapshot.json": {
      "version": 1,
      "len": 617,
      "expiration": "08 Jun 24 11:52 UTC",
      "error": ""
    },
    "targets.json": {
      "version": 1,
      "len": 716,
      "expiration": "08 Jun 24 11:51 UTC",
      "error": ""
    },
    "timestamp.json": {
      "version": 1,
      "len": 619,
      "expiration": "08 Jun 24 11:51 UTC",
      "error": ""
    }
  }
}
```

Please help to resolve the above issue.

@VikramPunnam VikramPunnam added the question Further information is requested label Dec 8, 2023
@VikramPunnam
Author

Hi,

Can anyone please advise on the above issue?

@vipulagarwal
Contributor

The current implementation of tuf-server in scaffolding does not support multiple replicas.

It would be great to have this feature though. When running private Sigstore, it would be easy to just fetch the TUF root from the tuf-server using `--root <url>` rather than managing an offline copy of the TUF root. A highly available tuf-server will definitely help in such an implementation.

Please correct me if this is the wrong/insecure approach.
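
The `wrong sha512 hash` error in this issue is the TUF client check that the downloaded snapshot.json matches the hash pinned in timestamp.json. The sketch below is an added example, not code from scaffolding or cosign: it assumes each replica builds its own metadata independently (the thread does not confirm the cause), uses constructed unsigned metadata, and its function names are hypothetical. It shows that the check passes when both files come from one replica and fails when a load balancer mixes them.

```python
import hashlib
import json
from itertools import product


def make_replica(tag):
    """Constructed stand-in for one replica's metadata (signatures omitted)."""
    snapshot = json.dumps(
        {"signed": {"_type": "snapshot", "version": 1, "replica": tag}}
    ).encode()
    pinned = {
        "version": 1,
        "length": len(snapshot),
        "hashes": {"sha512": hashlib.sha512(snapshot).hexdigest()},
    }
    timestamp = json.dumps(
        {"signed": {"_type": "timestamp", "version": 1,
                    "meta": {"snapshot.json": pinned}}}
    ).encode()
    return {"timestamp.json": timestamp, "snapshot.json": snapshot}


def check_snapshot(timestamp_raw, snapshot_raw):
    """Return None if snapshot.json matches what timestamp.json pins, else an error."""
    meta = json.loads(timestamp_raw)["signed"]["meta"]["snapshot.json"]
    if "length" in meta and meta["length"] != len(snapshot_raw):
        return f"wrong length, expected {meta['length']} got {len(snapshot_raw)}"
    for alg, expected in meta.get("hashes", {}).items():
        got = hashlib.new(alg, snapshot_raw).hexdigest()
        if got != expected:
            return f"wrong {alg} hash, expected {expected} got {got}"
    return None


def survey(replicas):
    """Check every (timestamp source, snapshot source) pairing a balancer could serve."""
    return {
        (t, s): check_snapshot(replicas[t]["timestamp.json"],
                               replicas[s]["snapshot.json"])
        for t, s in product(replicas, repeat=2)
    }


if __name__ == "__main__":
    # Two constructed replicas; same-length snapshots so only the hash differs.
    replicas = {name: make_replica(name) for name in ("a", "b")}
    for pair, err in survey(replicas).items():
        print(pair, "OK" if err is None else err[:40] + "...")
```

To run the same check against a deployment, fill `replicas` with the timestamp.json and snapshot.json bytes fetched from each pod directly rather than through the shared endpoint.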
