Skip to content

Raise an error on loading/writing unsigned metadata #1100

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Oct 2, 2020
Merged

Raise an error on loading/writing unsigned metadata #1100

merged 4 commits into from
Oct 2, 2020

Conversation

sechkova
Copy link
Contributor

@sechkova sechkova commented Aug 6, 2020
edited
Loading

Fixes issue #: #1050

Description of the changes being introduced by the pull request:

  • Modify check_signable_object_format() to raise an error if signable has an empty 'signatures' list.
  • Remove usage of empty signing keys lists in developer_tool
  • Update test cases which use unsigned metadata.

Note Marked as WIP since test_root_rotation_missing_keys correctly fails due to a known verification issue on the Updater (#1101)

Please verify and check that the pull request fulfills the following
requirements:

  • The code follows the Code Style Guidelines
  • Tests have been added for the bug fix or new feature
  • Docs have been added for the bug fix or new feature

@sechkova sechkova mentioned this pull request Aug 6, 2020
Closed
@sechkova sechkova changed the title [WIP] Raise an error on loading/writing unsigned metadata Raise an error on loading/writing unsigned metadata Aug 19, 2020
@sechkova
Copy link
Contributor Author

No longer WIP since the merging of #1101 and ready for review.

joshuagl
joshuagl requested changes Sep 2, 2020
View reviewed changes
Copy link
Member

@joshuagl joshuagl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @sechkova. Obviously this needs rebasing on recent changes in develop and I've requested a change in test_developer_tool to ensure we're testing behaviour we expect to support.

I've also added a question to my more experienced colleagues on the use of partially signed metadata.

@sechkova
Copy link
Contributor Author

Thanks all for sharing your opinion!
Taking the discussion into account I decided to keep the error raised in check_signable_object_format() if signable has an empty 'signatures' list but to except it and log a warning in repository_lib (and developer_tool).
This way we both keep the current functionality allowing for signing offline and we require developers to justify their actions when using check_signable_object_format() with unsigned metadata. And the error is still raised on the client side when loading unsigned metadata file.

I removed the assert cases expecting an error from the tests but still kept the rest which in my opinion improves their logic in general.

Let me know what do you think

@joshuagl
Copy link
Member

I like that a client loading unsigned metadata causes an error, yet we still support generating metadata on the repository for offline signing.

What do you think @trishankatdatadog @mnm678 ?

@mnm678
Copy link
Contributor

mnm678 commented Sep 28, 2020

This looks good to me! What should the behavior be is there are less than a threshold of signatures on the metadata? Should this also cause the error?

@trishankatdatadog
Copy link
Member

Client definitely has to unwaveringly and uncompromisingly strict: no threshold of sigs, no go.

As for repository/developer tools, I'm okay with explicit warnings.

@sechkova
Copy link
Contributor Author

This looks good to me! What should the behavior be is there are less than a threshold of signatures on the metadata? Should this also cause the error?

The threshold of signatures is validated by sig.verify() and the changes in this PR don't affect this.

In the client logic sig.verify() is always called (often hidden down in the call stack) after check_signable_object_format().
The only exception is Updater.__init__ where metadata which is assumed trusted is loaded. In this case check_signable_object_format() will now raise an error if the metadata is unsigned.

Anyway, if you have some doubts and you think it is worth the effort I can add a couple of tests for updater that will clarify this behaviour.

@mnm678
Copy link
Contributor

mnm678 commented Sep 29, 2020

Sorry, my question wasn't clear. I meant what happens if the repository tries to write metadata that has less than a threshold of signatures? The error will be raised if there are no signatures, but I don't think it will if there are less than a threshold of signatures.

@sechkova
Copy link
Contributor Author

sechkova commented Sep 30, 2020
edited
Loading

Let me try to explain my vision of it and hopefully all are on the same page.

On the repository side:

  1. Current behaviour (before this set of changes):
  • sig.verify ensures that threshold of signatures is met during writing of metadata
  • if allow_partially_signed is enabled, there is no check of a threshold of signatures or if metadata is signed at all

A more detailed discussion is in #1050.

  1. After the changes included in this PR:
  • sig.verify ensures that threshold of signatures is met during writing of metadata
  • if allow_partially_signed is enabled, after taking into account the discussion here, only a warning will be logged when the metadata is unsigned. Nothing will happen if the metadata is signed but a threshold of signatures is not met (I guess this is expected since allow_partially_signed is chosen). Maybe another warning in this case?

@mnm678
Copy link
Contributor

mnm678 commented Sep 30, 2020

Let me try to explain my vision of it and hopefully all are on the same page.

Thanks, I think this helps.

Nothing will happen if the metadata is signed but a threshold of signatures is not met (I guess this is expected since `allow_partially_signed` is chosen). Maybe another warning in this case?

This is what I wanted to make sure we clarify. If allow_partially_signed is already specified, I'm not sure another warning is needed, but I just want to make sure the behavior makes sense to users.

@joshuagl
Copy link
Member

joshuagl commented Oct 1, 2020

Thanks for the explanations @sechkova and for the discussion @mnm678 – seems like we agree this change is good to merge?

@sechkova
Raise error on empty 'signatures' list
d3c612b 
Modify  check_signable_object_format() to raise an error
if signable has an empty 'signatures' list.

Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
@sechkova
Log warning on UnsignedMetadataError in repository_lib
e0086d6 
Except the UnsignedMetadataError generated by
check_signable_object_format() and log a warning.

When creating metadata objects on the repository side of TUF,
a use case may exist where  metadata is generated unsigned on
one machine and signed on another.

Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
@sechkova
Update test_repository_lib and test_formats
2738883 
Modify test cases which use unsigned metadata.
Update test_sign_metadata to check for empty key list.

Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
@sechkova
Update test_updater_root_rotation_integration
bebf19a 
Modify test_root_rotation_missing_keys to not use an empty signing
keys list.

Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
joshuagl
joshuagl approved these changes Oct 2, 2020
View reviewed changes
Copy link
Member

@joshuagl joshuagl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Excellent, thanks!

@joshuagl joshuagl merged commit d51dbb8 into theupdateframework:develop Oct 2, 2020
@sechkova sechkova deleted the issue-1050 branch March 25, 2021 13:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mnm678 mnm678 mnm678 left review comments

@trishankatdatadog trishankatdatadog trishankatdatadog left review comments

@joshuagl joshuagl joshuagl approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@sechkova @joshuagl @mnm678 @trishankatdatadog