[pkg-resolver] create client with and without keyid_hash_algorithms

Before this patch, the resolver assumed that all tuf keys should have the `"keyid_hash_algorithms": ["sha256"]` specified. However this field was only added to check compatibility with python-tuf, and python-tuf is [considering] getting rid of them, if they can figure out how to do it without breaking their current users. So we'd like to migrate away from using them to avoid having to have these fields around for all time. This is the first step is to allow us to verify the initial TUF metadata with two variations of the root TUF keys, one with, and one without the keyid_hash_algorithms specified. This is safe (as in we won't double count a key) as long as the metadata doesn't list the same key multiple times with different keyids. Once everyone has migrated over to the new metadata that doesn't mention `keyid_hash_algorithms`, we can get rid of the call to `PublicKey::from_ed25519_with_keyid_hash_algorithms`. [considering]: theupdateframework/python-tuf#848 Fixed: 44490 Change-Id: Ib84ca4551b9d68f322039215ba40996608d6ca58
vsrinivas · Jan 29, 2020 · 13dce59 · 13dce59
1 parent f88d2f0
commit 13dce59
Showing 1 changed file with 17 additions and 8 deletions.
diff --git a/src/sys/pkg/bin/pkg-resolver/src/repository.rs b/src/sys/pkg/bin/pkg-resolver/src/repository.rs
@@ -89,18 +89,27 @@ impl Repository {
  mirror_config: &MirrorConfig,
  node: inspect::Node,
  ) -> Result<Self, anyhow::Error> {
- let root_keys = config
- .root_keys()
- .iter()
- .map(|key| match key {
+ let mut root_keys = vec![];
+
+ // FIXME(42863) we used keyid_hash_algorithms in order to verify compatibility with the
+ // TUF-1.0 spec against python-tuf. python-tuf is thinking about removing
+ // keyid_hash_algorithms, so there's no real reason for us to use them anymore. In order to
+ // do this in a forward-compatible way, we need to create 2 `tuf::PublicKey` keys, one with
+ // a keyid_hash_algorithms specified, and one without. This will let us migrate the
+ // metadata without needing to modify the resolver. Once everyone has migrated over, we can
+ // remove our use of `PublicKey::from_ed25519_with_keyid_hash_algorithms`.
+ for key in config.root_keys().iter() {
+ match key {
  RepositoryKey::Ed25519(bytes) => {
- PublicKey::from_ed25519_with_keyid_hash_algorithms(
+ root_keys.push(PublicKey::from_ed25519(bytes.clone())?);
+ root_keys.push(PublicKey::from_ed25519_with_keyid_hash_algorithms(
  bytes.clone(),
  Some(vec!["sha256".to_string()]),
- )
+ )?);
  }
- })
- .collect::<Result<Vec<PublicKey>, _>>()?;
+ }
+ }
+
  Ok(Self {
  updating_client:
  updating_tuf_client::UpdatingTufClient::from_tuf_client_and_mirror_config(