Properly verify delegated metadata signatures #279

Open
wellsie1116 opened this issue Feb 5, 2020 · 0 comments

Since the delegating targets defines the valid keys a delegated targets can be signed by, it is possible for delegated targets to be valid when accessed via one target path and invalid when accessed via another. tuf::Tuf currently stores a mapping of role to the delegated targets metadata, but that information is insufficient to know which keys should be used to verify metadata given to update_delegation.

Additionally, tuf::Tuf currently depends on tuf::Client correctly calling update_delegation for every link in the delegation chain when resolving a target. Ideally, tuf::Tuf wouldn't depend on tuf::Client calling APIs in the correct order.
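Added illustration, not part of the issue and not rust-tuf code: a minimal model of why trust in a delegated role has to be recorded per delegating parent. `Metadata`, `Store`, `signed_by`, `verify_via` and the `update_delegation` signature shown here are hypothetical, and `signed_by` stands in for real signature verification.

```rust
use std::collections::{HashMap, HashSet};

// Constructed model, no real crypto: `signed_by` stands in for the key IDs
// whose signatures over this metadata verified cryptographically.
#[derive(Clone, Default)]
struct Metadata {
    signed_by: HashSet<String>,
    delegations: HashMap<String, (HashSet<String>, usize)>, // role -> (key IDs, threshold)
}
fn ids(keys: &[&str]) -> HashSet<String> { keys.iter().map(|k| k.to_string()).collect() }

// A delegated role is judged only against the keys its delegating parent lists.
fn verify_via(parent: &Metadata, role: &str, child: &Metadata) -> bool {
    parent.delegations.get(role).map_or(false, |(keys, threshold)| {
        *threshold > 0 && child.signed_by.intersection(keys).count() >= *threshold
    })
}

// Hypothetical store keyed by (delegating role, delegated role), not by role alone.
#[derive(Default)]
struct Store {
    parents: HashMap<String, Metadata>,
    trusted: HashMap<(String, String), Metadata>,
}

impl Store {
    // Looks up the parent itself rather than relying on the caller's ordering.
    fn update_delegation(&mut self, parent: &str, role: &str, child: Metadata) -> bool {
        let ok = self.parents.get(parent).map_or(false, |p| verify_via(p, role, &child));
        if ok {
            self.trusted.insert((parent.to_string(), role.to_string()), child);
        }
        ok
    }
}

// Constructed scenario: roles "a" and "b" both delegate to "c" with different keys.
fn demo() -> (bool, bool, usize) {
    let mut s = Store::default();
    for (name, key) in [("a", "k1"), ("b", "k2")] {
        let mut m = Metadata::default();
        m.delegations.insert("c".into(), (ids(&[key]), 1));
        s.parents.insert(name.into(), m);
    }
    let c = Metadata { signed_by: ids(&["k1"]), ..Default::default() };
    (s.update_delegation("a", "c", c.clone()), s.update_delegation("b", "c", c), s.trusted.len())
}
fn main() { println!("{:?}", demo()); }
```

The same metadata for "c" is accepted through "a" and rejected through "b"; a map keyed by role name alone could not represent both outcomes.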
