bump github.com/theupdateframework/go-tuf to v0.6.0 and update deprecated package #3128
Conversation
…ated package Signed-off-by: cpanato <ctadeu@gmail.com>
To be explicit, after theupdateframework/go-tuf#467 this changes the parameters in generated keys in such a way that the private keys can’t be used by older binaries (new binaries which update to this I don’t have a strong opinion on whether to make this change, I would just like to make sure it is an intentional one.
Thanks for the heads up @mtrmac. If I'm understanding correctly, this would be a major breaking change for Cosign since all previously generated keys would become unusable. My feeling is that the outdated scrypt parameters are not a high priority risk because the encrypted private key is hard to brute force, so we should not break existing key users. If we want to start a migration to this new library, we should a) split the marshal function into Read and Create, b) switch Create to use the new @znewman01 fyi
(Warning: I didn’t actually test that.) No, I understand the breakage goes the other way: all newly generated keys would not be usable by old Cosign (and Podman) binaries.
To keep the old compatible format, use (And that wouldn’t help anyway, because the version in
Sweet, that would be perfect, let's use that for now. It is a little annoying for the verifier if anyone is distributing their Cosign public key and the verifier needs to update Cosign, so I'd prefer we do that in a separate PR after some more discussion around semver.
This only affects the private key. It is annoying all the same, but perhaps fewer people.
Yeah, the only issue with the change in key format is if
In general, I'm comfortable saying we don't need backwards compat for new keys. But in the interest of getting this merged, let's just use the
Note: don't merge until we understand theupdateframework/go-tuf#527 fully
sigstore/sigstore has been updated to v1.7.2 with a fix, or we can wait for go-tuf's 0.6.1 patch. Let's use
Closing in favor of #3183