Snapshotting doesn't verify the root.json manifest.

[asraa]

Currently Snapshot will verify signatures on all snapshotted manifests, but does not require verifying the root.json because root is no longer included in the Snapshot. (see #203)

Root.json was removed from snapshot.json here: https://github.com/theupdateframework/taps/blob/master/tap5.md#security-analysis

Should repo managers verify that root.json is valid before snapshotting? As a matter of robustness? Or should we handle this in our own client.

It seems odd to use the DBs from root to verify sigs on snapshotted manifests if the root is not properly signed.

See sigstore/root-signing#238

[JustinCappos]

I would think it should verify this. I'm not sure how you can check that the snapshot key is current / valid otherwise.

…

On Wed, May 18, 2022 at 1:51 AM asraa ***@***.***> wrote: Currently Snapshot will verify signatures on all snapshotted manifests, but does not require verifying the root.json because root is no longer included in the Snapshot. (see #203 <#203>) Root.json was removed from snapshot.json here: https://github.com/theupdateframework/taps/blob/master/tap5.md#security-analysis Should repo managers verify that root.json is valid before snapshotting? As a matter of robustness? Or should we handle this in our own client. See sigstore/root-signing#238 <sigstore/root-signing#238> — Reply to this email directly, view it on GitHub <#292>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAGROD57CSAWOVYVEFHTSC3VKPMCRANCNFSM5WFXFPUQ> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[joshuagl]

Agreed that repository tooling should be verifying metadata as the tools proceeds through repository operations.

[asraa]

Awesome, the PR opened should do so!