compatibility: sigstore metadata expiry is incompatible #1858

jku · 2022-02-11T17:46:59Z

https://github.com/sigstore/root-signing/blob/main/repository/repository/1.root.json

expiry contains microseconds
expiry contains a timezone offset

we don't consider this spec compliant and currently fail to load this metadata. Should file a bug on go-tuf I suppose?

In addition to this securesystemslib fails to load the ecdsa keys they use: #1859.

jku · 2022-02-11T17:56:25Z

cc @rdimitrov

joshuagl · 2022-02-12T17:15:50Z

There's some discussion about this in a go-tuf issue theupdateframework/go-tuf#136

jku · 2022-10-31T08:17:36Z

🙏 current sigstore metadata works with python-tuf-ngclient ( boostrap from 5.root.json only). Thanks Asra and others who worked on this!

Now would be a good time to start working on a compliance test suite...

jku mentioned this issue Feb 11, 2022

ngclient: Test against other implementations #1756

Open

jku changed the title ~~compatibility issue: sigstore metadata expiry is incompatible~~ compatibility: sigstore metadata expiry is incompatible Feb 12, 2022

jku mentioned this issue Feb 14, 2022

TUF expiry contains microseconds sigstore/root-signing#103

Closed

jku closed this as completed Oct 31, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

compatibility: sigstore metadata expiry is incompatible #1858

compatibility: sigstore metadata expiry is incompatible #1858

jku commented Feb 11, 2022 •

edited

Loading

jku commented Feb 11, 2022

joshuagl commented Feb 12, 2022

jku commented Oct 31, 2022 •

edited

Loading

compatibility: sigstore metadata expiry is incompatible #1858

compatibility: sigstore metadata expiry is incompatible #1858

Comments

jku commented Feb 11, 2022 • edited Loading

jku commented Feb 11, 2022

joshuagl commented Feb 12, 2022

jku commented Oct 31, 2022 • edited Loading

jku commented Feb 11, 2022 •

edited

Loading

jku commented Oct 31, 2022 •

edited

Loading