-
Notifications
You must be signed in to change notification settings - Fork 275
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implementation of Offline mode for TUF #2359
Comments
@jku @woodruffw correct me if I'm missing any details here |
Thanks for writing this down. I will have a look at the PR by tomorrow. We had a TUF maintainer meeting in kubecon last week and discussed this area. The general consensus was:
|
I'll also copy-paste my definition of the use-case -- I believe this is inline with what you wrote in the original description:
|
Note that in the above description, if the application always uses "offline mode" after downloading for the first time, metadata never gets updated after that... So application is now left to implement some sort "max offline" time |
I think this is the only point I have some trepidation around 🙂 -- if the metadata in question expires weekly (or less frequently), then IMO a hard error case for expired local metadata makes more sense than success (presumably with lots of warnings about expiry). On the other hand, if these expires are <24 hours or similar, then this makes sense to me. Otherwise, everything in #2359 (comment) sounds good, and is aligned with what we'd like on the |
Yeah I could easily be convinced to always respect expiry: it's definitely the part that makes me most vary of this... It should be noted that the way sigstore clients are currently used in a lot of places would not get a lot of benefit from an offline implementation that does always respect expiry dates: in a lot of cases the client is run in a clean environment on CI so the metadata is always expired. The real fix for that issue might be to document caching and to make it as easy as possible -- so that TUF metadata gets cached and re-used. |
Yeah, good point, and agreed -- that raises some interesting threat model/attack questions (what can an attacker do if they control the store that the TUF cache gets loaded from?), but IMO those questions largely boil down to "attacker controls the host" and that's already a "game over" scenario (since they could just rewrite the root of trust anyways). (I also think, at least for CI workflows, that it makes sense to strongly encourage users to prefer online operations: they're online anyways due to the CI being online, and the privacy concerns aren't quite as salient since it isn't a personal machine. So, at least for |
Ok, have spent a little more time with this. There's a thread on sigstore slack (https://sigstore.slack.com/archives/C024FPJKC6L/p1694691208834919) but documenting some technical details here:
|
Documented my thinking here: Main takeaway: I don't think a user option "--offline" in sigstore or other TUF using app makes sense unless we also allow expired metadata -- otherwise it will be very difficult for users to figure out when the app will work and when it will fail |
Hello, I've recently taken up a new job that is absorbing most of my time; thus I don't believe I will be able to offer work on this at a meaningful pace. I would be happy to offer assistance to anyone else who wanted to work on this at another time tho |
I have a untested branch of offline (non-expiry-respecting) mode in develop...jku:python-tuf:offline-mode -- It's based on the work in the existing PR and I think it looks complete now but next step is writing a bunch of tests and seeing if that's true... |
I can take a look at it tonight |
This has been implemented in #2472, but not been merged for the reasons summarised in #2472 (comment). In short: there is little advantage of using TUF in offline mode, over not using TUF at all. To leverage that advantage, other work is required, which is not a priority at the moment. |
Sigstore's python client would like to use the TUF updater in a fully offline manner to allow for opt-in offline verification. To do so would require TUF to function using only locally-stored materials.
Within TUF's current implementation, regardless of the validity of already-stored materials, online access is always required. Thus far, we've been able to run the updater on a modified branch using only local materials and seek to expand this modification to allow for opt-in usage of expired metadata in offline mode. This would be useful for clients like sigstore that would to allow for verification with metadata that was previously valid. A primary use case for this would involve verifying on machines that do not necessarily maintain a connection online.
Changes on our experimental branch have been within updater.py and have consisted of adding a new boolean to UpdaterConfig and avoiding online refreshes if said boolean has been set. Further implementation would require changes to trusted_metadata_set.py to skip checks against the expiry of the metadata if the aforementioned boolean has been set.
Ideally the flow of TUF's updater with these changes would go as follows, given the boolean is set:
The text was updated successfully, but these errors were encountered: