Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

targets: Use online root meta if not found locally #394

Merged
merged 1 commit into from
Apr 16, 2024
Merged

targets: Use online root meta if not found locally #394

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 10 additions & 1 deletion subcommands/targets/offline-update.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -512,7 +512,10 @@ func getLatestRoot(bundleTufPath string) (*client.AtsTufRoot, error) {
if !errors.Is(readErr, os.ErrNotExist) {
return nil, readErr
}

if latestVersionBytes == nil {
// None of the N.root.json where N starts from 3 was found in the bundle
return nil, os.ErrNotExist
}
rootMeta := client.AtsTufRoot{}
if err := json.Unmarshal(latestVersionBytes, &rootMeta); err != nil {
return nil, err
Expand Down Expand Up @@ -562,6 +565,12 @@ func doShowBundle(cmd *cobra.Command, args []string) {
}

rootMeta, err := getLatestRoot(tufMetaPath)
if errors.Is(err, os.ErrNotExist) && bundleMeta.ouBundleMeta.Type == "ci" {
// If no any N.root.json is found in the bundle and this is the "ci" bundle,
// then this is the valid case - a user has not taken their TUF targets key offline.
// Therefore, instead of failing the command fetches the root meta from the backend.
rootMeta, err = api.TufRootGet(viper.GetString("factory"))
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you mean that TUF root versions 1 and 2 are never included into the update bundle?
This seems strange, but I might be out of context.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. From the security standpoint of view this the right things to do, otherwise anyone can generate their own chain of TUF keys and put into a bundle. Then, a non-registered device will trust it.
However, we protect our devices from it by pre-provisioning them with the first N root versions...

subcommands.DieNotNil(err)
fmt.Println("\tAllowed keys:")
for _, key := range rootMeta.Signed.Roles["targets"].KeyIDs {
Expand Down
Loading