Initial TUF integration with RubyGems

Tony Arcieri bascule at gmail.com
Wed Nov 20 22:41:27 UTC 2013


I'm seeing a few discrepancies in root.txt. I'm looking at the encoding
here:

http://mirror1.poly.edu/test-rubygems/metadata/root.txt

The PEM encoded pubkey doesn't have "\n" literals where newlines would
ordinarily be. Instead it's using spaces?

When I take the SHA256 digest of the DER encoding of the certificate in
root.txt, I get:

    6ee8101a3ff89933143ac714f7ab883329e1a65045e577238cf93507a30ccfa8

This doesn't match the one in the document
(a48adfc56133e328957ecbe2511b726573cfc02091dc534357f4a436b3da7cc7).
According to the TUF specification:


   The KEYID of a key is the hex representation of the SHA-256 hash of the
   canonical encoding of the key.


Does canonical encoding mean something other than DER here?

On Wed, Nov 20, 2013 at 12:44 PM, Trishank Karthik Kuppusamy <
tk47 at students.poly.edu> wrote:

> Sounds great, thanks for letting us know! :)
>
> We will be sure to review the code. I am personally going to be busy the
> next few hours, but I should have some free time to look at this later
> tonight.
>
> On 11/20/2013 02:06 PM, Xavier Shay wrote:
> > fwiw I'm working on cleaning up the rubygems.org code here:
> > https://github.com/square/rubygems.org/commits/tuf-metadata-generation
> >
> >
> > On Wed, Nov 20, 2013 at 11:04 AM, Tony Arcieri <bascule at gmail.com> wrote:
> >
> >     Hi there! The team here at Square has some code for you to look at
> >     if you'd like to perform some initial review.
> >
> >     We're committing to the "tuf" branch on the Square fork of RubyGems
> >     and RubyGems.org:
> >
> >     https://github.com/square/rubygems/commits/tuf
> >     https://github.com/square/rubygems.org/commits/tuf
> >
> >     So far the server contains the main code spike, including the code
> >     necessary to generate TUF metadata and download and verify a gem.
> >
> >     You can find the client here:
> >
> >
> https://github.com/square/rubygems.org/blob/tuf/script/fetch-me-a-gem-with-tuf
> >
> >     We'll be moving this code into the RubyGems client, which is a bit
> >     tricky as we can only depend on the standard library and still need
> >     to work on ancient versions of Ruby that don't even ship a JSON
> parser.
> >
> >     --
> >     Tony Arcieri
> >
> >     --
> >     You received this message because you are subscribed to the Google
> >     Groups "RubyGems Update Framework" group.
> >     To unsubscribe from this group and stop receiving emails from it,
> >     send an email to rubygems-tuf+unsubscribe at googlegroups.com.
> >     For more options, visit https://groups.google.com/groups/opt_out.
> >
> >
>
>
>


-- 
Tony Arcieri
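Added worked example (editor's note, not code from the Square branches or from the TUF reference implementation): the KEYID question above turns on what "canonical encoding of the key" means. In TUF it is the canonical JSON serialization of the key *object* (keytype plus keyval), not the DER of the certificate or SubjectPublicKeyInfo, so a digest over DER will never match. The canonical-JSON rules below are my reading of the OLPC Canonical JSON page the TUF spec references (sorted keys, no whitespace, only `"` and `\` escaped inside strings, so a newline in the PEM is emitted as a raw byte). The exact field layout of the key object (`keytype`/`keyval`/`public`) is an assumption about the metadata format of the time and may differ from what root.txt actually carries; the script also shows that replacing the PEM's newlines with spaces changes the KEYID, which is why the whitespace discrepancy matters. The RSA key is generated at run time, so the hex values differ on each run.

```ruby
require "openssl"
require "digest"

# Canonical JSON as the TUF spec points to it (my reading of the OLPC rules,
# not the project's encoder): only '"' and '\' are escaped inside strings,
# so a PEM newline stays a literal 0x0a byte rather than the two chars "\n".
def canonical_string(s)
  '"' + s.gsub(/["\\]/) { |m| "\\" + m } + '"'
end

def canonical_json(obj)
  case obj
  when Hash
    "{" + obj.sort_by { |k, _| k.to_s }
             .map { |k, v| "#{canonical_string(k.to_s)}:#{canonical_json(v)}" }
             .join(",") + "}"
  when Array   then "[" + obj.map { |v| canonical_json(v) }.join(",") + "]"
  when String  then canonical_string(obj)
  when Integer then obj.to_s
  when true    then "true"
  when false   then "false"
  when nil     then "null"
  else raise ArgumentError, "unsupported type for canonical JSON: #{obj.class}"
  end
end

# Assumed shape of a TUF key object; the real root.txt layout may differ.
def tuf_key_object(pem)
  { "keytype" => "rsa", "keyval" => { "public" => pem } }
end

# KEYID per the spec: hex SHA-256 over the canonical encoding of the key object.
def tuf_keyid(key_obj)
  Digest::SHA256.hexdigest(canonical_json(key_obj))
end

# What the e-mail above computed instead: SHA-256 over the DER-encoded public key.
def der_digest(pem)
  Digest::SHA256.hexdigest(OpenSSL::PKey::RSA.new(pem).public_key.to_der)
end

# Compare the three candidate digests for one PEM. The third entry uses a
# copy of the PEM with newlines turned into spaces, mimicking the encoding
# discrepancy reported above, and yields a different KEYID.
def compare_keyids(pem)
  {
    der_sha256:   der_digest(pem),
    keyid:        tuf_keyid(tuf_key_object(pem)),
    keyid_spaces: tuf_keyid(tuf_key_object(pem.tr("\n", " ")))
  }
end

# Constructed sample key: generated here, not the key from root.txt.
SAMPLE_PEM = OpenSSL::PKey::RSA.new(2048).public_key.to_pem

if $PROGRAM_NAME == __FILE__
  compare_keyids(SAMPLE_PEM).each { |name, hex| puts "#{name}: #{hex}" }
end
```

Run it with `ruby keyid.rb`; the `keyid` line is the value to compare against root.txt, and `der_sha256` will not match it regardless of how the PEM is laid out.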


More information about the RubyGems-Developers mailing list