Initial TUF integration with RubyGems

Vladimir Diaz vladimir.v.diaz at gmail.com
Wed Nov 20 23:16:12 UTC 2013


Canonical refers to Canonical JSON form, as specified at
http://wiki.laptop.org/go/Canonical_JSON .  It's a restricted dialect of
JSON in which keys are always lexically sorted, there is no whitespace,
floats aren't allowed, and only quote and backslash get escaped.

We set the key object (python dictionary; see
https://github.com/theupdateframework/tuf/blob/develop/docs/tuf-spec.txt#L445-L449)
in Canonical JSON form so that we generate a consistent keyid.  It is not
the SHA256 of the DER encoding, nor of the formatted json in "root.txt".
We write json metadata as follows:

# The metadata object is saved to 'file_object'.  The keys
# of the objects are sorted and indentation is used.
json.dump(metadata, file_object, indent=1, sort_keys=True)


On Wed, Nov 20, 2013 at 5:41 PM, Tony Arcieri <bascule at gmail.com> wrote:

> I'm seeing a few discrepancies in root.txt. I'm looking at the encoding
> here:
>
> http://mirror1.poly.edu/test-rubygems/metadata/root.txt
>
> The PEM encoded pubkey doesn't have "\n" literals where newlines would
> ordinarily be. Instead it's using spaces?
>
> When I take the SHA256 digest of the DER encoding of the certificate in
> root.txt, I get:
>
>     6ee8101a3ff89933143ac714f7ab883329e1a65045e577238cf93507a30ccfa8
>
> This doesn't match the one in the document
> (a48adfc56133e328957ecbe2511b726573cfc02091dc534357f4a436b3da7cc7).
> According to the TUF specification:
>
>    The KEYID of a key is the hex representation of the SHA-256 hash of the
>    canonical encoding of the key.
>
>
> Does canonical encoding mean something other than DER here?
>
> On Wed, Nov 20, 2013 at 12:44 PM, Trishank Karthik Kuppusamy <
> tk47 at students.poly.edu> wrote:
>
>> Sounds great, thanks for letting us know! :)
>>
>> We will be sure to review the code. I am personally going to be busy the
>> next few hours, but I should have some free time to look at this later
>> tonight.
>>
>> On 11/20/2013 02:06 PM, Xavier Shay wrote:
>> > fwiw I'm working on cleaning up the rubygems.org <http://rubygems.org>
>> > code
>> > here:
>> https://github.com/square/rubygems.org/commits/tuf-metadata-generation
>> >
>> >
>> > On Wed, Nov 20, 2013 at 11:04 AM, Tony Arcieri <bascule at gmail.com
>> > <mailto:bascule at gmail.com>> wrote:
>> >
>> >     Hi there! The team here at Square has some code for you to look at
>> >     if you'd like to perform some initial review.
>> >
>> >     We're committing to the "tuf" branch on the Square fork of RubyGems
>> >     and RubyGems.org:
>> >
>> >     https://github.com/square/rubygems/commits/tuf
>> >     https://github.com/square/rubygems.org/commits/tuf
>> >
>> >     So far the server contains the main code spike, including the code
>> >     necessary to generate TUF metadata and download and verify a gem.
>> >
>> >     You can find the client here:
>> >
>> >
>> https://github.com/square/rubygems.org/blob/tuf/script/fetch-me-a-gem-with-tuf
>> >
>> >     We'll be moving this code into the RubyGems client, which is a bit
>> >     tricky as we can only depend on the standard library and still need
>> >     to work on ancient versions of Ruby that don't even ship a JSON
>> parser.
>> >
>> >     --
>> >     Tony Arcieri
>> >
>> >     --
>> >     You received this message because you are subscribed to the Google
>> >     Groups "RubyGems Update Framework" group.
>> >     To unsubscribe from this group and stop receiving emails from it,
>> >     send an email to rubygems-tuf+unsubscribe at googlegroups.com
>> >     <mailto:rubygems-tuf%2Bunsubscribe at googlegroups.com>.
>> >     For more options, visit https://groups.google.com/groups/opt_out.
>> >
>> >
>>
>>
>>
>
>
> --
> Tony Arcieri
>
>
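The keyid derivation Vladimir describes at the top of this message, as an added example (not code from the thread, from TUF or from the RubyGems fork): a Canonical JSON encoder following the four rules he lists, the keyid as the hex SHA-256 of that encoding, and the root.txt-style `json.dump` formatting beside it to show why hashing the formatted file gives a different digest. The key object layout (keytype plus keyval) and the PEM body are constructed placeholders, not a real key.

```python
import hashlib
import json


def encode_canonical(obj):
    """Canonical JSON (wiki.laptop.org/go/Canonical_JSON): keys lexically sorted,
    no whitespace, no floats, only '"' and '\\' escaped in strings (so a newline
    inside a PEM string is emitted as a raw newline, not as the two chars \\n)."""
    if obj is None or isinstance(obj, bool):
        return "null" if obj is None else ("true" if obj else "false")
    if isinstance(obj, int):
        return str(obj)
    if isinstance(obj, float):
        raise TypeError("floats are not allowed in canonical JSON")
    if isinstance(obj, str):
        return '"' + obj.replace("\\", "\\\\").replace('"', '\\"') + '"'
    if isinstance(obj, (list, tuple)):
        return "[" + ",".join(encode_canonical(v) for v in obj) + "]"
    if isinstance(obj, dict):
        if not all(isinstance(k, str) for k in obj):
            raise TypeError("object keys must be strings")
        # Python sorts str by code point, which matches UTF-8 byte order.
        pairs = (encode_canonical(k) + ":" + encode_canonical(obj[k]) for k in sorted(obj))
        return "{" + ",".join(pairs) + "}"
    raise TypeError("unsupported type: %r" % type(obj))


def keyid(key_object):
    """KEYID as the spec quoted in the thread defines it: hex SHA-256 of the
    canonical encoding of the key object (a dict), not of DER or of root.txt."""
    return hashlib.sha256(encode_canonical(key_object).encode("utf-8")).hexdigest()


def formatted_metadata(metadata):
    """How the message says metadata files such as root.txt are written:
    sorted keys plus indentation, which is readable but not canonical."""
    return json.dumps(metadata, indent=1, sort_keys=True)


def keyid_of_formatted(key_object):
    """Digest of the root.txt-style text, for comparison with keyid() only."""
    return hashlib.sha256(formatted_metadata(key_object).encode("utf-8")).hexdigest()


# Constructed placeholder key object; layout assumed from the spec reference in
# the message (keytype plus keyval). The PEM body is not a real key.
SAMPLE_KEY = {
    "keytype": "rsa",
    "keyval": {"public": "-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----\n"},
}
```

`keyid(SAMPLE_KEY)` and `keyid_of_formatted(SAMPLE_KEY)` differ because `json.dumps` adds whitespace and escapes the newlines as `\n`; reordering the dictionary's keys does not change `keyid()`.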

