Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GPGSignature loads and dumps different dict key #418

Closed
PradyumnaKrishna opened this issue Jul 8, 2022 · 2 comments · Fixed by #419
Closed

GPGSignature loads and dumps different dict key #418

PradyumnaKrishna opened this issue Jul 8, 2022 · 2 comments · Fixed by #419

Comments

@PradyumnaKrishna
Copy link
Contributor

PradyumnaKrishna commented Jul 8, 2022
edited
Loading

Description of issue or feature request:
GPGSignature's to_dict method returns a signature key in dict but requires a sig key in from_dict method.

Also, GPGSignature schema in formats has field signature instead of sig that is used by a Signature. isn't DSSE signatures have sig for signatures?

Current behavior:
GPGSignature from_dict and to_dict methods are not configured properly and will not load a dumped dict of a self.

securesystemslib/securesystemslib/signer.py

Lines 129 to 133 in 873f276

return cls(
signature_dict["keyid"],
signature_dict["sig"],
signature_dict["other_headers"]
)

securesystemslib/securesystemslib/signer.py

Lines 138 to 142 in 873f276

return {
"keyid": self.keyid,
"signature": self.signature,
"other_headers": self.other_headers
}

Expected behavior:
Either use sig or signature for both methods and representation of GPGSignature.

Related to DSSE
My idea is to implement GPGKey similar to SSlibKey implementation as provided in #416 (comment) so that external representation won't affect the verification.

Regarding GPGSignature I think we should use sig and we can parse both sig and signature in from_dict method of GPGSignature.

whats your opinion @lukpueh?
@lukpueh
Copy link
Member

lukpueh commented Jul 11, 2022

Good find, @PradyumnaKrishna! Regardless of what the name is, GPGSignature's from_dict and to_dict should really use the same, so that serialize(deserialize(data)) == data. Would you mind fixing this upstream (in this repo)?

Regarding what name it should be:

  1. "signature" makes it easier to start using GPGSignature with existing (in-toto) metadata.
  2. "sig" makes it compliant with the DSSE envelope spec ("The following fields are REQUIRED and MUST be set, even if empty: [...] signature.sig").

I think either way is fine but lean towards 1 for the time being because of backwards-compatibility and because it seems simpler (e.g. we don't have to translate sig<->signature when calling securesystemslib.gpg.functions). Let's decide whether we want to deprecate "signatures" in favor of "sig", and whether we want to have a period where we accept both later. We can do this when we start integrating DSSE with in-toto, I'm sure we'll find a few more backwards-/cross-compatibility issues.

cc @MVrachev

@lukpueh
Copy link
Member

lukpueh commented Jul 11, 2022

My idea is to implement GPGKey similar to SSlibKey implementation as provided in #416 (comment) so that external representation won't affect the verification.

👍

PradyumnaKrishna added a commit to PradyumnaKrishna/securesystemslib that referenced this issue Jul 11, 2022
@PradyumnaKrishna
Fix serialization in GPGSignature and formatting
ecd7ef0 
GPG signature requires `sig` on load but dumps `signature` key in a
dict which should be the same key name secure-systems-lab#418.
Some formatting fixes are made to the singer.py.

Signed-off-by: Pradyumna Krishna <[email protected]>
@PradyumnaKrishna PradyumnaKrishna mentioned this issue Jul 11, 2022
Merged
3 tasks
@lukpueh lukpueh mentioned this issue Nov 2, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix serialization in GPGSignature and formatting PradyumnaKrishna/securesystemslib
2 participants
@lukpueh @PradyumnaKrishna