How to add a binary target file with offline keys #222

Open
doanac opened this issue Apr 15, 2019 · 7 comments


doanac commented Apr 15, 2019

I've been able to add binary target files to the repo server via the API (e.g. PUT api/v1/user_repo/targets/) and Web UI when I have online keys. However, my production instance uses offline keys. I'm not quite sure how to upload a file to the reposerver and have it added to my targets.json properly?

Author

doanac commented Aug 5, 2019

Another thing I've noticed is a more serious bug: When you add a target file through this API, all custom data not known by ota-tuf will be lost for all targets. I have a field target["custom"]["docker_apps"] that's getting wiped out for all my existing targets each time I use this API.

Contributor

simao commented Aug 6, 2019

With regard to the 1st question, you'd have to use garage-sign to add that binary target. The server will not accept binary packages directly if the keys are offline, as it cannot sign the resulting metadata.

About the 2nd question, which version of tuf-repo are you using? This case is handled explicitly (

) So this would definitely be a bug...

Author

doanac commented Aug 6, 2019

I just discovered I'm running an out-of-tree version based on this PR:

#221

However, that PR includes the commit you just referenced. Here's a simplified list of steps I can do to reproduce the issue:

#!/bin/sh -ex

garage-sign init --repo /tufrepo --credentials /credentials.zip
garage-sign targets pull --repo /tufrepo

cp /tufrepo/roles/unsigned/targets.json /tmp/targets-before.json

$data > app.txt

/tmp/ci-scripts/factory-containers/ota-dockerapp.py publish app.txt /credentials.zip 12 /tufrepo/roles/unsigned/targets.json

garage-sign targets pull --repo /tufrepo

I can then run something like the following:

~ # cat /tmp/targets-before.json  | grep docker_apps
        "docker_apps" : {
        "docker_apps" : {
~ # cat /tufrepo/
config.json      credentials.zip  keys/            roles/
~ # cat /tufrepo/roles/
root.json              targets.json.checksum  unsigned/
~ # cat /tufrepo/roles/unsigned/targets.json | grep docker_apps
~ # 

which shows that all the targets with "docker_apps" in the custom data get lost.
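
A structured version of the grep comparison above, added here as an example and not taken from the thread or from ota-tuf: it reports, per target, which `custom` paths were present in the saved copy but are gone after the pull. It assumes targets.json holds a `targets` map either at the top level or under `signed`; the sample documents, target names and field values are constructed.

```python
import json

# Constructed sample documents; target names and field values are invented.
BEFORE = json.loads("""{"targets": {
  "app-v11": {"hashes": {"sha256": "aa"}, "length": 10,
    "custom": {"name": "app", "version": "11",
               "docker_apps": {"shell": {"filename": "shell.dockerapp-11"}}}},
  "app-v12": {"hashes": {"sha256": "bb"}, "length": 12,
    "custom": {"name": "app", "version": "12"}}}}""")
AFTER = json.loads("""{"signed": {"targets": {
  "app-v11": {"hashes": {"sha256": "aa"}, "length": 10,
    "custom": {"name": "app", "version": "11"}},
  "app-v12": {"hashes": {"sha256": "bb"}, "length": 12,
    "custom": {"name": "app", "version": "12"}},
  "app.txt": {"hashes": {"sha256": "cc"}, "length": 3, "custom": {}}}}}""")

def load_targets(doc):
    """Return the targets map from a bare role body or a signed envelope."""
    return doc.get("signed", doc).get("targets", {})

def leaf_paths(value, prefix=""):
    """Yield the dotted path of every leaf under a target's custom object."""
    if isinstance(value, dict) and (value or not prefix):
        for key, child in value.items():
            yield from leaf_paths(child, f"{prefix}.{key}" if prefix else key)
    else:
        yield prefix

def lost_custom_fields(before_doc, after_doc):
    """Map target name -> custom paths present before but absent after."""
    before, after = load_targets(before_doc), load_targets(after_doc)
    report = {}
    for name, meta in before.items():
        if name not in after:
            report[name] = ["<target removed>"]
            continue
        kept = set(leaf_paths(after[name].get("custom") or {}))
        lost = sorted(p for p in leaf_paths(meta.get("custom") or {}) if p not in kept)
        if lost:
            report[name] = lost
    return report

if __name__ == "__main__":
    # Real use: json.load() the saved copy and the freshly pulled targets.json.
    for target, paths in lost_custom_fields(BEFORE, AFTER).items():
        print(f"{target}: lost {', '.join(paths)}")
```

Run before signing and pushing, a non-empty report means the pulled metadata no longer carries fields the earlier copy had.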

Contributor

simao commented Aug 7, 2019

What are app.txt and ota-dockerapp.py? Which APIs are they calling?

Contributor

simao commented Aug 7, 2019

In any case, I just managed to reproduce this. We will create a ticket to fix this.

Contributor

tkfu commented Nov 8, 2019

Should be fixed by #252. @doanac, can you verify?

@jochenschneider
Contributor

Not deployed to production, yet, but will be soon.
