in-toto signature verifying API -- verifylib.in_toto_verify() and Metablock.verify_signature() -- expects a json/dict representation of a public key to be passed as argument. This is useful if the key is taken directly from in-toto metadata.
However, layout verification keys are not included in in-toto metadata, and need to be loaded from somewhere else, e.g. a public key file.
As in-toto/securesystemslib is deprecating legacy key file formats and functions, we should document other ways of loading verification keys.
The following snippet is used internally by in-toto-verify to load standard PEM/SubjectPublicKeyInfo files using pyca/cryptography and the securesystemslib Key interface:
```python
from typing import Any, Dict

from cryptography.hazmat.primitives.serialization import load_pem_public_key
from securesystemslib.signer import SSlibKey


def _load_public_key_from_file(path: str) -> Dict[str, Any]:
    """Internal helper to load key from SubjectPublicKeyInfo/PEM file."""
    with open(path, "rb") as f:
        data = f.read()

    # Parse the PEM/SubjectPublicKeyInfo bytes with pyca/cryptography ...
    crypto_public_key = load_pem_public_key(data)
    # ... and wrap the resulting public key in a securesystemslib Key
    key = SSlibKey.from_crypto(crypto_public_key)

    # Create a key_dict, which is accepted by `verifylib.in_toto_verify` or
    # `Metablock.verify_signature`
    # NOTE: securesystemslib and in-toto key dicts differ:
    # the former don't include the keyid, which the latter require
    key_dict = key.to_dict()
    key_dict["keyid"] = key.keyid
    return key_dict
```
Preferred solution

- improve securesystemslib documentation for Signer and Key interfaces, which already implement various ways of loading public keys from different key providers
- make Key a first-class citizen in in-toto:
  - change in-toto signature verification API to accept Key instances instead of key dictionaries
  - related: change in-toto metadata class model, to load Key instances at metadata deserialisation time
Hey @lukpueh,
I want to work on this issue. Could you give me some guidance on how to proceed? I have already worked with the signer and keys in a demo project.
"We need to change the verify_signature function in both the Metablock and Metadata classes in metadata.py, as well as the verify_metadata_signatures function in verifylib.py. Additionally, we should update the verifylib.in_toto_verify function call in in-toto-verify.py. Can you confirm if this is the right direction?"