Skip to content

Add TUF schema files #246

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 37 commits into
base: master
Choose a base branch
from
Draft

Add TUF schema files #246

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
37 commits
Select commit Hold shift + click to select a range
dc9fe0b
Add TUF and in-toto schema files
Aug 25, 2022
24dc032
Remove files specific to Datadog agent integrations
Sep 1, 2022
885ea58
Minimum allowed version in 1 in timestamps.schema.json
Sep 1, 2022
767c54a
Allow versions without patch release number in timestamp.schema.json
Sep 1, 2022
6b6d6fb
Allow optional patch version in spec_version field
Sep 1, 2022
850f864
Require only targets.json in snapshot schema
Sep 1, 2022
40247c4
Version numbers are always 1 or above
Sep 1, 2022
975c34a
Neither specific targets nor delegations are expected in targets.json
Sep 1, 2022
4c22256
Use explicit pattern for datetime format
Sep 1, 2022
46281e4
Add missing version to targets.schema.json
Sep 1, 2022
fb56026
Loosen requirement on keyids
Sep 1, 2022
3a253ff
Let users specify signature scheme
Sep 1, 2022
84ad9f4
Add optional parts of the METAFILES section in snapshot.json
Sep 1, 2022
d6731dc
Field consistent_snapshot is optional in root.json
Sep 1, 2022
2affedf
Add optional mirror role to root.json
Sep 1, 2022
05fdf4b
Additionally specify targets in targets.json schema
Sep 1, 2022
17f3efd
Targets is a required property in targets.json
Sep 1, 2022
e6b6832
Specify schema of delegations in targets.json
Sep 1, 2022
3a59b30
Adjust targets section of targets.json
Sep 1, 2022
945bd6f
Fix schema for targets in targets.json
Sep 1, 2022
c6c6674
Minimum version number is 1
Sep 1, 2022
7705ca9
Provide schema for mirrors.json
Sep 6, 2022
a5f6a0e
Remove keyid_hash_algorithms from root.json schema
Sep 8, 2022
d9b0672
Remove schema for mirrors.json
Sep 8, 2022
5579cfa
Allow additional properties for keys to capture also keyid_hash_algor…
Sep 8, 2022
99843d9
Add schema for map.json file
Sep 8, 2022
9fb5926
Adjust schema for map.json - no need to have signed content
Sep 8, 2022
e17ccfb
Mention JSON schema files in TUF specification
Sep 9, 2022
62067e2
Relax requirement on signitures
Sep 11, 2022
1e6a129
Keyids can be SHA256
Sep 11, 2022
39d2add
SHA256/SHA512 are not required
Sep 11, 2022
c423ee2
Custom key is not required in targets.json schema
Sep 11, 2022
bcc2c17
Use JSON date-time format for expires
Sep 11, 2022
4efec41
Be more specific about keys allowed in targets.json delegations
Sep 13, 2022
a037d25
Bump date in TUF spec
Sep 13, 2022
dba81f9
Revert to using pattern for expires
Sep 14, 2022
ecc07c9
Bump version of tuf spec
Sep 14, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 55 additions & 0 deletions schemas/map.schema.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"required": ["repositories", "mapping"],
"additionalProperties": false,
"properties": {
"repositories": {
"type": "object",
"items": {
"type": "object",
"patternProperties": {
".+": {
"type": "object",
"items": {
"type": "string",
"minimum": 1
}
}
}
}
},
"mapping": {
"type": "array",
"items": {
"type": "object",
"additionalProperties": false,
"required": ["paths", "repositories", "threshold", "terminating"],
"properties": {
"paths": {
"type": "array",
"items": {
"type": "string",
"minLength": 1
}
},
"repositories": {
"type": "array",
"items": {
"type": "string",
"minLength": 1
}
},
"threshold": {
"type": "integer",
"minimum": 1
},
"terminating": {
"type": "boolean"
}
}
}
}
}
}

190 changes: 190 additions & 0 deletions schemas/root.schema.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,190 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"required": ["signatures", "signed"],
"additionalProperties": false,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this mean no extra properties are allowed? I think this is incorrect not just here but (almost) everywhere in the spec: there are only two or three places where extra properties would make the content non-compliant.

"properties": {
"signatures": {
"type": "array",
"items": {
"type": "object",
"required": ["keyid", "sig"],
"additionalProperties": false,
"properties": {
"keyid": {
"type": "string",
"minLength": 64,
"maxLength": 64,
"pattern": "^[a-f0-9]{64}$"
},
"sig": {
"type": "string",
"minLength": 1
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would allow any length here:

  • signatures with empty sigs is a pattern that's useful to accomodate merging signature changes during threshold signing (see sigstore root-signing for an example)
  • a signature with length 0 is no more pointless than length 1 for example

}
}
}
},
"signed": {
"type": "object",
"required": ["_type", "expires", "keys", "roles", "spec_version", "version"],
"additionalProperties": false,
"properties": {
"_type": {
"enum": ["root"]
},
"consistent_snapshot": {
"type": "boolean"
},
"expires": {
"type": "string",
"pattern": "^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$"
},
"keys": {
"type": "object",
"additionalProperties": false,
"patternProperties": {
"^[0-9a-f]{64}$": {
"type": "object",
"required": ["keytype", "keyval", "scheme"],
"additionalProperties": true,
"properties": {
"keytype": {
"enum": ["rsa", "ed25519", "ecdsa-sha2-nistp256"]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does this mean only these three values are allowed? That seems incorrect

The correct way to handle the spec requirements seems to be:

  • allow any keys with keytype, scheme and keyval
  • if keytype in ["rsa", "ed25519", "ecdsa-sha2-nistp256"], then check that keyval contains a "public"

is the described check useful for anyone? not sure, but this is what the spec says if I read it correctly.

},
"keyval": {
"type": "object",
"required": ["public"],
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mentioned this another comment: "public" is only required for the three defined keytypes, not for others

"additionalProperties": false,
"properties": {
"public": {
"type": "string",
"minLength": 1
}
}
},
"scheme": {
"enum": ["rsassa-pss-sha256", "ed25519", "ecdsa-sha2-nistp256"]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does this mean only these three values are allowed?

}
}
}
}
},
"roles": {
"type": "object",
"required": ["root", "snapshot", "targets", "timestamp"],
"additionalProperties": false,
"properties": {
"mirror": {
"type": "object",
"required": ["keyids", "threshold"],
"additionalProperties": false,
"properties": {
"keyids": {
"type": "array",
"items": {
"type": "string",
"minLength": 64,
"maxLength": 64,
"pattern": "^[a-f0-9]{64}$"
}
},
"threshold": {
"type": "number",
"minimum": 1
}
}
},
"root": {
"type": "object",
"required": ["keyids", "threshold"],
"additionalProperties": false,
"properties": {
"keyids": {
"type": "array",
"items": {
"type": "string",
"minLength": 64,
"maxLength": 64,
"pattern": "^[a-f0-9]{64}$"
}
},
"threshold": {
"type": "number",
"minimum": 1
}
}
},
"snapshot": {
"type": "object",
"required": ["keyids", "threshold"],
"additionalProperties": false,
"properties": {
"keyids": {
"type": "array",
"items": {
"type": "string",
"minLength": 64,
"maxLength": 64,
"pattern": "^[a-f0-9]{64}$"
}
},
"threshold": {
"type": "number",
"minimum": 1
}
}
},
"targets": {
"type": "object",
"required": ["keyids", "threshold"],
"additionalProperties": false,
"properties": {
"keyids": {
"type": "array",
"items": {
"type": "string",
"minLength": 64,
"maxLength": 64,
"pattern": "^[a-f0-9]{64}$"
}
},
"threshold": {
"type": "number",
"minimum": 1
}
}
},
"timestamp": {
"type": "object",
"required": ["keyids", "threshold"],
"additionalProperties": false,
"properties": {
"keyids": {
"type": "array",
"items": {
"type": "string",
"minLength": 64,
"maxLength": 64,
"pattern": "^[a-f0-9]{64}$"
}
},
"threshold": {
"type": "number",
"minimum": 1
}
}
}
}
},
"spec_version": {
"type": "string",
"pattern": "^[0-9]+\\.[0-9]+(\\.[0-9]+)?$"
},
"version": {
"type": "number",
"minimum": 1
}
}
}
}
}
93 changes: 93 additions & 0 deletions schemas/snapshot.schema.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"additionalProperties": false,
"properties": {
"signatures": {
"type": "array",
"items": [
{
"type": "object",
"additionalProperties": false,
"properties": {
"keyid": {
"type": "string",
"minLength": 64,
"maxLength": 64,
"pattern": "^[a-f0-9]{64}$"
},
"sig": {
"type": "string",
"minLength": 1
}
},
"required": [
"keyid",
"sig"
]
}
]
},
"signed": {
"type": "object",
"additionalProperties": false,
"properties": {
"_type": {
"enum": ["snapshot"]
},
"expires": {
"type": "string",
"pattern": "^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$"
},
"meta": {
"type": "object",
"additionalProperties": true,
"properties": {
"targets.json": {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would expect you could match all items in the object with patternproperties, not just the "targets.json" field ?

"type": "object",
"additionalProperties": false,
"properties": {
"version": {
"type": "integer",
"minimum": 1
},
"length": {
"type": "integer",
"minimum": 1
},
"hashes": {
"type": "object"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is defined in targets schema but not here

}
},
"required": [
"version"
]
}
},
"required": [
"targets.json"
]
},
"spec_version": {
"type": "string",
"pattern": "^[0-9]+\\.[0-9]+(\\.[0-9]+)?$"
},
"version": {
"type": "integer",
"minimum": 1
}
},
"required": [
"_type",
"expires",
"meta",
"spec_version",
"version"
]
}
},
"required": [
"signatures",
"signed"
]
}
Loading