-
Notifications
You must be signed in to change notification settings - Fork 109
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Client accepts expires values in non-UTC timezones #136
Comments
First thanks so much for taking a deeper look! Two comments (2) The go client does not verify this, if this is a specification that requires this, I think it should be enforced in the client validating the metadata (validating the metadata and retrieving targets via the client never caught this!) |
Ah, my mistake – I didn't dig deep enough and assumed it was a go-tuf issue. Thanks for the swift comment. I've filed an issue against sigstore/root-signing here sigstore/root-signing#27 and updated the description here to highlight that this is not a bug in go-tuf metadata creation.
I've updated description above to suggest this too. go-tuf maintainers, feel free to close this WONTFIX if you are not interested in validating the date-time format in the client. |
another related issue is including microseconds -- my reading is that they are not allowed as the format string is specified:
I don't think there is a security issue in supporting/accepting msecs in a client, but it should be difficult to create metadata with msecs. |
Note: description edited to clarify that this is not a go-tuf metadata generation issue.
While looking at the metadata generated for the sigstore root of trust I noticed that the expires entries in the metadata encodes a non-UTC timezone:
(from 1.root.json)
Whereas the the specification suggests time should always be in UTC:
@asraa pointed out below that the expires field is not set by go-tuf, so the issue here (if any) is that the client does not verify that the date-time in the expires field is in UTC.
The text was updated successfully, but these errors were encountered: