Skip to content

Fix: improve tuf spec conformance and match functionality to tuf-js implementation #13

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Nov 29, 2025
Merged

Fix: improve tuf spec conformance and match functionality to tuf-js implementation #13

merged 6 commits into from
Nov 29, 2025
+95 −60

Conversation

@sachaservan
Copy link
Collaborator

@sachaservan sachaservan commented Nov 28, 2025

  • add length verification for metadata files (snapshot, targets) and target files per TUF spec 5.5.2/5.6.2
  • verify all provided hash algorithms, not just sha256 (fixes an open TODO)
  • validate signature threshold >= 1 to match tuf-js verifications in Role
  • validate required top-level roles exist (root, timestamp, snapshot, targets) to match verifications in tuf-js Role
  • Document keyid verification deviation that matches tuf-js behavior

@sachaservan
docs: explain deviation from spec and why it matches tuf-js
062439b
@sachaservan
fix: add length verification for snapshot and targets metadata
0617900
@sachaservan
fix: add length verification for target files
0632e0a
@sachaservan
fix: resolve todo and verify all hash types
692448d
@sachaservan
fix: validate signature threshold to match tuf-js
55890bd 
Add validation in checkSignatures to reject threshold < 1, matching
tuf-js behavior in Role constructor.
@sachaservan
fix: validate top-level roles and duplicate keyids to match tuf-js
57cf81a 
Add validation in loadRoot to:
- Ensure all required top-level roles exist (root, timestamp, snapshot, targets)
- Reject roles with duplicate keyids

Matches tuf-js validation in Root constructor and Role constructor.
@sachaservan sachaservan requested a review from lsd-cat November 28, 2025 16:20
@lsd-cat lsd-cat merged commit 0f2c18a into main Nov 29, 2025
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lsd-cat lsd-cat lsd-cat approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sachaservan @lsd-cat