Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove the optional "kid" parameter #1511

Conversation

lubosmj
Copy link
Member

@lubosmj lubosmj commented Feb 14, 2024

This removes the key identifier stored in the JWK's header in the manifest v2 schema 1 signatures' payload.

The "kid" parameter is optional in JWK. This parameter might be also considered irrelevant because the key pair for ECDSA is generated each time the conversion from schema 2 to schema 1 happens. So, clients cannot verify the origin of the signature with the fingerprint/kid because the public key is created on the fly and then immediately trashed.

Ref: https://www.rfc-editor.org/rfc/rfc7517#section-4.5
Ref: https://docker-docs.uclv.cu/registry/spec/manifest-v2-1/

closes #1485

(cherry picked from commit 59e06e5)

This removes the key identifier stored in the JWK's header in the
manifest v2 schema 1 signatures' payload.

The "kid" parameter is optional in JWK. This parameter might be also
considered irrelevant because the key pair for ECDSA is generated each
time the conversion from schema 2 to schema 1 happens. So, clients
cannot verify the origin of the signature with the fingerprint/kid
because the public key is created on the fly and then immediately trashed.

Ref: https://www.rfc-editor.org/rfc/rfc7517#section-4.5
Ref: https://docker-docs.uclv.cu/registry/spec/manifest-v2-1/

closes pulp#1485

(cherry picked from commit 59e06e5)
@lubosmj lubosmj merged commit 2661865 into pulp:2.15 Feb 15, 2024
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants