sigstore · haydentherapper · Mar 1, 2024 · Mar 1, 2024
diff --git a/cmd/tuf/app/add-delegation.go b/cmd/tuf/app/add-delegation.go
@@ -140,9 +140,7 @@ func DelegationCmd(ctx context.Context, opts *DelegationOptions) error {
 		if err != nil {
 			return err
 		}
-		// When adding the delegation we don't need to carry over the
-		// older deprecated format.
-		tufKey, err := pkeys.ConstructTufKeyFromPublic(ctx, publicKey, false)
+		tufKey, err := pkeys.ConstructTufKeyFromPublic(ctx, publicKey)
 		if err != nil {
 			return err
 		}

diff --git a/cmd/tuf/app/init.go b/cmd/tuf/app/init.go
@@ -180,8 +180,7 @@ func InitCmd(ctx context.Context, directory string,
 		}
 
 		// Construct TUF key.
-		// Only create keys using the current key type
-		tufKey, err := pkeys.ConstructTufKey(ctx, signer, false)
+		tufKey, err := pkeys.ConstructTufKey(ctx, signer)
 		if err != nil {
 			return err
 		}
@@ -342,8 +341,7 @@ func getKeysFromDir(dir string) ([]*data.PublicKey, error) {
 			if err != nil {
 				return nil, err
 			}
-			// Only add keys with the new format
-			tufKey, err := pkeys.EcdsaTufKey(key.PublicKey, false)
+			tufKey, err := pkeys.EcdsaTufKey(key.PublicKey)
 			if err != nil {
 				return nil, err
 			}

diff --git a/cmd/tuf/app/sign.go b/cmd/tuf/app/sign.go
@@ -54,7 +54,6 @@ func Sign() *ffcli.Command {
 		sk          = flagset.Bool("sk", false, "indicates use of a hardware key for signing")
 		key         = flagset.String("key", "", "reference to a signer for signing")
 		bumpVersion = flagset.Bool("bump-version", false, "bumps the version; useful for re-signing without changes")
-		addOldType  = flagset.Bool("add-old-type", false, "Add a signature using the old key type")
 	)
 	flagset.Var(&roles, "roles", "role(s) to sign")
 	return &ffcli.Command{
@@ -81,7 +80,7 @@ func Sign() *ffcli.Command {
 			if err != nil {
 				return err
 			}
-			return SignCmd(ctx, *repository, roles, signer, *bumpVersion, *addOldType)
+			return SignCmd(ctx, *repository, roles, signer, *bumpVersion)
 		},
 	}
 }
@@ -122,8 +121,8 @@ func checkMetaForRole(store tuf.LocalStore, role []string) error {
 	return nil
 }
 
-func SignCmd(ctx context.Context, directory string, roles []string,
-	signer signature.Signer, bumpVersion, addOldType bool) error {
+func SignCmd(ctx context.Context, directory string, roles []string, signer signature.Signer,
+	bumpVersion bool) error {
 	store := tuf.FileSystemStore(directory, nil)
 
 	if err := checkMetaForRole(store, roles); err != nil {
@@ -136,7 +135,7 @@ func SignCmd(ctx context.Context, directory string, roles []string,
 				return err
 			}
 		}
-		if err := SignMeta(ctx, store, name+".json", signer, addOldType); err != nil {
+		if err := SignMeta(ctx, store, name+".json", signer); err != nil {
 			return err
 		}
 	}
@@ -149,8 +148,7 @@ func SignCmd(ctx context.Context, directory string, roles []string,
 // Note that if you were using old format exclusively (for testing), then this will
 // have no impact on repository validity: extraneous key IDs for the role that are
 // not attested to in the trusted root or parent delegation will be ignored.
-func SignMeta(ctx context.Context, store tuf.LocalStore, name string,
-	signer signature.Signer, addOldType bool) error {
+func SignMeta(ctx context.Context, store tuf.LocalStore, name string, signer signature.Signer) error {
 	fmt.Printf("Signing metadata for %s... \n", name)
 	s, err := repo.GetSignedMeta(store, name)
 	if err != nil {
@@ -178,20 +176,10 @@ func SignMeta(ctx context.Context, store tuf.LocalStore, name string,
 	}
 
 	// Get TUF public IDs associated to the signer.
-	pubKey, err := keys.ConstructTufKey(ctx, signer, false)
-	var candidateKeyIDs []string
+	pubKey, err := keys.ConstructTufKey(ctx, signer)
 	if err != nil {
 		return err
 	}
-	candidateKeyIDs = append(candidateKeyIDs, pubKey.IDs()...)
-
-	if addOldType {
-		oldKey, err := keys.ConstructTufKey(ctx, signer, true)
-		if err != nil {
-			return err
-		}
-		candidateKeyIDs = append(candidateKeyIDs, oldKey.IDs()...)
-	}
 
 	role := strings.TrimSuffix(name, ".json")
 	roleSigningKeys, err := repo.GetSigningKeyIDsForRole(role, store)
@@ -201,7 +189,7 @@ func SignMeta(ctx context.Context, store tuf.LocalStore, name string,
 
 	// Filter key IDs with the role signing key map.
 	var keyIDs []string
-	for _, id := range candidateKeyIDs {
+	for _, id := range pubKey.IDs() {
 		// We check to make sure that the key ID is associated with the role's keys.
 		if _, ok := roleSigningKeys[id]; !ok {
 			continue

diff --git a/cmd/verify/app/keys.go b/cmd/verify/app/keys.go
@@ -71,23 +71,18 @@ func verifySigningKeys(dirname string, rootCA *x509.Certificate) (*KeyMap, error
 				log.Printf("error verifying key %d: %s", key.SerialNumber, err)
 				return nil, err
 			}
-
-			for _, bv := range []bool{true, false} {
-				tufKey, err := keys.EcdsaTufKey(key.PublicKey, bv)
-				if err != nil {
-					return nil, err
-				}
-				if len(tufKey.IDs()) == 0 {
-					return nil, errors.New("error getting key ID")
-				}
-				keyMap[tufKey.IDs()[0]] = key
+			tufKey, err := keys.EcdsaTufKey(key.PublicKey)
+			if err != nil {
+				return nil, err
 			}
+			if len(tufKey.IDs()) == 0 {
+				return nil, errors.New("error getting key ID")
+			}
+			keyMap[tufKey.IDs()[0]] = key
 
 			log.Printf("\nVERIFIED KEY WITH SERIAL NUMBER %d\n", key.SerialNumber)
 			log.Printf("TUF key ids: \n")
-			for kid := range keyMap {
-				log.Printf("\t%s ", kid)
-			}
+			log.Printf("\t%s ", tufKey.IDs()[0])
 		}
 	}
 	// Note we use relative path here to simplify things.

diff --git a/pkg/keys/keys.go b/pkg/keys/keys.go
@@ -95,23 +95,15 @@ func ToSigningKey(serialNumber int, pubKey []byte, deviceCert []byte, keyCert []
 }
 
 // EcdsaTufKey returns a PEM-encoded TUF public key for an ecdsa key.
-func EcdsaTufKey(pub *ecdsa.PublicKey, deprecatedType bool) (*data.PublicKey, error) {
+func EcdsaTufKey(pub *ecdsa.PublicKey) (*data.PublicKey, error) {
 	keyValBytes, err := json.Marshal(keys.EcdsaVerifier{
 		PublicKey: &keys.PKIXPublicKey{PublicKey: pub}})
 	if err != nil {
 		return nil, err
 	}
-
-	var keyType data.KeyType
-	if deprecatedType {
-		keyType = data.KeyTypeECDSA_SHA2_P256_OLD_FMT
-	} else {
-		keyType = data.KeyTypeECDSA_SHA2_P256
-	}
-
 	return &data.PublicKey{
 		// TODO: Update to new format for next key signing
-		Type:       keyType,
+		Type:       data.KeyTypeECDSA_SHA2_P256_OLD_FMT,
 		Scheme:     data.KeySchemeECDSA_SHA2_P256,
 		Algorithms: data.HashAlgorithms,
 		Value:      keyValBytes,
@@ -206,19 +198,19 @@ func (key SigningKey) Verify(root *x509.Certificate) error {
 }
 
 // ConstructTufKey constructs a TUF public key from a given signer.
-func ConstructTufKey(ctx context.Context, signer signature.Signer, deprecated bool) (*data.PublicKey, error) {
+func ConstructTufKey(ctx context.Context, signer signature.Signer) (*data.PublicKey, error) {
 	pub, err := signer.PublicKey(options.WithContext(ctx))
 	if err != nil {
 		return nil, err
 	}
-	return ConstructTufKeyFromPublic(ctx, pub, deprecated)
+	return ConstructTufKeyFromPublic(ctx, pub)
 }
 
 // ConstructTufKey constructs a TUF public key from a public key
-func ConstructTufKeyFromPublic(_ context.Context, pubKey crypto.PublicKey, deprecated bool) (*data.PublicKey, error) {
+func ConstructTufKeyFromPublic(_ context.Context, pubKey crypto.PublicKey) (*data.PublicKey, error) {
 	switch kt := pubKey.(type) {
 	case *ecdsa.PublicKey:
-		return EcdsaTufKey(kt, deprecated)
+		return EcdsaTufKey(kt)
 	default:
 		return nil, fmt.Errorf("ConstructTufKeyFromPublic: key type %s not supported", kt)
 	}

diff --git a/pkg/keys/keys_test.go b/pkg/keys/keys_test.go
@@ -160,7 +160,7 @@ func TestToSigningKey(t *testing.T) {
 				t.Errorf("unexpected error generating signing key (%s): %s", tt.name, err)
 			}
 			if tt.expectSuccess {
-				pemPubKey, err := EcdsaTufKey(key.PublicKey, true)
+				pemPubKey, err := EcdsaTufKey(key.PublicKey)
 				if err != nil {
 					t.Errorf("unexpected error generating PEM TUF public key: %s", err)
 				}
@@ -184,7 +184,7 @@ func TestGetSigningKey(t *testing.T) {
 	}
 
 	t.Run("valid signing key with PEM", func(t *testing.T) {
-		signingKeyPem, err := ConstructTufKey(ctx, signingKey, true)
+		signingKeyPem, err := ConstructTufKey(ctx, signingKey)
 		if err != nil {
 			t.Fatal(err)
 		}

diff --git a/scripts/step-2.sh b/scripts/step-2.sh
@@ -38,7 +38,7 @@ checkout_branch
 read -n1 -r -s -p "Insert your Yubikey, then press any key to continue...\n"
 
 # Sign the root and targets with hardware key
-./tuf sign -repository "$REPO" -roles root -roles targets -sk -add-old-type true
+./tuf sign -repository "$REPO" -roles root -roles targets -sk
 
 # Ask user to remove key (and replace with SSH security key)
 read -n1 -r -s -p "Remove your Yubikey, then press any key to continue...\n"