x/mod/sumdb/note: documentation for key formats is incomplete #56358
Labels
Documentation
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Comments
seankhliao
changed the title
seankhliao
added
the
NeedsInvestigation
|
I also found the docs hard to follow. https://go.dev/ref/mod#checksum-database doesn't mention the hash part. If it helps anyone else, starting from go/src/cmd/go/internal/modfetch/key.go Lines 7 to 9 in 2e792a8 Split on separator PKIX marshalled and PEM encoded: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The sumdb note documentation for key formats is incomplete. https://pkg.go.dev/golang.org/x/mod@v0.6.0/sumdb/note
The documentation states that
The standard implementation of a Verifier is constructed by NewVerifier starting from a verifier key, which is a plain text string of the form "<name>+<hash>+<keydata>".It appears that the hash is in hexadecimal, while the keydata is base64-encoded. I cannot find a description of this anywhere in the documentation. The documentation does say that the key hash is an unsigned 32 bit integer.
Also, the keydata is one byte of key type followed by the actual bytes of the key. The documentation does say this:
There is only one key type, Ed25519 with algorithm identifier 1. New key types may be introduced in the future as needed, although doing so will require deploying the new algorithms to all clients before starting to depend on them for signatures.. I don't see anywhere in the documentation that says that this algorithm identifier is the first byte of the keydata.Having this fully documented is useful when you have signatures produced in the sumdb note and key format, and you want to verify those signatures using a program written in another language.
The text was updated successfully, but these errors were encountered: