
Layout Replay

Low
adityasaky published GHSA-73jv-h86v-c2vh Apr 4, 2023

Package

No package listed

Affected versions

<=0.9

Patched versions

None

Description

Impact

The layout file contains an expiration date that is intended to prevent attackers (to a certain extent) from replaying to users older layout versions that might contain security vulnerabilities. Nevertheless, it might be possible for attackers to block the roll-out of a certain version and perform replays during the expiration period.

{
    "signed": {
        "_type": "layout",
        "expires": "2023-03-10T10:02:43Z"
    }
}

Patches

Workarounds

X41 recommends adding a version number or counter to the layout so that users can verify whether they are missing an in-between version. Additionally, users can use the version number to detect layout replay.
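The following is an added illustration, not in-toto's own code, of a verifier-side freshness check that combines the existing "expires" field with the version counter recommended above. The "version" field and the last-seen version the verifier stores locally are assumptions; layouts up to 0.9 have no such field.

```python
"""Freshness check for an in-toto layout "signed" body.

Combines the existing "expires" timestamp with a hypothetical monotonic
"version" counter so a verifier can tell an expired layout, a replayed
(older or repeated) layout, and a skipped in-between version apart.
"""
import json
from datetime import datetime, timezone

# Constructed sample layout body; "version" is the hypothetical counter.
SAMPLE_LAYOUT = json.loads("""
{
  "signed": {
    "_type": "layout",
    "expires": "2023-03-10T10:02:43Z",
    "version": 7
  }
}
""")


def parse_expires(value):
    """Parse the in-toto timestamp format (ISO 8601, UTC, 'Z' suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_layout_freshness(layout, now, last_seen_version):
    """Classify a layout against the verifier's clock and the last accepted
    version. Returns one of "ok", "expired", "replay" or "gap".

    Policy assumed here: the counter increments by exactly one per published
    layout, so any jump larger than one means a version was withheld."""
    signed = layout["signed"]
    if signed.get("_type") != "layout":
        raise ValueError("not an in-toto layout")
    # The expiration check is the only freshness check in-toto <=0.9 performs.
    if parse_expires(signed["expires"]) <= now:
        return "expired"
    version = signed["version"]
    if version <= last_seen_version:
        return "replay"   # an older or already-seen layout is being served again
    if version > last_seen_version + 1:
        return "gap"      # an in-between version never reached this verifier
    return "ok"
```

A verifier would persist the accepted version after an "ok" result so the next layout is checked against it.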

However, in-toto considers replay and other attacks that can affect the selection of the layout used for verification as out of scope. Instead, frameworks like TUF should be used to correctly associate the right versions of in-toto metadata with the artifacts being verified. For more information about using in-toto and TUF together, see ITEs 2 and 3.

References

Severity

Low

CVE ID

No known CVE

Weaknesses