Encountering a problem when attempting to operate TUF in high-availability mode.

[VikramPunnam]

I've installed the scaffold helm chart version 0.6.34 on the private EKS cluster and enabled high availability (e.g., 2 replicas) for all Sigstore components.
TUF Version: v0.6.9

However, when attempting to initialize cosign locally with the TUF server endpoint, I encounter the following error. It works well with a single replica, but not with multiple replicas.

Error Log:
I have no name!@88ee01017644:/cosign-keys$ cosign initialize --root https://dev-tuf.xxxx.local/root.json --mirror https://dev-tuf.xxxx.local
Error: updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download snapshot.json: wrong sha512 hash, expected ca750294e29cf4be22f1107e2b242dc02f1ee67331f6307c72a3c791229e4521c1afc070d312a1fc961ad82a517ea70c86b4cbb5fd640fe66fc78f36f0f28ecb got 10e3ca2fc51ac0a7bf44488b320595cef4e7231955b6dc67ea229229acad22c7cf4f46cdec3856d4f5891e7df48550cc65dd309664faf8db052a32bf81ec78ea
remote status:{
"mirror": "https://dev-tuf.xxxx.local",
"metadata": {
"root.json": {
"version": 1,
"len": 2178,
"expiration": "08 Jun 24 11:52 UTC",
"error": ""
},
"snapshot.json": {
"version": 1,
"len": 617,
"expiration": "08 Jun 24 11:52 UTC",
"error": ""
},
"targets.json": {
"version": 1,
"len": 716,
"expiration": "08 Jun 24 11:51 UTC",
"error": ""
},
"timestamp.json": {
"version": 1,
"len": 619,
"expiration": "08 Jun 24 11:51 UTC",
"error": ""
}
}
}
main.go:74: error during command execution: updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download snapshot.json: wrong sha512 hash, expected ca750294e29cf4be22f1107e2b242dc02f1ee67331f6307c72a3c791229e4521c1afc070d312a1fc961ad82a517ea70c86b4cbb5fd640fe66fc78f36f0f28ecb got 10e3ca2fc51ac0a7bf44488b320595cef4e7231955b6dc67ea229229acad22c7cf4f46cdec3856d4f5891e7df48550cc65dd309664faf8db052a32bf81ec78ea
remote status:{
"mirror": "https://dev-tuf.xxxx.local",
"metadata": {
"root.json": {
"version": 1,
"len": 2178,
"expiration": "08 Jun 24 11:52 UTC",
"error": ""
},
"snapshot.json": {
"version": 1,
"len": 617,
"expiration": "08 Jun 24 11:52 UTC",
"error": ""
},
"targets.json": {
"version": 1,
"len": 716,
"expiration": "08 Jun 24 11:51 UTC",
"error": ""
},
"timestamp.json": {
"version": 1,
"len": 619,
"expiration": "08 Jun 24 11:51 UTC",
"error": ""
}
}
}

Please help to resolve the above issue.

[VikramPunnam]

Hi,

Can anyone please suggest on the above issue?

[vipulagarwal]

The current implementation of tuf-server in scaffolding does not support multiple replicas.

It would be great to have this feature though. When running private Sigstore, it would be easy to just fetch the TUF root from the tuf-server using the --root <url> rather than managing the offline copy of the TUF root. Highly available tuf-server will definitely help in such implementation.

Please correct me if this is the wrong/insecure approach.