Description
Since the change introduced in #187 in order to conform with the specification, existing CoRIMs published by vendors can no longer be parsed by cocli or the corim package, because these CoRIMs were created (or accepted) using an earlier version of cocli which did not require the unsigned payload to be tagged.
For example, parsing CoRIMs published on Solidigm's download page:

```
% cocli corim display -f PS10xx-G70YG100-U2-16TB.cbor
Error: error decoding CoRIM (signed or unsigned) from corim/manifests/solidigm/PS10xx-G70YG100-U2-16TB.cbor: did not see unsigned CoRIM tag
```

Similar issues affect the CoRIMs published by Nvidia via their RIM API service, which also fail:

```
% cocli corim display -f corim/manifests/nvidia/NV_NIC_FIRMWARE_CX7_28.39.4082-LTS_MCX713104AC-ADA.cbor
Error: error decoding CoRIM (signed or unsigned) from corim/manifests/nvidia/NV_NIC_FIRMWARE_CX7_28.39.4082-LTS_MCX713104AC-ADA.cbor: did not see unsigned CoRIM tag
```
Is the expectation here that vendors will need to recreate and republish these CoRIMs and/or version them in order to remain current with the draft specifications? This breaking change introduces quite a few challenges for those of us writing verifiers, and I am looking for advice.

Edit: I understand that in previous versions we had to strip the leading IANA tags (also documented by Nvidia); however, this was only for the outer signed corim (not the inner unsigned corim payload).
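
A triage sketch for verifier authors, added here as an example; it is not code from the issue, from cocli, or from the corim package. It reads only the CBOR framing to report whether a CoRIM, or the payload of a signed CoRIM, carries the unsigned-CoRIM tag. Assumptions: the tag number is 501 (taken from the CoRIM draft, not stated on this page), the function names are hypothetical, and only definite-length CBOR is handled.

```python
TAG_UNSIGNED_CORIM = 501  # assumption: tag number from the CoRIM draft, not from this page
def head(b, i):
    """Decode one CBOR item head at offset i: (major type, argument, next offset)."""
    if i >= len(b) or (b[i] & 0x1F) > 27:    # indefinite lengths are not handled
        raise ValueError("truncated or unsupported CBOR")
    major, ai = b[i] >> 5, b[i] & 0x1F
    if ai < 24:
        return major, ai, i + 1
    end = i + 1 + (1 << (ai - 24))
    if end > len(b):
        raise ValueError("truncated or unsupported CBOR")
    return major, int.from_bytes(b[i + 1:end], "big"), end

def skip(b, i):
    """Return the offset just past the complete item that starts at offset i."""
    major, arg, i = head(b, i)
    if major in (2, 3):                      # byte or text string: arg is its length
        return i + arg
    for _ in range({4: arg, 5: 2 * arg, 6: 1}.get(major, 0)):
        i = skip(b, i)
    return i

def kind(b):
    """Strip leading tags; return what follows and the offset after its head."""
    tags = []
    major, arg, nxt = head(b, 0)
    while major == 6:
        tags.append(arg)
        major, arg, nxt = head(b, nxt)
    if major == 5:
        return ("tagged" if TAG_UNSIGNED_CORIM in tags else "untagged"), nxt
    if major == 4 and arg == 4:              # COSE_Sign1 is a 4-element array
        return "sign1", nxt
    raise ValueError("neither a CoRIM map nor a COSE_Sign1 array")

def classify(b):
    """Describe how a CoRIM is encoded. No signature verification is performed."""
    k, i = kind(b)
    if k != "sign1":
        return k + " unsigned CoRIM"
    i = skip(b, skip(b, i))                  # protected, then unprotected headers
    major, length, i = head(b, i)
    if major != 2 or i + length > len(b):
        raise ValueError("COSE_Sign1 payload is not an embedded byte string")
    return "signed CoRIM, " + kind(b[i:i + length])[0] + " payload"

# Constructed sample: tag 18, empty-map payload without tag 501, empty signature.
LEGACY = bytes.fromhex("d28443a10126a041a040")
if __name__ == "__main__":
    print(classify(LEGACY))
```

Because the COSE signature covers the payload bytes as published, any compatibility handling for an untagged payload belongs after signature verification and must leave the signed bytes unchanged.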