specification icon indicating copy to clipboard operation
specification copied to clipboard
verified publisher icon theupdateframework

Conflicting signature keyid uniqueness requirements

Open lukpueh opened this issue 1 year ago • 3 comments

This paragraph from the metadata format section ...

The keyid MUST be unique in the "signatures" array: multiple signatures with the same keyid are not allowed.

... seems to conflict with these paragraphs from the metadata format section ...

Note: The "signatures" list SHOULD only contain one SIGNATURE per KEYID. This helps prevent multiple signatures by the same key

... and the client workflow section ...

Even if a KEYID is listed more than once in the "signatures" list a client MUST NOT count more than one verified SIGNATURE from that KEYID towards the THRESHOLD.

lukpueh avatar Aug 19 '24 08:08 lukpueh

was this meant for the spec repo?

I think what happened was that the first quote and the second quote were worked on at the same time in separate PRs... Seconds one was just merged two years later.

jku avatar Aug 19 '24 08:08 jku

was this meant for the spec repo?

Oops. Yes. Sorry. Let me transfer.

I think what happened was that the first quote and the second quote were worked on at the same time in separate PRs... Seconds one was just merged two years later.

I think so too. Still seems worthy to fix.

lukpueh avatar Aug 19 '24 09:08 lukpueh

What do you think the best resolution is?

On Mon, Aug 19, 2024 at 5:58 AM Lukas Pühringer @.***> wrote:

This paragraph from the metadata format section https://github.com/theupdateframework/specification/blob/258ad50dd7fdb77e77e651b186a3468d4039ccdb/tuf-spec.md#L543-L544 ...

The keyid MUST be unique in the "signatures" array: multiple signatures with the same keyid are not allowed.

... seems to conflict with these paragraphs from the metadata format section https://github.com/theupdateframework/specification/blob/258ad50dd7fdb77e77e651b186a3468d4039ccdb/tuf-spec.md#L550-L551 ...

Note: The "signatures" list SHOULD only contain one SIGNATURE per KEYID. This helps prevent multiple signatures by the same key

... and the client workflow section https://github.com/theupdateframework/specification/blob/258ad50dd7fdb77e77e651b186a3468d4039ccdb/tuf-spec.md#L1337-L1339 ...

Even if a KEYID is listed more than once in the "signatures" list a client MUST NOT count more than one verified SIGNATURE from that KEYID towards the THRESHOLD.

— Reply to this email directly, view it on GitHub https://github.com/theupdateframework/specification/issues/308, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAGROD77PRRLJWOCCKPVZ7LZSG6S7AVCNFSM6AAAAABMXPQPNSVHI2DSMVQWIX3LMV43ASLTON2WKOZSGQ3TEOJVGI4DGMI . You are receiving this because you are subscribed to this thread.Message ID: @.***>

JustinCappos avatar Aug 31 '24 22:08 JustinCappos