theupdateframework / specification

The Update Framework specification
https://theupdateframework.github.io/specification/

Conflicting signature keyid uniqueness requirements #308

Open lukpueh opened 3 months ago

lukpueh commented 3 months ago

This paragraph from the metadata format section ...

The keyid MUST be unique in the "signatures" array: multiple signatures with the same keyid are not allowed.

... seems to conflict with these paragraphs from the metadata format section ...

Note: The "signatures" list SHOULD only contain one SIGNATURE per KEYID. This helps prevent multiple signatures by the same key

... and the client workflow section ...

Even if a KEYID is listed more than once in the "signatures" list a client MUST NOT count more than one verified SIGNATURE from that KEYID towards the THRESHOLD.
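The two readings quoted above, written as a client-side threshold check. This is an added example, not part of the thread and not code from the specification or any TUF implementation: `strict=True` follows the MUST wording and rejects metadata with a repeated keyid, `strict=False` follows the SHOULD wording and counts each keyid once. HMAC-SHA256 and sorted-key JSON are stand-ins for public-key signatures and canonical JSON, and all names, keys and metadata are constructed.

```python
import hashlib
import hmac
import json


class DuplicateKeyidError(ValueError):
    """Raised in strict mode when a keyid repeats in "signatures"."""


def canonical(signed):
    # Simplification: sorted-key JSON stands in for TUF's canonical JSON.
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def sign(key, signed):
    # Stand-in for a public-key signature so the example needs only the stdlib.
    return hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()


def verified_keyids(metadata, role_keys, strict):
    """Return the set of authorized keyids with at least one valid signature."""
    expected_sigs = {k: sign(v, metadata["signed"]) for k, v in role_keys.items()}
    seen, verified = set(), set()
    for entry in metadata["signatures"]:
        keyid = entry["keyid"]
        if strict and keyid in seen:
            # MUST reading: a repeated keyid makes the metadata invalid.
            raise DuplicateKeyidError(keyid)
        seen.add(keyid)
        expected = expected_sigs.get(keyid)  # None: key not authorized for the role
        if expected and hmac.compare_digest(expected, entry["sig"]):
            verified.add(keyid)  # a set, so one keyid counts once
    return verified


def meets_threshold(metadata, role_keys, threshold, strict=False):
    return len(verified_keyids(metadata, role_keys, strict)) >= threshold


# Constructed sample data: two role keys, used below with a threshold of 2.
KEYS = {"keyid-a": b"constructed-key-a", "keyid-b": b"constructed-key-b"}
SIGNED = {"_type": "targets", "version": 1}


def make(keyids):
    sigs = [{"keyid": k, "sig": sign(KEYS[k], SIGNED)} for k in keyids]
    return {"signed": SIGNED, "signatures": sigs}


DUPLICATED = make(["keyid-a", "keyid-a"])  # one key signing twice
DISTINCT = make(["keyid-a", "keyid-b"])
```

Under either reading, `DUPLICATED` fails a threshold of 2; the readings differ only in whether the client rejects the file outright or counts the single signer and continues.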

jku commented 3 months ago

Was this meant for the spec repo?

I think what happened was that the first quote and the second quote were worked on at the same time in separate PRs... Second one was just merged two years later.

lukpueh commented 3 months ago

Was this meant for the spec repo?

Oops. Yes. Sorry. Let me transfer.

I think what happened was that the first quote and the second quote were worked on at the same time in separate PRs... Second one was just merged two years later.

I think so too. Still seems worthy to fix.

JustinCappos commented 3 months ago

What do you think the best resolution is?

On Mon, Aug 19, 2024 at 5:58 AM Lukas Pühringer @.***> wrote:

This paragraph from the metadata format section https://github.com/theupdateframework/specification/blob/258ad50dd7fdb77e77e651b186a3468d4039ccdb/tuf-spec.md#L543-L544 ...

The keyid MUST be unique in the "signatures" array: multiple signatures with the same keyid are not allowed.

... seems to conflict with these paragraphs from the metadata format section https://github.com/theupdateframework/specification/blob/258ad50dd7fdb77e77e651b186a3468d4039ccdb/tuf-spec.md#L550-L551 ...

Note: The "signatures" list SHOULD only contain one SIGNATURE per KEYID. This helps prevent multiple signatures by the same key

... and the client workflow section https://github.com/theupdateframework/specification/blob/258ad50dd7fdb77e77e651b186a3468d4039ccdb/tuf-spec.md#L1337-L1339 ...

Even if a KEYID is listed more than once in the "signatures" list a client MUST NOT count more than one verified SIGNATURE from that KEYID towards the THRESHOLD.
