Conflicting signature keyid uniqueness requirements #308
Comments
Was this meant for the spec repo? I think what happened was that the first quote and the second quote were worked on at the same time in separate PRs... Second one was just merged two years later.
Oops. Yes. Sorry. Let me transfer.
I think so too. Still seems worthy to fix.
What do you think the best resolution is?
…On Mon, Aug 19, 2024 at 5:58 AM Lukas Pühringer ***@***.***> wrote:
This paragraph from the metadata format section
<https://github.com/theupdateframework/specification/blob/258ad50dd7fdb77e77e651b186a3468d4039ccdb/tuf-spec.md#L543-L544>
...
The keyid MUST be unique in the "signatures" array: multiple
signatures with the same keyid are not allowed.
... seems to conflict with these paragraphs from the metadata format
section
<https://github.com/theupdateframework/specification/blob/258ad50dd7fdb77e77e651b186a3468d4039ccdb/tuf-spec.md#L550-L551>
...
Note: The "signatures" list SHOULD only contain one SIGNATURE per
KEYID. This helps prevent multiple signatures by the same key
... and the client workflow section
<https://github.com/theupdateframework/specification/blob/258ad50dd7fdb77e77e651b186a3468d4039ccdb/tuf-spec.md#L1337-L1339>
...
Even if a KEYID is listed more than once in the
"signatures" list a client MUST NOT count more than one verified
SIGNATURE from that KEYID towards the THRESHOLD.
This paragraph from the metadata format section ...
... seems to conflict with these paragraphs from the metadata format section ...
... and the client workflow section ...
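
How the quoted rules diverge on the same input, as an added example that is not part of the thread, the specification, or any TUF implementation. HMAC-SHA256 stands in for a real signature scheme, and all keys, keyids, payloads and function names are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed keys and payload. HMAC-SHA256 is a stand-in for a real
# signature scheme so the example runs on the standard library alone.
KEYS = {"k1": b"demo-secret-1", "k2": b"demo-secret-2"}
SIGNED = b'{"_type":"targets","version":1}'

def sign(keyid, payload=SIGNED):
    mac = hmac.new(KEYS[keyid], payload, hashlib.sha256).hexdigest()
    return {"keyid": keyid, "sig": mac}

def verify(sig, payload=SIGNED):
    key = KEYS.get(sig["keyid"])
    if key is None:
        return False
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["sig"])

def duplicate_keyids(signatures):
    """Keyids listed more than once, which the MUST-be-unique rule forbids."""
    counts = Counter(s["keyid"] for s in signatures)
    return sorted(k for k, n in counts.items() if n > 1)

def naive_count(signatures, authorized):
    """Flawed: counts every valid signature, so a repeated keyid inflates it."""
    return sum(1 for s in signatures if s["keyid"] in authorized and verify(s))

def verified_keyids(signatures, authorized):
    """Distinct authorized keyids with at least one valid signature."""
    return {s["keyid"] for s in signatures
            if s["keyid"] in authorized and verify(s)}

def meets_threshold(signatures, authorized, threshold, strict=False):
    """strict=True rejects any repeated keyid (the MUST rule); otherwise
    repeats are tolerated but each keyid counts once (client workflow rule)."""
    if strict and duplicate_keyids(signatures):
        return False
    return len(verified_keyids(signatures, authorized)) >= threshold

AUTHORIZED = {"k1", "k2"}
DUP = [sign("k1"), sign("k1")]            # one key signing twice
MIXED = DUP + [sign("k2")]                # two distinct signers, one repeated
```

With a threshold of 2, `MIXED` is accepted under the lenient reading and rejected under the strict one, which is the point where the quoted paragraphs disagree; `DUP` fails under both.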