From ae54c85b2240b7ee0cdcda252d8e8672c21c5896 Mon Sep 17 00:00:00 2001 From: marinamoore Date: Tue, 28 Jul 2020 12:25:32 -0700 Subject: [PATCH] Each key applies to signature threshold once This commit ensures that each key will only count toward the signature threshold once, even if the keys have different keyids. Signed-off-by: marinamoore --- tests/test_sig.py | 4 ++-- tuf/sig.py | 10 +++++++--- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/tests/test_sig.py b/tests/test_sig.py index 10a189d363..1876c44a45 100755 --- a/tests/test_sig.py +++ b/tests/test_sig.py @@ -436,9 +436,9 @@ def test_verify_count_different_keyids_for_same_key_towards_threshold(self): tuf.keydb.add_key(key_sha256) tuf.keydb.add_key(key_sha512) - # Assert that both keys count towards threshold although its the same key + # Assert that the key only counts toward the threshold once keyids = [key_sha256["keyid"], key_sha512["keyid"]] - self.assertTrue( + self.assertFalse( tuf.sig.verify(signable, "root", keyids=keyids, threshold=2)) # Clean-up keydb diff --git a/tuf/sig.py b/tuf/sig.py index f32a947406..2494765bf2 100755 --- a/tuf/sig.py +++ b/tuf/sig.py @@ -245,8 +245,7 @@ def verify(signable, role, repository_name='default', threshold=None, NOTE: - Signatures with identical authorized keyids only count towards the threshold once. - - Signatures with different authorized keyids each count towards the - threshold, even if the keyids identify the same key. + - Signatures with the same key only count toward the threshold once. signable: @@ -307,7 +306,12 @@ def verify(signable, role, repository_name='default', threshold=None, if threshold is None or threshold <= 0: #pragma: no cover raise securesystemslib.exceptions.Error("Invalid threshold: " + repr(threshold)) - return len(set(good_sigs)) >= threshold + unique_keys = set() + for keyid in good_sigs: + key = tuf.keydb.get_key(keyid, repository_name) + unique_keys.add(key['keyval']['public']) + + return len(unique_keys) >= threshold