diff --git a/tests/test_repository_lib.py b/tests/test_repository_lib.py index aecefb11..e754d70e 100755 --- a/tests/test_repository_lib.py +++ b/tests/test_repository_lib.py @@ -649,13 +649,25 @@ def test_sign_metadata(self): root_private_key = \ repo_lib.import_rsa_privatekey_from_file(root_private_keypath, 'password') + # Sign with a valid, but not a threshold, key. + targets_private_keypath = os.path.join(keystore_path, 'targets_key') + targets_private_key = \ + repo_lib.import_rsa_privatekey_from_file(targets_private_keypath, + 'password') + # sign_metadata() expects the private key 'root_metadata' to be in # 'tuf.keydb'. Remove any public keys that may be loaded before # adding private key, otherwise a 'tuf.KeyAlreadyExists' exception is # raised. tuf.keydb.remove_key(root_private_key['keyid']) tuf.keydb.add_key(root_private_key) - + tuf.keydb.remove_key(targets_private_key['keyid']) + tuf.keydb.add_key(targets_private_key) + + root_keyids.extend(tuf.roledb.get_role_keyids('targets')) + # Add the snapshot's public key (to test whether non-private keys are + # ignored by sign_metadata()). + root_keyids.extend(tuf.roledb.get_role_keyids('snapshot')) root_signable = repo_lib.sign_metadata(root_metadata, root_keyids, root_filename) self.assertTrue(tuf.formats.SIGNABLE_SCHEMA.matches(root_signable)) @@ -669,7 +681,7 @@ def test_sign_metadata(self): self.assertRaises(tuf.FormatError, repo_lib.sign_metadata, root_metadata, root_keyids, 3) - # Test + # Test for a key that does not contain the private portion. diff --git a/tuf/repository_lib.py b/tuf/repository_lib.py index ccf17122..5ee92038 100755 --- a/tuf/repository_lib.py +++ b/tuf/repository_lib.py @@ -1795,11 +1795,14 @@ def sign_metadata(metadata_object, keyids, filename): for signature in signable['signatures']: if not keyid == signature['keyid']: signatures.append(signature) + + else: + continue signable['signatures'] = signatures # Generate the signature using the appropriate signing method. if key['keytype'] in SUPPORTED_KEY_TYPES: - if len(key['keyval']['private']): + if 'private' in key['keyval']: signed = signable['signed'] signature = tuf.keys.create_signature(key, signed) signable['signatures'].append(signature)