mirror of
https://github.com/theupdateframework/python-tuf
synced 2026-05-24 10:08:28 +00:00
client: new root sigs only counted once per keyid
When verifying newly downloaded root metadata with the keys listed in the root metadata being verified, multiple signatures with the same keyid should not be counted towards the threshold. A keyid should only count once towards the threshold. This fixes the _verify_root_self_signed() method introduced in PR #1101 to ensure that keyids are only counted once when verifying a threshold of new root signatures. Signed-off-by: Joshua Lock <jlock@vmware.com>
This commit is contained in:
parent
71cb00478e
commit
83ac7be525
1 changed files with 3 additions and 3 deletions
|
|
@ -1385,7 +1385,7 @@ def _verify_root_self_signed(self, signable):
|
|||
signatures = signable['signatures']
|
||||
signed = securesystemslib.formats.encode_canonical(
|
||||
signable['signed']).encode('utf-8')
|
||||
validated = 0
|
||||
verified_sig_keyids = set()
|
||||
|
||||
for signature in signatures:
|
||||
keyid = signature['keyid']
|
||||
|
|
@ -1403,9 +1403,9 @@ def _verify_root_self_signed(self, signable):
|
|||
valid_sig = securesystemslib.keys.verify_signature(key, signature, signed)
|
||||
|
||||
if valid_sig:
|
||||
validated = validated + 1
|
||||
verified_sig_keyids.add(keyid)
|
||||
|
||||
if validated >= threshold:
|
||||
if len(verified_sig_keyids) >= threshold:
|
||||
return True
|
||||
return False
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue