Add comment to affected modules...

explaining why locally generated keyids use the hashing algorithms specified in metadata's 'keyid_hash_algorithms' field. Signed-off-by: Vladimir Diaz <vladimir.v.diaz@gmail.com>
2026-05-24 10:08:28 +00:00 · 2018-04-12 11:43:03 -04:00 · 2018-04-12 11:43:03 -04:00 · 903ff0a280
commit 903ff0a280
parent 55d368d9d4
4 changed files with 14 additions and 0 deletions
--- a/tuf/client/updater.py
+++ b/tuf/client/updater.py
@ -954,6 +954,9 @@ def _import_delegations(self, parent_role):
        # for the key.
        try:

+          # The repo may have used hashing algorithms for the generated keyids
+          # that doesn't match the client's set of hash algorithms.  Make sure
+          # to only used the repo's selected hashing algorithms.
          hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS
          securesystemslib.settings.HASH_ALGORITHMS = keyinfo['keyid_hash_algorithms']
          key, keyids = securesystemslib.keys.format_metadata_to_key(keyinfo)
--- a/tuf/keydb.py
+++ b/tuf/keydb.py
@ -123,6 +123,9 @@ def create_keydb_from_root_metadata(root_metadata, repository_name='default'):
      # default keyid listed in 'key_dict'.  The additional keyids are
      # generated according to securesystemslib.settings.HASH_ALGORITHMS.

+      # The repo may have used hashing algorithms for the generated keyids that
+      # doesn't match the client's set of hash algorithms.  Make sure to only
+      # used the repo's selected hashing algorithms.
      hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS
      securesystemslib.settings.HASH_ALGORITHMS = key_metadata['keyid_hash_algorithms']
      key_dict, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata)
--- a/tuf/repository_lib.py
+++ b/tuf/repository_lib.py
@ -685,6 +685,10 @@ def _load_top_level_metadata(repository, top_level_filenames, repository_name):

    # Add the keys specified in the delegations field of the Targets role.
    for key_metadata in six.itervalues(targets_metadata['delegations']['keys']):
+
+      # The repo may have used hashing algorithms for the generated keyids
+      # that doesn't match the client's set of hash algorithms.  Make sure
+      # to only used the repo's selected hashing algorithms.
      hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS
      securesystemslib.settings.HASH_ALGORITHMS = key_metadata['keyid_hash_algorithms']
      key_object, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata)
--- a/tuf/repository_tool.py
+++ b/tuf/repository_tool.py
@ -3024,6 +3024,10 @@ def load_repository(repository_directory, repository_name='default'):
    # The repository maintainer should have also been made aware of the
    # duplicate key when it was added.
    for key_metadata in six.itervalues(metadata_object['delegations']['keys']):
+
+      # The repo may have used hashing algorithms for the generated keyids
+      # that doesn't match the client's set of hash algorithms.  Make sure
+      # to only used the repo's selected hashing algorithms.
      hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS
      securesystemslib.settings.HASH_ALGORITHMS = key_metadata['keyid_hash_algorithms']
      key_object, keyids = securesystemslib.keys.format_metadata_to_key(key_metadata)