mirror of
https://github.com/theupdateframework/python-tuf
Remove client check of the keyid calculation. This check is redundant as the keyid is provided in signed metadata. Removing this check allows the client to avoid use of the keyid_hash_algorithms field during verification. Note that this change requires a small change to the securesystemslib API.
Signed-off-by: marinamoore <mmoore32@calpoly.edu>
parent
e095112be7
commit
9fa92e2286
1 changed files with 3 additions and 11 deletions
|
|
@ -951,18 +951,10 @@ def _import_delegations(self, parent_role):
|
|||
# We specify the keyid to ensure that it's the correct keyid
|
||||
# for the key.
|
||||
try:
|
||||
key, keyids = securesystemslib.keys.format_metadata_to_key(keyinfo, keyid)
|
||||
|
||||
# The repo may have used hashing algorithms for the generated keyids
|
||||
# that doesn't match the client's set of hash algorithms. Make sure
|
||||
# to only used the repo's selected hashing algorithms.
|
||||
hash_algorithms = securesystemslib.settings.HASH_ALGORITHMS
|
||||
securesystemslib.settings.HASH_ALGORITHMS = keyinfo['keyid_hash_algorithms']
|
||||
key, keyids = securesystemslib.keys.format_metadata_to_key(keyinfo)
|
||||
securesystemslib.settings.HASH_ALGORITHMS = hash_algorithms
|
||||
|
||||
for key_id in keyids:
|
||||
key['keyid'] = key_id
|
||||
tuf.keydb.add_key(key, keyid=None, repository_name=self.repository_name)
|
||||
key['keyid'] = keyid
|
||||
tuf.keydb.add_key(key, keyid=None, repository_name=self.repository_name)
|
||||
|
||||
except tuf.exceptions.KeyAlreadyExistsError:
|
||||
pass
|
||||
|
|
|
|||
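Review bot: The retained comment `# We specify the keyid to ensure that it's the correct keyid for the key.` no longer describes the new code, which appears to assign `key['keyid'] = keyid` straight from the metadata instead of deriving it from the key material. I would replace it with something like `# keyid is taken as-is from the signed delegating metadata; it is not recomputed from the key.` Because the keyid is now only a label, the `except tuf.exceptions.KeyAlreadyExistsError: pass` kept below presumably also covers a keyid that is already registered with different key material. That case should be checked, or at least logged, rather than swallowed; whether it can occur depends on how `tuf.keydb.add_key` compares entries, which is not visible here. The `keyids` return value is now unused and could be bound to `_`, and the body of `_import_delegations` starts and ends outside this hunk.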