Metadata API: (maybe) Enforce public key content uniqueness in keys
See original GitHub issueRoot and targets have a keys
dictionary with keyid
as key. It would be nice to know for sure that these keys are actually unique keys (and not e.g. the same key content with two different keyids).
One solution would be to validate that the keyid is correct according to spec:
KEYID: … a hexdigest of the SHA-256 hash of the canonical form of the key.
Having looked at the securesystemslib implementation I don’t think we can consider keyid reproducible… what SSLib considers canonical form depends on the settings that were used on the machine that generated the key, and those settings are not stored on the key itself.
The other solution would be to validate key content uniqueness in the keys dict ourselves. This might make sense: we could just not accept a keys dictionary that contained two keys with identical key content – I don’t think there’s a non-malicious, non-error case where that would happen.
Issue Analytics
- State:
- Created 2 years ago
- Comments:10 (9 by maintainers)
Top GitHub Comments
Maybe yes?
Thanks. So to recap: