Skip to content

Address VerifyDelegate last-wins signature selection and uniqueness c…#748

Open
udf2457 wants to merge 1 commit into
theupdateframework:masterfrom
udf2457:verifydelegate
Open

Address VerifyDelegate last-wins signature selection and uniqueness c…#748
udf2457 wants to merge 1 commit into
theupdateframework:masterfrom
udf2457:verifydelegate

Conversation

@udf2457

@udf2457 udf2457 commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

At present VerifyDelegate has no break and the last matching signature wins silently.

Adding the break statement makes it clear we only want one signature per keyID. In addition, it is slightly more efficient as we stop searching after finding a match

Second, adding some defense in depth by catching duplicate keyIDs both during loading and verification.

…heck

At present `VerifyDelegate` has no `break` and the last matching signature wins silently.

Adding the `break` statement makes it clear we only want one signature per keyID.  In addition, it is slightly more efficient as we stop searching after finding a match

Second, adding some defense in depth by catching duplicate keyIDs both during loading and verification.

Signed-off-by: udf2457 <udf2457@users.noreply.github.com>
@udf2457
udf2457 requested a review from a team as a code owner June 19, 2026 11:57
Copilot AI review requested due to automatic review settings June 19, 2026 11:57

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tightens delegated-metadata signature verification in Metadata.VerifyDelegate by preventing ambiguous “last match wins” behavior and adding explicit validation to reject duplicate signature keyIDs.

Changes:

  • Adds an early duplicate-signature (duplicate keyID) check for delegated metadata passed into VerifyDelegate.
  • Makes signature selection deterministic and slightly more efficient by breaking out of signature scans after the first matching keyID is found.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread metadata/metadata.go
Comment on lines +261 to +263
// Early check for duplicate signatures in the delegated metadata
switch d := delegatedMetadata.(type) {
case *Metadata[RootType]:
Comment thread metadata/metadata.go
Comment on lines +261 to +279
// Early check for duplicate signatures in the delegated metadata
switch d := delegatedMetadata.(type) {
case *Metadata[RootType]:
if err := checkUniqueSignatures(*d); err != nil {
return err
}
case *Metadata[SnapshotType]:
if err := checkUniqueSignatures(*d); err != nil {
return err
}
case *Metadata[TimestampType]:
if err := checkUniqueSignatures(*d); err != nil {
return err
}
case *Metadata[TargetsType]:
if err := checkUniqueSignatures(*d); err != nil {
return err
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: No status

Development

Successfully merging this pull request may close these issues.

2 participants