Possible bug in skipping keys when keyIDs don't match

Currently, [this line](https://github.com/secure-systems-lab/go-securesystemslib/blob/69233cc2977ebd65aef18b14e4ee26fe090c5146/dsse/verify.go#L69) appears to be incorrectly skipping a key when its keyID don't match the one from the signature.

For example, if the key's keyID is missing and [needs](https://github.com/secure-systems-lab/go-securesystemslib/blob/69233cc2977ebd65aef18b14e4ee26fe090c5146/dsse/verify.go#L64-L66) to be computed, then the error would be nonnil, and the keyID would be empty, but it appears that the IF condition above wouldn't catch it.

The IF condition above seems to be making the mistake of doing two things in one (handling edge cases and but also catching an error). The impact shouldn't be high as the [next](https://github.com/secure-systems-lab/go-securesystemslib/blob/69233cc2977ebd65aef18b14e4ee26fe090c5146/dsse/verify.go#L74-L76) error handling should ultimately skip any mismatching keys anyway (unless there is a bug in the key's verifier itself). I recommend simplifying the IF condition do to what was actually intended.

Cc @adityasaky 

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Possible bug in skipping keys when keyIDs don't match #85

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Possible bug in skipping keys when keyIDs don't match #85

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions