Conflicting signature keyid uniqueness requirements

[lukpueh]

This paragraph from the metadata format section ...

The keyid MUST be unique in the "signatures" array: multiple
signatures with the same keyid are not allowed.

... seems to conflict with these paragraphs from the metadata format section ...

Note: The "signatures" list SHOULD only contain one SIGNATURE per
KEYID. This helps prevent multiple signatures by the same key

... and the client workflow section ...

Even if a KEYID is listed more than once in the
"signatures" list a client MUST NOT count more than one verified
SIGNATURE from that KEYID towards the THRESHOLD.

[jku]

was this meant for the spec repo?

I think what happened was that the first quote and the second quote were worked on at the same time in separate PRs... Seconds one was just merged two years later.

[lukpueh]

was this meant for the spec repo?

Oops. Yes. Sorry. Let me transfer.

I think what happened was that the first quote and the second quote were worked on at the same time in separate PRs... Seconds one was just merged two years later.

I think so too. Still seems worthy to fix.

[JustinCappos]

What do you think the best resolution is?

…

On Mon, Aug 19, 2024 at 5:58 AM Lukas Pühringer ***@***.***> wrote: This paragraph from the metadata format section <https://github.com/theupdateframework/specification/blob/258ad50dd7fdb77e77e651b186a3468d4039ccdb/tuf-spec.md#L543-L544> ... The keyid MUST be unique in the "signatures" array: multiple signatures with the same keyid are not allowed. ... seems to conflict with these paragraphs from the metadata format section <https://github.com/theupdateframework/specification/blob/258ad50dd7fdb77e77e651b186a3468d4039ccdb/tuf-spec.md#L550-L551> ... Note: The "signatures" list SHOULD only contain one SIGNATURE per KEYID. This helps prevent multiple signatures by the same key ... and the client workflow section <https://github.com/theupdateframework/specification/blob/258ad50dd7fdb77e77e651b186a3468d4039ccdb/tuf-spec.md#L1337-L1339> ... Even if a KEYID is listed more than once in the "signatures" list a client MUST NOT count more than one verified SIGNATURE from that KEYID towards the THRESHOLD. — Reply to this email directly, view it on GitHub <#308>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAGROD77PRRLJWOCCKPVZ7LZSG6S7AVCNFSM6AAAAABMXPQPNSVHI2DSMVQWIX3LMV43ASLTON2WKOZSGQ3TEOJVGI4DGMI> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>