Fix threshold counting for duplicate public keys #733

Merged: rdimitrov merged 1 commit into master from chrome-runner on May 19, 2026


@rdimitrov
Contributor

Summary

  • Count verified threshold contributions by resolved public key fingerprint instead of key ID.
  • Prevent duplicate key records for the same public key from satisfying multi-key thresholds.
  • Add regression coverage for ECDSA, Ed25519, and RSA duplicate-public-key cases.

Testing

  • go test ./metadata -run 'TestVerifyDelegate(Duplicate|Threshold|$)' -count=1 -v

Copilot AI review requested due to automatic review settings May 19, 2026 07:53
@rdimitrov rdimitrov requested a review from a team as a code owner May 19, 2026 07:53

Copilot AI left a comment

Pull request overview

This PR fixes delegation threshold verification so duplicate metadata key records that resolve to the same public key cannot satisfy multi-key thresholds by themselves.

Changes:

  • Counts verified threshold contributions by SHA-256 fingerprint of the resolved public key.
  • Adds regression tests for duplicate public keys across ECDSA, Ed25519, and RSA cases.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| metadata/metadata.go | Uses PKIX public-key fingerprints instead of key IDs when counting verified threshold contributors. |
| metadata/metadata_test.go | Adds duplicate-public-key regression coverage for delegated target verification. |


Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
Member

@kommendorkapten kommendorkapten left a comment

Thanks, looks good.

@rdimitrov rdimitrov merged commit f5edbde into master May 19, 2026
26 checks passed
@rdimitrov rdimitrov deleted the chrome-runner branch May 19, 2026 08:44
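
The counting change discussed in this PR, as an added Go example that is not the project's own code: one Ed25519 public key is listed under two key IDs, and verified signatures are deduplicated once by key ID and once by SHA-256 of the PKIX-encoded public key. The names Sig, countSigners and demo are hypothetical, the key and payload are constructed, and a threshold of 2 is assumed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Sig is a hypothetical signature entry that names its key record by ID.
type Sig struct {
	KeyID string
	Value []byte
}

// countSigners verifies each signature and returns how many distinct signers
// there are when deduplicated by key ID and by SHA-256 of the PKIX public key.
func countSigners(keys map[string]ed25519.PublicKey, sigs []Sig, msg []byte) (int, int, error) {
	ids, fps := map[string]bool{}, map[[sha256.Size]byte]bool{}
	for _, s := range sigs {
		pub, ok := keys[s.KeyID]
		if !ok || !ed25519.Verify(pub, msg, s.Value) {
			continue // unknown key ID or invalid signature: no contribution
		}
		der, err := x509.MarshalPKIXPublicKey(pub)
		if err != nil {
			return 0, 0, err
		}
		ids[s.KeyID] = true            // counting by key ID: duplicates count twice
		fps[sha256.Sum256(der)] = true // counting by fingerprint: one per public key
	}
	return len(ids), len(fps), nil
}

// demo uses constructed data: the same public key recorded under two key IDs.
func demo() (int, int, error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed key
	pub := priv.Public().(ed25519.PublicKey)
	msg := []byte("constructed delegated-targets payload")
	sig := ed25519.Sign(priv, msg)
	keys := map[string]ed25519.PublicKey{"id-a": pub, "id-b": pub}
	return countSigners(keys, []Sig{{"id-a", sig}, {"id-b", sig}}, msg)
}

func main() {
	byID, byKey, err := demo()
	fmt.Println("by key ID:", byID, "by public key:", byKey, "err:", err)
}
```

With a threshold of 2, the key-ID count would accept this metadata on the strength of a single key, while the fingerprint count leaves it one signer short.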