Merge pull request #1091 from mnm678/check-key-uniqueness

Each key applies to signature threshold once

Author: joshuagl

tests/test_sig.py

@@ -436,9 +436,9 @@ def test_verify_count_different_keyids_for_same_key_towards_threshold(self):
     tuf.keydb.add_key(key_sha256)
     tuf.keydb.add_key(key_sha512)
 
-    # Assert that both keys count towards threshold although its the same key
+    # Assert that the key only counts toward the threshold once
     keyids = [key_sha256["keyid"], key_sha512["keyid"]]
-    self.assertTrue(
+    self.assertFalse(
         tuf.sig.verify(signable, "root", keyids=keyids, threshold=2))
 
     # Clean-up keydb

tuf/sig.py

@@ -245,8 +245,7 @@ def verify(signable, role, repository_name='default', threshold=None,
     NOTE:
     - Signatures with identical authorized keyids only count towards the
       threshold once.
-    - Signatures with different authorized keyids each count towards the
-      threshold, even if the keyids identify the same key.
+    - Signatures with the same key only count toward the threshold once.
 
   <Arguments>
     signable:
@@ -307,7 +306,12 @@ def verify(signable, role, repository_name='default', threshold=None,
   if threshold is None or threshold <= 0: #pragma: no cover
     raise securesystemslib.exceptions.Error("Invalid threshold: " + repr(threshold))
 
-  return len(set(good_sigs)) >= threshold
+  unique_keys = set()
+  for keyid in good_sigs:
+    key = tuf.keydb.get_key(keyid, repository_name)
+    unique_keys.add(key['keyval']['public'])
+
+  return len(unique_keys) >= threshold