-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
empty (unused) signatures left in metadata #157
Comments
I think this might actually happen everytime a signer is removed. It cannot be too hard to figure out some improvement here: Options seem to be:
So the difference is mostly, do we want to make sure delegation changes don't break delegated metadata signatures (and how do we do it), see #95. Case 2 (we don't make those checks) is likely a lot easier |
I think what I want is:
|
yes we're hitting this:
I believe this same thing happens in almost every case of this bug, and the issue will resolve itself on the next metadata version... so I'm inclined to not do workarounds at least at this point. |
After some more thought:
My opinion is that clients should be able to process metadata with invalid signatures -- and if there are enough valid signatures, must consider the metadata valid. |
Agree! |
during the root-signing-staging import (sigstore/root-signing-staging#21) the registry.npmjs.org role was changed:
After signing the metadata looked like this:
That first empty signature should not be there: the metadata is valid but that should not happen
The text was updated successfully, but these errors were encountered: