Adopt upstream DSSE model change

Adopt `securesystemslib.dsse.Envelope.signatures` type change from list to dict (secure-systems-lab/securesystemslib/pull/743) in `in_toto.models.metadata.Envelope` subclass. Signed-off-by: Lukas Puehringer <[email protected]>
lukpueh · Apr 29, 2024 · 550a8d9 · 550a8d9
1 parent e211d31
commit 550a8d9
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 8 deletions.
diff --git a/in_toto/in_toto_sign.py b/in_toto/in_toto_sign.py
@@ -72,7 +72,7 @@ def _sign_and_dump_metadata(metadata, args):
 
     try:
         if not args.append:
-            metadata.signatures = []
+            metadata.signatures.clear()
 
         signature = None
         # If the cli tool was called with `--gpg [KEYID ...]` `args.gpg` is

diff --git a/in_toto/models/metadata.py b/in_toto/models/metadata.py
@@ -156,7 +156,7 @@ def from_signable(cls, signable: Signable) -> "Envelope":
         return cls(
             payload=json_bytes,
             payload_type=ENVELOPE_PAYLOAD_TYPE,
-            signatures=[],
+            signatures={},
         )
 
     def create_signature(self, signer: Signer) -> Signature:

diff --git a/in_toto/runlib.py b/in_toto/runlib.py
@@ -41,7 +41,7 @@
 import securesystemslib.exceptions
 import securesystemslib.formats
 import securesystemslib.hash
-from securesystemslib.signer import Key, Signature, Signer
+from securesystemslib.signer import Key, Signer
 
 import in_toto.exceptions
 import in_toto.settings
@@ -994,12 +994,16 @@ def in_toto_record_stop(
         LOG.info(
             "Verifying preliminary link signature using default gpg key..."
         )
-        # signatures are objects in DSSE.
-        sig = link_metadata.signatures[0]
-        if isinstance(sig, Signature):
-            keyid = sig.keyid
+
+        # The `signatures` field is not part of the common Envelope/Metablock
+        # interface, so we need to case handle. Note that we shouldn't be
+        # accessing `signatures` here in the first place (see FIXME above).
+        if isinstance(link_metadata, Envelope):
+            keyid = link_metadata.signatures.values()[0].keyid
+
         else:
-            keyid = sig["keyid"]
+            keyid = link_metadata.signatures[0]["keyid"]
+
         gpg_pubkey = securesystemslib._gpg.functions.export_pubkey(
             keyid, gpg_home
         )