secure-systems-lab · lukpueh · Apr 3, 2024 · Mar 9, 2024 · Mar 12, 2024 · Mar 12, 2024
diff --git a/securesystemslib/dsse.py b/securesystemslib/dsse.py
@@ -17,12 +17,15 @@ class Envelope:
     Attributes:
         payload: Arbitrary byte sequence of serialized body.
         payload_type: string that identifies how to interpret payload.
-        signatures: list of Signature.
+        signatures: dict of Signature key id and Signatures.
 
     """
 
     def __init__(
-        self, payload: bytes, payload_type: str, signatures: List[Signature]
+        self,
+        payload: bytes,
+        payload_type: str,
+        signatures: Dict[str, Signature],
     ):
         self.payload = payload
         self.payload_type = payload_type
@@ -58,18 +61,23 @@ def from_dict(cls, data: dict) -> "Envelope":
         payload = b64dec(data["payload"])
         payload_type = data["payloadType"]
 
-        signatures = []
+        signatures = {}
         for signature in data["signatures"]:
             signature["sig"] = b64dec(signature["sig"]).hex()
-            signatures.append(Signature.from_dict(signature))
+            signature = Signature.from_dict(signature)
+            if signature.keyid in signatures:
+                raise ValueError(
+                    f"Multiple signatures found for keyid {signature.keyid}"
+                )
+            signatures[signature.keyid] = signature
 
         return cls(payload, payload_type, signatures)
 
     def to_dict(self) -> dict:
         """Returns the JSON-serializable dictionary representation of self."""
 
         signatures = []
-        for signature in self.signatures:
+        for signature in list(self.signatures.values()):
             sig_dict = signature.to_dict()
             sig_dict["sig"] = b64enc(bytes.fromhex(sig_dict["sig"]))
             signatures.append(sig_dict)
@@ -101,7 +109,7 @@ def sign(self, signer: Signer) -> Signature:
         """
 
         signature = signer.sign(self.pae())
-        self.signatures.append(signature)
+        self.signatures[signature.keyid] = signature
 
         return signature
 
@@ -140,7 +148,7 @@ def verify(self, keys: List[Key], threshold: int) -> Dict[str, Key]:
         if len(keys) < threshold:
             raise ValueError("Number of keys can't be less than threshold")
 
-        for signature in self.signatures:
+        for signature in list(self.signatures.values()):
             for key in keys:
                 # If Signature keyid doesn't match with Key, skip.
                 if not key.keyid == signature.keyid:

diff --git a/tests/test_dsse.py b/tests/test_dsse.py
@@ -38,7 +38,7 @@ def test_envelope_from_to_dict(self):
 
         # create envelope object from its dict.
         envelope_obj = Envelope.from_dict(envelope_dict)
-        for signature in envelope_obj.signatures:
+        for signature in list(envelope_obj.signatures.values()):
             self.assertIsInstance(signature, Signature)
 
         # Assert envelope dict created by to_dict will be equal.
@@ -105,7 +105,7 @@ def test_sign_and_verify(self):
 
         # Check for signatures of Envelope.
         self.assertEqual(len(self.key_dicts), len(envelope_obj.signatures))
-        for signature in envelope_obj.signatures:
+        for signature in list(envelope_obj.signatures.values()):
             self.assertIsInstance(signature, Signature)
 
         # Test for invalid threshold value for keys_list.