Fix setup role (#511)

* fix: fix setup role when public key specified in keys-description * chore: formatting * chore: fix mypy error * chore: update changelog
openlawlibrary · Aug 23, 2024 · a163ea2 · a163ea2
1 parent f94b9c3
commit a163ea2
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -40,6 +40,9 @@ and this project adheres to [Semantic Versioning][semver].
 
 ### Fixed
 
+- Fix setup role when specifying public keys in keys-description ([511])
+
+[511]: https://github.com/openlawlibrary/taf/pull/511
 [508]: https://github.com/openlawlibrary/taf/pull/508
 [504]: https://github.com/openlawlibrary/taf/pull/504
 [494]: https://github.com/openlawlibrary/taf/pull/494

diff --git a/taf/api/targets.py b/taf/api/targets.py
@@ -368,7 +368,7 @@ def register_target_files(
         prompt_for_keys=prompt_for_keys,
     )
 
-    if write:
+    if updated and write:
         taf_repo.writeall()
         if commit:
             auth_repo = AuthenticationRepository(path=taf_repo.path)

diff --git a/taf/api/utils/_roles.py b/taf/api/utils/_roles.py
@@ -1,3 +1,4 @@
+import tuf
 from logging import DEBUG, INFO
 from typing import Dict, List, Optional, Union
 from functools import partial
@@ -95,7 +96,7 @@ def get_roles_and_paths_of_key(
 @log_on_end(DEBUG, "Finished setting up role {role.name:s}", logger=taf_logger)
 def setup_role(
     role: Role,
-    repository: Repository,
+    repository: TUFRepository,
     verification_keys: Dict,
     signing_keys: Optional[Dict] = None,
     parent: Optional[Targets] = None,
@@ -125,6 +126,14 @@ def setup_role(
                 role_obj.add_external_signature_provider(
                     key, partial(yubikey_signature_provider, key_name, key["keyid"])
                 )
+        # Even though we add all verification keys (public keys directly specified in the keys-description)
+        # and those loaded from YubiKeys, only those directly specified in keys-description are registered
+        # as previous_keys
+        # this means that TUF expects at least one of those signing keys to be present
+        # we are setting up this role, so there should be no previous keys
+        tuf.roledb._roledb_dict[repository._repository_name][role.name][
+            "previous_keyids"
+        ] = []
 
 
 def _role_obj(