Summary
The artifact-signing fix in 617378fc ("fix: issuer signature in golden path dropping") is correct and
important — auths sign <file> was producing device-only attestations that failed verification with
"missing issuer signature". The fix makes a file attestation always carry an issuer signature. But the
fallback when no --key is given assumes the device key is the issuer key, which is only true for a
single-key identity.
Where
crates/auths-cli/src/commands/artifact/sign.rs:
// A file attestation must be attributable to the signing identity, so it always
// carries an issuer signature: use the explicit `--key` when given, otherwise the
// same key that signs as the device (for a single-key identity they are one key).
identity_key: Some(SigningKeyMaterial::Alias(KeyAlias::new_unchecked(
key.unwrap_or(device_key),
))),The concern
For a single-key identity this is correct (device and issuer are the same key — the comment says so,
and the new test_golden_path_artifact_sign_verify covers it). For a multi-key identity, falling back
to device_key as the issuer signer may be wrong:
- the device key may not be the authoritative issuer key for that identity, so the attestation's "issuer
signature" could be produced by the wrong key; and/or
- it collapses issuer == device when they are meant to be distinct, which a verifier may (or may not)
accept depending on how the issuer slot is checked.
Ask
Confirm the multi-key path, then pick one:
- It's fine — multi-key identities always pass
--key, and that's enforced/documented. Add a test
that asserts the fallback is only reachable for single-key identities (or that sign errors clearly if
no --key is given on a multi-key identity).
- It's wrong — the fallback should resolve the identity's actual issuer key rather than assume
device_key. Add a multi-key sign → verify test.
Severity
Low–medium. The single-key default works and is regression-tested; this only matters if artifact signing
is relied on for multi-key identities without an explicit --key. Worth a glance before that path is
trusted.
Summary
The artifact-signing fix in
617378fc("fix: issuer signature in golden path dropping") is correct andimportant —
auths sign <file>was producing device-only attestations that failed verification with"missing issuer signature". The fix makes a file attestation always carry an issuer signature. But the
fallback when no
--keyis given assumes the device key is the issuer key, which is only true for asingle-key identity.
Where
crates/auths-cli/src/commands/artifact/sign.rs:The concern
For a single-key identity this is correct (device and issuer are the same key — the comment says so,
and the new
test_golden_path_artifact_sign_verifycovers it). For a multi-key identity, falling backto
device_keyas the issuer signer may be wrong:signature" could be produced by the wrong key; and/or
accept depending on how the issuer slot is checked.
Ask
Confirm the multi-key path, then pick one:
--key, and that's enforced/documented. Add a testthat asserts the fallback is only reachable for single-key identities (or that
signerrors clearly ifno
--keyis given on a multi-key identity).device_key. Add a multi-keysign → verifytest.Severity
Low–medium. The single-key default works and is regression-tested; this only matters if artifact signing
is relied on for multi-key identities without an explicit
--key. Worth a glance before that path istrusted.