Multiple signatures in the same OpenPGP messsage

[robertohueso]

https://github.com/containers/container-libs/blob/cacf85512cdeea00364bae0bef9f612e51126aa3/image/docs/containers-signature.5.md mentions An image can have any number of signatures so signature distribution systems SHOULD support associating more than one signature with an image. but it's not totally clear to me if the expectation is:

1. The OpenPGP message must include a single signature (so multiple OpenPGP messages must be generated with their associated container-signature).
2. The OpenPGP message can include multiple signatures (so a single container-signature may contain multiple signatures).

Can you provide some clarification on this? :)

[mtrmac]

It is 1; https://github.com/containers/container-libs/blob/cacf85512cdeea00364bae0bef9f612e51126aa3/image/docs/signature-protocols.md documents how the individual signatures are represented as separate blobs.

[robertohueso]

Thank you @mtrmac! After reading that doc, it's true that it hints option 1 is the expectation, but it still doesn't sound explicit/clear enough to me.

My concern is that according to containers-signature.5.md: The blob MUST be a “Signed Message” as defined RFC 4880 section 11.3.. If we look at the RFC, it says: Signed Message :- Signature Packet, OpenPGP Message | One-Pass Signed Message. and it also defines OpenPGP Message :- Encrypted Message | Signed Message | Compressed Message | Literal Message.. If we put everything together, a Signed Message can also be a sequential composition of Signed Messages.

That's why I believe it makes sense to make it explicit in https://github.com/containers/container-libs/blob/cacf85512cdeea00364bae0bef9f612e51126aa3/image/docs/containers-signature.5.md.

I created PR #426 so that you can see what are the proposed changes.

What do you think?