Metadata API: Use OrderedDict for signatures

Jussi Kukkonen · Jussi Kukkonen · commit 760d453d24ce · 2021-06-03T11:18:45.000+03:00
Dict ordering is part of regular Dict from Python 3.7: Use OrderedDict
for signatures to make sure signatures are serialized in a reproducible
order even on 3.6.

The added benefit is that reader will immediately understand that the
order has some significance.

Signed-off-by: Jussi Kukkonen &lt;jkukkonen@vmware.com&gt;
diff --git a/tuf/api/metadata.py b/tuf/api/metadata.py
@@ -18,7 +18,17 @@
 import abc
 import tempfile
 from datetime import datetime, timedelta
-from typing import Any, ClassVar, Dict, List, Mapping, Optional, Tuple, Type
+from typing import (
+    Any,
+    ClassVar,
+    Dict,
+    List,
+    Mapping,
+    Optional,
+    OrderedDict,
+    Tuple,
+    Type,
+)
 
 from securesystemslib.keys import verify_signature
 from securesystemslib.signer import Signature, Signer
@@ -48,11 +58,13 @@ class Metadata:
         signed: A subclass of Signed, which has the actual metadata payload,
             i.e. one of Targets, Snapshot, Timestamp or Root.
 
-        signatures: A dict of keyids to Securesystemslib Signature objects,
-            each signing the canonical serialized representation of 'signed'.
+        signatures: An ordered dictionary of keyids to Signature objects, each
+            signing the canonical serialized representation of 'signed'.
     """
 
-    def __init__(self, signed: "Signed", signatures: Dict[str, Signature]):
+    def __init__(
+        self, signed: "Signed", signatures: OrderedDict[str, Signature]
+    ):
         self.signed = signed
         self.signatures = signatures
 
@@ -89,7 +101,7 @@ def from_dict(cls, metadata: Dict[str, Any]) -> "Metadata":
             raise ValueError(f'unrecognized metadata type "{_type}"')
 
         # Make sure signatures are unique
-        signatures: Dict[str, Signature] = {}
+        signatures = OrderedDict[str, Signature]()
         for sig_dict in metadata.pop("signatures"):
             sig = Signature.from_dict(sig_dict)
             if sig.keyid in signatures:
@@ -249,7 +261,9 @@ def sign(
         if append:
             self.signatures[signature.keyid] = signature
         else:
-            self.signatures = {signature.keyid: signature}
+            self.signatures = OrderedDict[str, Signature](
+                {signature.keyid: signature}
+            )
 
         return signature
 
