Fully specify all fields within signatures

specification.md

@@ -32,13 +32,16 @@ The signature format is a JSON message of the following form:
  "payload": "<Base64(SERIALIZED_BODY)>",
  "payloadType": "<PAYLOAD_TYPE>",
  "signatures": [{
- …,
+ "keyid": "<KEYID>",
  "sig": "<Base64(Sign(PAE([UTF8(PAYLOAD_TYPE), SERIALIZED_BODY])))>"
- }, …]
+ }]
 }
 ```
 
-where:
+Empty fields may be omitted. [Multiple signatures](#multiple-signatures) are
+allowed.
+
+Parameters:
 
 * SERIALIZED_BODY is the byte sequence to be signed.
 
@@ -54,6 +57,11 @@ where:
  - https://theupdateframework.com/Root/v1.0.5
  - etc...
 
+* KEYID is an optional, unauthenticated hint indicating what key was used to
+ sign the message. It **must not** be used for security decisions.
+
+Functions:
+
 * PAE() is the
  [PASETO Pre-Authentication Encoding](https://github.com/paragonie/paseto/blob/master/docs/01-Protocol-Versions/Common.md#authentication-padding),
  where parameters `type` and `body` are byte sequences:
@@ -81,6 +89,7 @@ To sign:
 - Serialize BODY according to PAYLOAD_TYPE. Call the result SERIALIZED_BODY.
 - Sign PAE([UTF8(PAYLOAD_TYPE), SERIALIZED_BODY]), base64-encode the result,
  and store it in `sig`.
+- Optionally, compute a KEYID and store it in `keyid`.
 - Base64-encode SERIALIZED_BODY and store it in `payload`.
 - Store PAYLOAD_TYPE in `payloadType`.
 
@@ -108,9 +117,9 @@ valid while avoiding the verifier from having to use [Canonical JSON].
  "payload": "<Base64(CanonicalJson(BODY))>",
  "payloadType": "<URI>/backwards-compatible-json",
  "signatures" : [{
- …,
- "sig" : "<Base64(Sign(CanonicalJson(BODY)))>"
- }, …]
+ "keyid": "<KEYID>",
+ "sig": "<Base64(Sign(CanonicalJson(BODY)))>"
+ }]
 }
 ```
 
@@ -121,6 +130,7 @@ To sign:
 - BODY **must** be an object type (`{...}`).
 - Serialize BODY as [Canonical JSON]; call this SERIALIZED_BODY.
 - Sign SERIALIZED_BODY, base64-encode the result, and store it in `sig`.
+- Optionally, compute a KEYID and store it in `keyid`.
 - Base64-encode SERIALIZED_BODY and store it in `payload`.
 - Store `"<URI>/backwards-compatible-json"` in `payloadType`.
 
@@ -144,6 +154,25 @@ This scheme is safe from rollback attacks because the first byte of
 SERIALIZED_BODY must be 0x7b (`{`) in backwards compatibility mode and 0x02 in
 regular mode.
 
+### Multiple signatures
+
+A file may have more than one signature, which is equivalent to separate files
+with individual signatures.
+
+```json
+{
+ "payload": "<Base64(SERIALIZED_BODY)>",
+ "payloadType": "<PAYLOAD_TYPE>",
+ "signatures": [{
+ "keyid": "<KEYID_1>",
+ "sig": "<SIG_1>"
+ }, {
+ "keyid": "<KEYID_2>",
+ "sig": "<SIG_2>"
+ }]
+}
+```
+
 ### Optional changes to wrapper
 
 The standard wrapper is JSON with an explicit `payloadType`. Optionally,
@@ -278,9 +307,9 @@ used by TUF and in-toto has a BODY that is a regular JSON object and a signature
 {
  "signed": <BODY>,
  "signatures": [{
- …,
+ "keyid": "<KEYID>",
  "sig": "<Hex(Sign(CanonicalJson(BODY)))>"
- }, …]
+ }]
 }
 ```
 
@@ -299,11 +328,13 @@ To convert an existing signature to the new format:
 - `new.payload = base64encode(CanonicalJson(orig.signed))`
 - `new.payloadType = "<URI>/backwards-compatible-json"`
 - `new.signatures[*].sig = base64encode(hexdecode(orig.signatures[*].sig))`
+- `new.signatures[*].keyid = orig.signatures[*].keyid`
 
 To convert a backwards compatible signature to the old format:
 
 - `old.signed = jsonparse(base64decode(new.payload))`
 - `old.signatures[*].sig = hexencode(base64decode(new.signatures[*].sig))`
+- `old.signatures[*].keyid = new.signatures[*].keyid`
 
 ## Testing