Bug
Resolution: Done
Critical
ANSTRAT-411 - Content Signing
Description
We tested signing on https://console.stage.redhat.com and you can attach any MANIFEST.json.asc file to a collection as long as it is signed with the correct key, even if it is from another collection. No error is thrown from either the signature upload or when it is approved. We are not sure if this is expected behavior or a bug.
The Upload Signature button also disappears after uploading one signature and does not allow a replacement upload. This is pre-approval on the approval dashboard.
Key Dependency Versions
N/A
Steps to Reproduce
Uploaded ibm.ibm_zosmf:1.1.0 as a new collection.
As a test, sign the MANIFEST.json file of ibm.ibm_spectrum_virtualize:1.7.0 with the automationhub1 key and upload the resulting .asc file as the signature for ibm.ibm_zosmf:1.1.0.
No error is given. The signature button disappears after first signature upload and does not allow replacement. Collection can be approved and moved to published without error.
Actual Behavior
Collection is approved with incorrect MANIFEST.json.asc file attached.
Signatures cannot be replaced on the approval dashboard once one is uploaded.
Expected Behavior
AH throws an error when attaching the incorrect .asc file pre-approval.
Signatures should be able to be replaced on the approval dashboard pre-approval.
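
One way a server-side check can bind an uploaded MANIFEST.json.asc to the collection it is attached to, as an added example (not Automation Hub's own code): verify the detached signature against that collection's own MANIFEST.json and accept only a VALIDSIG from a trusted key. The function names, fingerprint and sample status lines are constructed for illustration; the gpg options are standard GnuPG ones.

```python
import subprocess

# Status keywords that must never appear for an accepted signature.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def evaluate_status(status_text, trusted_fprs):
    """Decide from `gpg --status-fd` output whether a signature is acceptable.

    Returns (ok, reason). Accept only if a trusted key produced a VALIDSIG
    over the data that was actually passed to gpg and nothing was rejected.
    """
    trusted = {f.upper() for f in trusted_fprs}
    signer_ok = False
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword = parts[1]
        if keyword in REJECT:
            # BADSIG is what gpg reports when a signature from the right key
            # was made over a different file (another collection's manifest).
            return False, keyword
        if keyword == "VALIDSIG" and len(parts) >= 3:
            # parts[2] is the signing (sub)key, the last field the primary key.
            if {parts[2].upper(), parts[-1].upper()} & trusted:
                signer_ok = True
    return (True, "VALIDSIG") if signer_ok else (False, "no trusted VALIDSIG")

def verify_manifest_signature(manifest_path, sig_path, keyring, trusted_fprs):
    """Verify sig_path as a detached signature over THIS collection's manifest."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", sig_path, manifest_path],
        capture_output=True, text=True)
    return evaluate_status(proc.stdout, trusted_fprs)

# Constructed status output (fingerprint and key id are made-up values).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OWN_MANIFEST = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 example signer\n"
    f"[GNUPG:] VALIDSIG {FPR} 2022-01-01 1640995200 0 4 0 1 8 00 {FPR}\n")
OTHER_MANIFEST = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 89ABCDEF01234567 example signer\n")
```

Running the check at upload time, against the MANIFEST.json extracted from the collection artifact being signed, lets the wrong .asc be rejected before it reaches the approval step.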