[bug] client/testadata/Published2Times_keyrotated_invalidOldRootSignature is incorrect

[asraa]

Blocks #370

The client test:

go-tuf/client/client_test.go

Line 520 in 3890c1e

{"testdata/Published2Times_keyrotated_invalidOldRootSignature", errors.New("tuf: signature verification failed"), map[string]int64{}},

intended on validating that the client will fail with the old root key did not sign the new root. It currently passes on a correct error. The error is due to an invalid signature on the new root:

$ cat client/testdata/Published2Times_keyrotated_invalidOldRootSignature/server/metadata/2.root.json | jq
{
  "signatures": [
    {
      "keyid": "05e17c1501d627b2597322f80d33aacec6f30a507552d3326a88913422b0e30b",
      "sig": "000000"
    },

BUT! Critically: this was the NEW added key. The old key did sign the new root. And because it's also part of the new root's trusted root keys, that single signature suffices the update.

In reality, this was a VALID update, because the threshold is 1, and the old key correctly signed both the old and new root.

In order to fix, note that

1. the testcase client/testdata/Published2Times_keyrotated_invalidNewRootSignature is actually the one testing tampering of the old root signature.
2. this testcase should have revoked the old key.

[trishankatdatadog]

Yeap, I think @ethan-lowman-dd and I ran into this while trying to fix it during #369

[rdimitrov]

Closing since the code base changed and this is no longer valid.

Thanks for raising this 👍