ipn/ipnlocal: allow multiple signature chains from the same SigCredential

Detection of duplicate Network Lock signature chains added in
01847e0123 failed to account for chains
originating with a SigCredential signature, which is used for wrapped
auth keys. This results in erroneous removal of signatures that
originate from the same re-usable auth key.

This change ensures that multiple nodes created by the same re-usable
auth key are not getting filtered out by the network lock.

Updates tailscale/corp#19764

Signed-off-by: Anton Tolchanov <anton@tailscale.com>
Anton Tolchanov
2024-06-27 12:54:17 +01:00
committed by Anton Tolchanov
parent 4651827f20
commit 781f79408d
4 changed files with 69 additions and 30 deletions

@@ -313,9 +313,9 @@ type RotationDetails struct {
// PrevNodeKeys is a list of node keys which have been rotated out.
PrevNodeKeys []key.NodePublic
// WrappingPubkey is the public key which has been authorized to sign
// InitialSig is the first signature in the chain which led to
// this rotating signature.
WrappingPubkey []byte
InitialSig *NodeKeySignature
}
// rotationDetails returns the RotationDetails for a SigRotation signature.
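Review bot: the doc comment on the new InitialSig field should say which signature kinds can appear there, since the commit message says a chain may start either with a directly signed node key or with a SigCredential signature (the wrapped auth key case), and callers that deduplicate chains will now key on this value instead of on the removed WrappingPubkey. Because the field is a pointer (`InitialSig *NodeKeySignature`), also state whether it is guaranteed non-nil whenever rotationDetails returns without error, so callers do not need a nil check on every access.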
@@ -339,7 +339,7 @@ func (s *NodeKeySignature) rotationDetails() (*RotationDetails, error) {
}
nested = nested.Nested
}
sri.WrappingPubkey = nested.WrappingPubkey
sri.InitialSig = nested
return sri, nil
}
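Review bot: `sri.InitialSig = nested` stores a pointer to the innermost signature of the caller's chain rather than a copy, so any later mutation of that chain is visible through RotationDetails; if the details are retained across a chain rebuild this should be documented or a copy stored. More importantly for the fix this change describes, the duplicate-chain detection that consumes InitialSig must compare the signatures by content (for example their serialized bytes), not by pointer identity: two chains issued from the same SigCredential are separate allocations, so a pointer comparison would never match and would silently disable duplicate detection altogether, while comparing only the wrapping public key would reintroduce the exact bug the commit message says is being fixed.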