Sort signatures by keys IDs for deterministic signature order

[ethan-lowman-dd]

In the course of implementing delegations in the repo writer (WIP branch), I had to change how keys are stored internally, which introduced non-determinism in the order of signatures. This caused tests which relied on fixtures to become flaky, as the order of signatures was not consistent. In order to keep support for static fixtures (using deterministic signature schemes like Ed25519), this PR sorts signatures by key ID.

I regenerated the fixtures using regenerate-metadata.sh, which reordered signatures of root.json, and updated dependent hashes.

I also updated the two tests that made assertions about signature/key slices to disregard order. In the process I fixed a test on line 1174 of repo_test.go which was comparing expected to itself rather than comparing expected to actual.

[coveralls]

Pull Request Test Coverage Report for Build 1338037733

• 31 of 35 (88.57%) changed or added relevant lines in 2 files are covered.
• 26 unchanged lines in 3 files lost coverage.
• Overall coverage increased (+0.2%) to 67.809%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
internal/signer/sort.go	22	26	84.62%

Files with Coverage Reduction	New Missed Lines	%
pkg/keys/keys.go	3	30.0%
data/types.go	11	59.02%
pkg/keys/rsa.go	12	61.8%

Totals
Change from base Build 1312286690:	0.2%
Covered Lines:	1959
Relevant Lines:	2889

---

💛 - Coveralls

[trishankatdatadog]

Best for @hosseinsia to review as it might affect fixtures in his #143 PR

[rdimitrov]

Apart from #143, it's also worth syncing with @asraa because of #148 as both of the PRs alter/depend on the same sign package.

In that sense, maybe it would be better to prioritize which of these should be merged first to avoid the burden of fixing conflicts afterwards?

[asraa]

Thanks! I'm not opposed to this change, but could you point me to where the testdata needed to be ordered?

I'm seeing a few checks in the interop_test/client_test but they don't seem to require ordering.

Just wondering if it makes more sense to change tests to test equality/expectation without ordering

[ethan-lowman-dd]

@asraa The tests that are flaky if signature order is nondeterministic are:

1. File hash checks against generated fixtures:
   • https://github.com/theupdateframework/go-tuf/blob/master/client/interop_test.go#L41-L48
2. Checking key IDs in order:
   • https://github.com/theupdateframework/go-tuf/blob/master/repo_test.go#L545-L548
   • https://github.com/theupdateframework/go-tuf/blob/master/repo_test.go#L1181-L1184

I addressed (1) by sorting signatures by key IDs and regenerating these fixtures. I addressed (2) by sorting keys IDs in the tests before making comparisons.

[hosseinsia]

LGTM!

[trishankatdatadog]

@ethan-lowman-dd need to resolve conflicts...

[ethan-lowman-dd]

Conflicts resolved -- need re-approvals to merge, since the commit dismissed the existing ones.

[hosseinsia]

LGTM!
Wonderful! Many thanks!