Metadata API: preserve Role.keyids order

We made Role.keyids a set because the keyids are supposed
to be unique and this still makes sense.

However, the data should also preserve order
(when deserialized and serialized) and currently, it does not.
This is fairly serious since writing signed data potentially modifies
the data (making the signature invalid).

The simplest solution (as proposed by Teodora) is to sort the
set during serialization and that would ensure the order of the items.

Signed-off-by: Martin Vrachev <[email protected]>

Author: Martin Vrachev

tests/test_metadata_serialization.py

@@ -141,6 +141,7 @@ def test_invalid_role_serialization(self, test_case_data: Dict[str, str]):
 
     valid_roles: DataSet = {
         "all": '{"keyids": ["keyid"], "threshold": 3}',
+        "many keyids": '{"keyids": ["a", "b", "c", "d", "e"], "threshold": 1}',
         "unrecognized field": '{"keyids": ["keyid"], "threshold": 3, "foo": "bar"}',
     }
 

tuf/api/metadata.py

@@ -554,7 +554,7 @@ def from_dict(cls, role_dict: Dict[str, Any]) -> "Role":
     def to_dict(self) -> Dict[str, Any]:
         """Returns the dictionary representation of self."""
         return {
-            "keyids": list(self.keyids),
+            "keyids": sorted(self.keyids),
             "threshold": self.threshold,
             **self.unrecognized_fields,
         }