fix(crypto): Only upload our own signature when verifying user identities

Author: poljar

crates/matrix-sdk-crypto/src/olm/signing/mod.rs

@@ -779,6 +779,9 @@ mod test {
 
         let master = user_signing.sign_user(&bob_public).await.unwrap();
 
+        let num_signatures: usize = master.signatures.iter().map(|(_, u)| u.len()).sum();
+        assert_eq!(num_signatures, 1, "We're only uploading our own signature");
+
         bob_public.master_key = master.into();
 
         user_signing.public_key.verify_master_key(bob_public.master_key()).unwrap();

crates/matrix-sdk-crypto/src/olm/signing/pk_signing.rs

@@ -207,10 +207,10 @@ impl UserSigning {
         &self,
         user: &ReadOnlyUserIdentity,
     ) -> Result<CrossSigningKey, SignatureError> {
-        let signature = self.sign_user_helper(user).await?;
+        let signatures = self.sign_user_helper(user).await?;
         let mut master_key: CrossSigningKey = user.master_key().to_owned().into();
 
-        master_key.signatures.extend(signature);
+        master_key.signatures = signatures;
 
         Ok(master_key)
     }