When aggregating signatures over the same message, we need to take care of a possible “rogue public key attack”.
Say your public key is $pk_1$, and the attacker has a secret key, $sk_2$. The attacker publishes $pk'2=sk_2⋅G-pk_1$ as a public key instead of publishing his true public key (that is, his real public key plus the inverse of yours). The attacker can sign a message $H(m)$ with his secret key to make the signature $\sigma=sk_2⋅H(m)$. He then publishes this claiming that it is an aggregate signature that both you and the attacker have signed, and that the aggregate public key is $pk{agg}=pk_1+pk'_2$.
Now, when verifying, his claim checks out: it looks like you signed the message when you didn’t: $e(\sigma,G)=e(sk_2⋅H(m),G)=e(H(m),sk_2⋅G)=e(H(m), pk_1+pk'_2)$
In cases where a threshold is expected to be met, a message can be signed without having a sufficient majority using this attack. One relatively simple defense against this is to force validators to register a “proof of possession” of the private key corresponding to their claimed public key. The attacker doesn’t have the $sk'_2$ corresponding to $pk'_2$. This can be done simply by getting the validator to sign its public key on registration: if the signature validates with that public key then all is well.
BLS threshold signatures are a type of cryptographic signature scheme that allows a group of participants to collectively sign a message while maintaining the properties of BLS signatures. In this system, m out of n signatories can sign the same message and verification can be done with a single group public key. To define the signature steps, we need to provide explanations for some terms first: