[Rpm-ecosystem] Two signatures?

Jeff Johnson n3npq at me.com
Fri Jun 1 16:35:13 UTC 2018

Sent from my iPad

> On May 31, 2018, at 10:02 AM, Panu Matilainen <pmatilai at redhat.com> wrote:
> Short version:
> As of all rpm versions in the last 15+ years, --addsign/--resign do the same thing which is replace any existing signature, so no, you cannot pile them on.

The --addsign/--resign options were made identical when it became clear that most users did not understand the difference in usage.

One of those users was the RedHat Director of Engineering, responsible for signing RHL releases, who managed to sign RHL 7.3 twice, with different signatures.

So the CLI options were dumbed down and simplified to increase the quality of the RHL product.

Meanwhile what is really needed is a trust or binding signature. E.g. current RPM4 does not verify (last I checked) the userid packet binding signature, so it's possible to mislead a user into thinking a package is signed by, say, RedHat by replacing the userid textual string.

Sure other tools can be used to detect that sort of alteration, just rpm is not one of those tools.


More information about the Rpm-ecosystem mailing list