[Rpm-ecosystem] Two signatures?
pmatilai at redhat.com
Thu May 31 14:02:16 UTC 2018
On 05/31/2018 04:40 PM, Miroslav Suchý wrote:
> In the past, it was possible to add two or more signatures to an rpm package. At least according to
> But when I checked the current rpmsign, it seems that --addsign actually replaces the previous signature.
> Is this correct? Or is there a way to have two signatures on one package?
As of all rpm versions in the last 15+ years, --addsign/--resign do the
same thing, which is to replace any existing signature, so no, you cannot
pile them on.
Technically it's more complicated than that - there are always two
different signatures (one on the header and one on header + payload) but
always by the same signer and algorithm for both. And technically, the
header could store more signatures, in particular DSA and RSA
simultaneously, it's just capped in the code for simplicity's sake.
Further, there are provisions for true multiple signature support in the
codebase in rpm >= 4.14.x but the actual support for that hasn't landed
yet. Maybe later this year.
- Panu -
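
The layout described in the reply above (one signature over the header, one over header + payload, same algorithm) can be checked by reading the tag index of a package's signature header. This is an added example, not part of the original message and not rpm's own code; the tag numbers are RPMSIGTAG_DSA/RSA/PGP/GPG from rpm's rpmtag.h, and `build_sample` is a hypothetical helper that produces constructed input with dummy blobs instead of real signatures.

```python
import struct

LEAD_SIZE = 96                      # fixed-size rpm lead precedes the signature header
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # header magic plus version byte
RPM_BIN_TYPE = 7                    # signatures are stored as binary blobs
# Signature-header tags: tag -> (algorithm, what the signature covers)
SIG_TAGS = {
    267: ("DSA", "header"),           # RPMSIGTAG_DSA
    268: ("RSA", "header"),           # RPMSIGTAG_RSA
    1002: ("RSA", "header+payload"),  # RPMSIGTAG_PGP
    1005: ("DSA", "header+payload"),  # RPMSIGTAG_GPG
}

def signature_tags(data):
    """Return sorted (algorithm, coverage) pairs found in the signature header."""
    if len(data) < LEAD_SIZE + 16 or data[:4] != LEAD_MAGIC:
        raise ValueError("not an rpm package (short file or bad lead magic)")
    if data[LEAD_SIZE:LEAD_SIZE + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    nindex, hsize = struct.unpack_from(">II", data, LEAD_SIZE + 8)
    index_off = LEAD_SIZE + 16
    if index_off + 16 * nindex + hsize > len(data):
        raise ValueError("truncated signature header")
    found = []
    for i in range(nindex):
        tag, typ, offset, count = struct.unpack_from(">IIII", data, index_off + 16 * i)
        if tag not in SIG_TAGS:
            continue                  # sizes, digests and other non-signature entries
        if typ != RPM_BIN_TYPE or offset + count > hsize:
            raise ValueError("malformed entry for tag %d" % tag)
        found.append(SIG_TAGS[tag])
    return sorted(found)

def single_algorithm_pair(found):
    """True for the layout the message describes: one header signature and
    one header+payload signature, both using the same algorithm."""
    return (len(found) == 2 and found[0][0] == found[1][0]
            and [cov for _, cov in found] == ["header", "header+payload"])

def build_sample(tags):
    """Constructed input (hypothetical helper): a lead plus a signature header
    whose entries carry dummy 4-byte blobs, not real signatures."""
    index = b"".join(struct.pack(">IIII", t, RPM_BIN_TYPE, 4 * i, 4)
                     for i, t in enumerate(tags))
    store = b"\x00" * (4 * len(tags))
    head = HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", len(tags), len(store))
    return LEAD_MAGIC + b"\x00" * (LEAD_SIZE - 4) + head + index + store
```

To inspect a real package, pass `open(path, "rb").read()` to `signature_tags`; the function only lists which signature tags are present and does not verify them.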