[Rpm-ecosystem] Two signatures?

Panu Matilainen pmatilai at redhat.com
Thu May 31 14:02:16 UTC 2018

On 05/31/2018 04:40 PM, Miroslav Suchý wrote:
> In the past, it was possible to add two or more signatures to an rpm package. At least according to
>    http://ftp.rpm.org/max-rpm/s1-rpm-pgp-signing-packages.html
> But when I checked current rpmsign, it seems that --addsign actually replaces the previous signature.
> Is this correct? Or is there a way to have two signatures on one package?

Short version:
As of all rpm versions in the last 15+ years, --addsign/--resign do the 
same thing, which is to replace any existing signature, so no, you cannot 
pile them on.

Longer version:
Technically it's more complicated than that - there are always two 
different signatures (one on the header and one on header + payload) but 
always by the same signer and algorithm for both. And technically, the 
header could store more signatures, in particular DSA and RSA 
simultaneously, it's just capped in the code for simplicity's sake. 
Further, there are provisions for true multiple signature support in the 
codebase in rpm >= 4.14.x but the actual support for that hasn't landed 
yet. Maybe later this year.

	- Panu -
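To make the "two signatures, one slot per kind" layout concrete, here is an added example (not code from the thread or from the rpm project) that parses the lead and the signature header of an RPM image and reports which signature and digest tags it carries. The tag numbers (RPMSIGTAG_RSA = 268 and RPMSIGTAG_DSA = 267 for the header-only signature, RPMSIGTAG_PGP = 1002 and RPMSIGTAG_GPG = 1005 for the header + payload signature) and the lead and header layouts are those of rpm's on-disk format; the sample image it builds is constructed for the demonstration and its signature blobs are placeholders, not real OpenPGP packets, so it exercises only the container layout, not signature verification.

```python
"""List the signature tags present in an RPM's signature header.

Layout parsed: 96-byte lead, then the signature header (magic, reserved,
nindex, hsize, nindex 16-byte index entries, hsize bytes of data store).
"""
import struct
import sys

LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
LEAD_SIZE = 96
RPMSIGTYPE_HEADERSIG = 5          # lead field saying "signature header follows"

# Signature-header tags as numbered in rpm's rpmtag.h
SIGTAGS = {
    1000: "RPMSIGTAG_SIZE",
    1002: "RPMSIGTAG_PGP",        # RSA signature over header + payload
    1004: "RPMSIGTAG_MD5",
    1005: "RPMSIGTAG_GPG",        # DSA signature over header + payload
    267: "RPMSIGTAG_DSA",         # DSA signature over the header only
    268: "RPMSIGTAG_RSA",         # RSA signature over the header only
    269: "RPMSIGTAG_SHA1",        # hex digest of the header
    273: "RPMSIGTAG_SHA256",      # hex digest of the header
    1007: "RPMSIGTAG_PAYLOADSIZE",
    62: "HEADER_SIGNATURES",      # header region marker
}
HEADER_ONLY_SIGS = {267, 268}
HEADER_PAYLOAD_SIGS = {1002, 1005}
DIGEST_TAGS = {1004, 269, 273}

FIXED_TYPES = {2: 1, 3: 2, 4: 4, 5: 8, 7: 1}   # header data type -> element size (bytes)
STRING_TYPE = 6                                # NUL-terminated string


def parse_signature_header(image):
    """Return {tag: raw bytes} for every entry in the signature header of an RPM image."""
    if image[:4] != LEAD_MAGIC:
        raise ValueError("bad lead magic: not an RPM")
    (sigtype,) = struct.unpack(">h", image[78:80])   # lead.signature_type
    if sigtype != RPMSIGTYPE_HEADERSIG:
        raise ValueError("unsupported signature type %d" % sigtype)
    off = LEAD_SIZE
    if image[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    nindex, hsize = struct.unpack(">II", image[off + 8:off + 16])
    index_off = off + 16
    store_off = index_off + 16 * nindex
    store = image[store_off:store_off + hsize]
    if len(store) != hsize:
        raise ValueError("truncated signature header")
    entries = {}
    for i in range(nindex):
        tag, typ, doff, count = struct.unpack(">IIII", image[index_off + 16 * i:index_off + 16 * (i + 1)])
        if typ == STRING_TYPE:
            value = store[doff:store.index(b"\0", doff)]
        elif typ in FIXED_TYPES:
            size = FIXED_TYPES[typ] * count
            if doff + size > hsize:
                raise ValueError("entry for tag %d runs past the data store" % tag)
            value = store[doff:doff + size]
        else:
            raise ValueError("unsupported type %d for tag %d" % (typ, tag))
        entries[tag] = value
    return entries


def summarize(entries):
    """Group the present tags by what they cover; a signed package shows one of each signature kind."""
    def names(tags):
        return sorted(SIGTAGS.get(t, "tag%d" % t) for t in entries if t in tags)
    return {"header_only": names(HEADER_ONLY_SIGS),
            "header_and_payload": names(HEADER_PAYLOAD_SIGS),
            "digests": names(DIGEST_TAGS)}


def build_signature_header(entries):
    """Encode [(tag, type, value bytes)] as a signature header, padded to 8 bytes like rpm does."""
    index, store = b"", bytearray()
    for tag, typ, value in entries:
        if typ == STRING_TYPE:
            count, value = 1, value + b"\0"
        else:
            esize = FIXED_TYPES[typ]
            while len(store) % esize:          # fixed-size types are aligned in the store
                store.append(0)
            count = len(value) // esize
        index += struct.pack(">IIII", tag, typ, len(store), count)
        store += value
    hdr = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store)) + index + bytes(store)
    return hdr + b"\0" * (-len(hdr) % 8)


def build_sample_rpm():
    """Constructed lead + signature header (no main header or payload) with placeholder signature blobs."""
    lead = struct.pack(">4sBBhh66shh16s", LEAD_MAGIC, 3, 0, 0, 1, b"demo-1.0-1", 1, RPMSIGTYPE_HEADERSIG, b"")
    header_sig = b"\x89\x01" + b"H" * 30     # stands in for the RSA signature over the header
    full_sig = b"\x89\x01" + b"P" * 30       # stands in for the RSA signature over header + payload
    return lead + build_signature_header([
        (1000, 4, struct.pack(">I", 4096)),
        (268, 7, header_sig),
        (1002, 7, full_sig),
        (273, STRING_TYPE, b"0" * 64),
    ])


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_rpm()
    print(summarize(parse_signature_header(data)))
```

Run it with a path to a real .rpm to see its tags, or with no argument to inspect the constructed sample; on a package signed by rpmsign you should see exactly one header-only and one header + payload entry, which is the cap the reply describes.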

