[Rpm-ecosystem] [PATCH v6 00/11] RPM: include and install file signatures

Mimi Zohar zohar at linux.vnet.ibm.com
Fri Jul 17 12:37:08 UTC 2015


On Fri, 2015-07-17 at 04:04 -0400, Lubos Kardos wrote:
> Maybe it would be nice to have the possibility to sign files without signing
> a package. Often different people are responsible for different parts of the
> process of creating a package. Private keys for signing files and signing packages
> are different and maybe a man who will be responsible for signing files won't
> have access to a private key to sign the whole package. But I don't know how
> signing files will be used, if it will be used, just an idea.

Perhaps different people (processes) will be signing the files and the
package, but in that case it would be safer for the file signing process
to also sign the package with their own key.  Before re-signing the
package, the existing package signature would be verified.

> Another thing that I am thinking about is to have a separate tool for signing
> files and not having signing files in rpmsign. Also writing signatures into
> xattr is in a plugin and not in core rpm. Signing files also brings a new
> dependency on libimaevm into rpmsign. If we had a separate tool for signing
> files then this separate tool could be in a separate package. So if you didn't
> want to sign files then you wouldn't need to install the package with the tool
> for signing files and you wouldn't need to install the libimaevm dependency.

Thank you for your reviews!  We've already started addressing your
comments, including this libimaevm dependency.

Mimi

> But these are just thoughts. Florian, what do you think?
