[Rpm-maint] [rpm-software-management/rpm] multiple signatures support? (#189)

Jeff Johnson notifications at github.com
Mon Apr 10 03:08:52 UTC 2017


There is nothing stopping other applications from using detached signatures on *.rpm files as necessary. RPM cannot carry one (or multiple) signatures within signed plaintext.

(Aside: in principle a different ping-pong like signing could be attempted to ensure that both signature/metadata headers are signed with different pairs of keys, with the pubkey(s) that signed the signature header in the metadata header and vice versa, but let's not go there, please.)

The core issue here seems to be hardlinking *.rpm files between different distributions, where the packages are identical except for the signature using different keys, and therefore hard linking is impossible.

Having multiple signatures only solves one part of the puzzle: making the *.rpm content static so that files can be hard linked by including multiple signatures.

The signing as well as the verification become far more complex because of the key management involved in associating multiple keys and signatures where needed, particularly if RPM needs a policy file to specify which signature needs to be verified.

Original comment:
https://github.com/rpm-software-management/rpm/issues/189#issuecomment-292839459
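The hardlinking point in the message above can be shown with a few bytes. The following is an added example, not code from the original message or from the rpm project: it assembles two constructed RPM-shaped files that are byte-identical except for the content of the signature header, then shows that the signed region (main header plus payload) hashes identically while the whole files differ, which is exactly why they cannot be one hard-linked inode. The container layout (96-byte lead starting with `ED AB EE DB`, `8E AD E8 01` header magic, 16-byte index entries, signature header padded to an 8-byte boundary, signature tag 1005 for RPMSIGTAG_GPG) follows the RPM on-disk format; the tag contents, the use of BIN-typed entries everywhere, and the payload bytes are constructed for the demo and are not real package data. A detached signature stored beside the file, as the message suggests other applications can do, signs `signed_region` and leaves the file itself untouched.

```python
import hashlib
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
RPM_HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # header magic bytes followed by version 1
LEAD_SIZE = 96
RPMSIGTAG_GPG = 1005                     # signature header tag that carries the OpenPGP signature
RPM_BIN_TYPE = 7                         # entry type: raw bytes, count == byte length


def build_header(entries):
    """Serialize an RPM header section: magic, 4 reserved bytes, index count,
    data length, one 16-byte index entry (tag, type, offset, count) per entry,
    then the data region. Constructed simplification: every entry is BIN-typed."""
    index = b""
    data = b""
    for tag, payload in entries:
        index += struct.pack(">IIII", tag, RPM_BIN_TYPE, len(data), len(payload))
        data += payload
    prologue = RPM_HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", len(entries), len(data))
    return prologue + index + data


def pad8(blob):
    """Pad to an 8-byte boundary, as rpm does after the signature header."""
    return blob + b"\x00" * ((8 - len(blob) % 8) % 8)


def build_rpm(signature_bytes, main_header, payload):
    """Assemble lead + signature header + main header + payload (constructed lead)."""
    lead = RPM_LEAD_MAGIC + b"\x00" * (LEAD_SIZE - 4)
    sig_header = pad8(build_header([(RPMSIGTAG_GPG, signature_bytes)]))
    return lead + sig_header + main_header + payload


def split_rpm(blob):
    """Parse the lead and signature header; return (signature_header, signed_region).
    signed_region is the main header plus payload, i.e. what the signature covers."""
    if blob[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM lead")
    off = LEAD_SIZE
    if blob[off:off + 4] != RPM_HEADER_MAGIC:
        raise ValueError("missing signature header magic")
    nindex, ndata = struct.unpack(">II", blob[off + 8:off + 16])
    sig_len = 16 + 16 * nindex + ndata
    sig_len += (8 - sig_len % 8) % 8          # honour the 8-byte alignment padding
    sig_header = blob[off:off + sig_len]
    signed_region = blob[off + sig_len:]
    if signed_region[:4] != RPM_HEADER_MAGIC:
        raise ValueError("missing main header magic")
    return sig_header, signed_region


def signed_region_digest(blob):
    """Digest of the part a signature actually covers (main header + payload)."""
    return hashlib.sha256(split_rpm(blob)[1]).hexdigest()


def whole_file_digest(blob):
    """Digest of the file as stored on disk, signature header included."""
    return hashlib.sha256(blob).hexdigest()


def can_hardlink(a, b):
    """Two paths can share one inode only if their bytes are identical."""
    return a == b


def make_demo_pair():
    """Constructed demo: same main header and payload, two different signature blobs,
    standing in for the same package signed by two distributions' keys."""
    main_header = build_header([(1000, b"demo-pkg\x00")])   # 1000 = RPMTAG_NAME (constructed value)
    payload = b"\x1f\x8b" + b"constructed-compressed-cpio-archive"
    pkg_a = build_rpm(b"SIGNATURE-FROM-DISTRO-A", main_header, payload)
    pkg_b = build_rpm(b"SIGNATURE-FROM-DISTRO-B-LONGER", main_header, payload)
    return pkg_a, pkg_b


if __name__ == "__main__":
    a, b = make_demo_pair()
    print("signed region equal:", signed_region_digest(a) == signed_region_digest(b))
    print("whole file equal:   ", whole_file_digest(a) == whole_file_digest(b))
    print("can hard link:      ", can_hardlink(a, b))
```

Running it prints that the signed regions match while the whole files do not, so the two builds cannot be hard-linked; only keeping the signature out of the file (detached) or carrying all signatures inside one identical file (the multiple-signatures proposal) makes the on-disk bytes static.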