[Rpm-maint] [rpm-software-management/rpm] Check signatures in the code (#240)

Jeff Johnson notifications at github.com
Thu Jun 22 12:09:15 UTC 2017

Signatures are stored in a tag in a package header. So one retrieves a tag from a header, and then parses out the keyid from the OpenPGP format.

The harder issue is that there are up to 4 (or perhaps more) possible tags where signatures might be stored, and that even a signature with a keyid may not (or cannot, in the case of header+payload signatures) be verified.

You can find the 4 tags that may have to be examined by looking at the --queryformat string used by rpm --info (which displays the keyid) stored in /usr/lib/rpm. Doing a --queryformat is likely the most efficient extraction of a keyid when writing scripts, through bindings, or even writing C code.

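The parsing step this message describes (take the bytes of a signature tag, then read the keyid out of the OpenPGP format), as an added example that is not part of the original post and is not rpm's own code. It follows RFC 4880 and assumes an old-format packet header and a v3 or v4 signature; the function names and the sample bytes are constructed for illustration.

```python
def _sublen(buf, i):
    # Subpacket length at buf[i] -> (length, index just past the length field)
    o1 = buf[i]
    if o1 < 192:
        return o1, i + 1
    if o1 < 255:
        return ((o1 - 192) << 8) + buf[i + 1] + 192, i + 2
    return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5

def _packet(data):
    # First packet in data -> (tag, body); old-format headers only (assumption)
    first = data[0]
    if (first & 0xC0) != 0x80 or (first & 0x03) == 3:
        raise ValueError("need an old-format packet with a definite length")
    off = 1 + (1 << (first & 0x03))          # 1, 2 or 4 length octets
    length = int.from_bytes(data[1:off], "big")
    if off + length > len(data):
        raise ValueError("truncated packet")
    return (first >> 2) & 0x0F, data[off:off + length]

def _issuer(area):
    # Walk one subpacket area looking for Issuer (type 16, 8-octet key ID)
    i = 0
    while i < len(area):
        length, i = _sublen(area, i)
        if length == 0 or i + length > len(area):
            raise ValueError("malformed subpacket")
        if (area[i] & 0x7F) == 16 and length == 9:   # bit 7 is the critical flag
            return area[i + 1:i + 9].hex()
        i += length
    return None

def signature_keyid(blob):
    """Key ID (hex) named by a v3 or v4 signature packet, or None if absent."""
    tag, body = _packet(blob)
    if tag != 2 or len(body) < 15:
        raise ValueError("not a signature packet, or too short")
    if body[0] == 3:                         # v3: key ID at fixed offset 7
        return body[7:15].hex()
    if body[0] != 4:
        raise ValueError("unsupported signature version")
    hlen = int.from_bytes(body[4:6], "big")  # v4: hashed area, then unhashed area
    hashed, rest = body[6:6 + hlen], body[6 + hlen:]
    ulen = int.from_bytes(rest[:2], "big")
    return _issuer(hashed) or _issuer(rest[2:2 + ulen])

# Constructed sample (not from a real package): v4 signature, Issuer in unhashed area
SAMPLE_V4 = bytes.fromhex("881d04000108" "000605025a000000"
                          "000a09100123456789abcdef" "abcd000101")
```

A key ID read this way only names the claimed signer; it does not show that the signature verifies.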