[Rpm-maint] Dual signing with rpm

Jeff Johnson n3npq at me.com
Thu Mar 29 01:12:42 UTC 2018



> On Mar 28, 2018, at 8:00 PM, Burhan Wani (burwani) <burwani at cisco.com> wrote:
> 
> Hello,
> I wanted to know why the dual signing feature was removed from rpm 4.2 onwards. Is there a security risk to using rpm dual signing? What would be the best way to implement dual signing in rpm?
>  

rpm has never supported "dual signing" if you mean signing with 2 different keys.
While there were ways to sign twice, with different algorithms, which ended up
in different tags, only one of those signatures was ever verified.

It doesn't make much sense to have multiple signatures; you are better off using a longer key or hash.

What exactly is "dual signing" to you?

73 de Jeff
>  
> Regards,
> Burhan Wani 
>  
> _______________________________________________
> Rpm-maint mailing list
> Rpm-maint at lists.rpm.org
> http://lists.rpm.org/mailman/listinfo/rpm-maint
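
The reply above says that signing twice with different algorithms put the signatures in different tags. As an added example (not part of the original thread and not rpm's own code), this lists which signature tags a package's signature header carries; presence of a tag says nothing about whether it is verified. The tag numbers 267, 268, 1002 and 1005 are taken from rpm's tag definitions rather than from the message, and build_sample is a hypothetical helper that constructs test input.

```python
import struct

LEAD_SIZE = 96                      # fixed-size rpm lead precedes the signature header
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # header structure magic + version byte
# Signature-header tags that hold an OpenPGP signature (assumption: numbers
# from rpm's tag table, not from the thread above).
SIG_TAGS = {
    267: "DSA (header only)",
    268: "RSA (header only)",
    1002: "PGP (RSA, header+payload)",
    1005: "GPG (DSA, header+payload)",
}

def signature_tags(blob):
    """Return the names of signature tags present in an rpm's signature header."""
    if blob[:4] != LEAD_MAGIC:
        raise ValueError("not an rpm: bad lead magic")
    off = LEAD_SIZE
    if len(blob) < off + 16 or blob[off:off + 4] != HEADER_MAGIC:
        raise ValueError("missing or bad signature header")
    # After magic (4) and reserved (4): index entry count and data store size.
    nindex, hsize = struct.unpack_from(">II", blob, off + 8)
    if off + 16 + 16 * nindex + hsize > len(blob):
        raise ValueError("truncated signature header")
    found = []
    for i in range(nindex):
        # Each index entry is tag, type, offset, count (big-endian uint32).
        tag, _type, _offset, _count = struct.unpack_from(">IIII", blob, off + 16 + 16 * i)
        if tag in SIG_TAGS:
            found.append(SIG_TAGS[tag])
    return found

def build_sample(tags):
    """Constructed input: lead + signature header with dummy 4-byte binary entries."""
    lead = LEAD_MAGIC + bytes(LEAD_SIZE - 4)
    index = b"".join(struct.pack(">IIII", t, 7, 4 * i, 4) for i, t in enumerate(tags))
    store = bytes(4 * len(tags))
    counts = struct.pack(">II", len(tags), len(store))
    return lead + HEADER_MAGIC + bytes(4) + counts + index + store

if __name__ == "__main__":
    # Constructed sample, not a real package: size tag plus four signature tags.
    sample = build_sample([1000, 268, 1002, 267, 1005])
    for name in signature_tags(sample):
        print(name)
```
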