[Rpm-maint] [rpm-software-management/rpm] RPM fsverity support (#1203)

Panu Matilainen notifications at github.com
Thu May 28 08:02:10 UTC 2020


@pmatilai commented on this pull request.



> +    }
+
+    rpmlog(RPMLOG_DEBUG, _("key: %s\n"), key);
+    rpmlog(RPMLOG_DEBUG, _("cert: %s\n"), cert);
+
+    compr = headerGetString(h, RPMTAG_PAYLOADCOMPRESSOR);
+    rpmio_flags = rstrscat(NULL, "r.", compr ? compr : "gzip", NULL);
+
+    gzdi = Fdopen(fdDup(Fileno(fd)), rpmio_flags);
+    free(rpmio_flags);
+    if (!gzdi)
+	rpmlog(RPMLOG_DEBUG, _("Fdopen() failed\n"));
+
+    files = rpmfilesNew(NULL, h, RPMTAG_BASENAMES, RPMFI_FLAGS_QUERY);
+    fi = rpmfiNewArchiveReader(gzdi, files,
+			       RPMFI_ITER_READ_ARCHIVE_OMIT_HARDLINKS);

Right, silly me. I plead ignorance and amnesia on what little I know about the Merkle tree stuff... but now that you remind me, it makes me think there's quite a bit of mutual interest here.

There are multiple places in rpm that would benefit from gradually verifiable content, starting with the file digests themselves. If rpm stored the Merkle hashes for the files at build time, I suppose you could then just sign those? And when available, rpm could use those instead of the traditional digests for its verify operation for quicker identification of modified content.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1203#discussion_r431652462
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20200528/79941280/attachment-0001.html>


More information about the Rpm-maint mailing list