[Rpm-maint] [rpm-software-management/rpm] Do not parse header when validating signatures (#1468)

Panu Matilainen notifications at github.com
Tue Jan 5 10:58:46 UTC 2021


Would be wonderful if things were that simple.

But there's no such thing as "the signature", there are multiple digests and signatures ranging over various parts of the package, mostly contained in the signature header (so you need to parse an unprotected header anyhow) but the payload digests are, for security, in the main header.

Rpm does a parse of the header intro and a simple text retrieve when signature checking, not because it's fun to do but because it needs to. The act of actually importing (aka loading) the main header, which involves a far more complex set of operations, is only done after the signature and digest checks pass.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1468#issuecomment-754564673
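To illustrate the distinction Panu draws above (parsing only the header intro and retrieving a single tag, with sanity checks, versus loading the whole header), here is an added example that is not rpm's own code. It builds a constructed signature header, reads just the 16-byte intro, and bounds-checks one index entry before returning its value; the tag numbers are taken from rpm's rpmtag.h as I recall them and are an assumption.

```python
import struct

HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # rpm header magic followed by the version byte
RPM_INT32_TYPE, RPM_STRING_TYPE = 4, 6
# Signature-header tag numbers as I recall them from rpm's rpmtag.h (assumption)
RPMSIGTAG_SIZE, RPMSIGTAG_SHA256 = 1000, 273

def build_header(entries):
    """Assemble a constructed header blob from (tag, type, value) tuples.
    INT32 entries must come first so their data stays 4-byte aligned."""
    index, data = b"", b""
    for tag, typ, value in entries:
        payload = struct.pack(">I", value) if typ == RPM_INT32_TYPE else value.encode() + b"\0"
        index += struct.pack(">IIII", tag, typ, len(data), 1)
        data += payload
    return HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(data)) + index + data

def header_intro(blob, max_index=32, max_data=64 * 1024):
    """Read only the 16-byte intro and check that it is sane; nothing is loaded yet."""
    if len(blob) < 16 or blob[:4] != HEADER_MAGIC:
        raise ValueError("bad header magic")
    nindex, hsize = struct.unpack(">II", blob[8:16])
    if not 0 < nindex <= max_index or hsize > max_data:
        raise ValueError("implausible index count or data size")
    if len(blob) < 16 + 16 * nindex + hsize:
        raise ValueError("header truncated")
    return nindex, hsize

def get_tag(blob, wanted):
    """Fetch one tag's value by scanning the index, bounds-checking its data reference."""
    nindex, hsize = header_intro(blob)
    data_start = 16 + 16 * nindex
    for i in range(nindex):
        tag, typ, off, _count = struct.unpack_from(">IIII", blob, 16 + 16 * i)
        if tag != wanted:
            continue
        if typ == RPM_INT32_TYPE:
            if off + 4 > hsize:
                raise ValueError("int32 data outside header data area")
            return struct.unpack_from(">I", blob, data_start + off)[0]
        if typ == RPM_STRING_TYPE:
            end = blob.find(b"\0", data_start + off, data_start + hsize)
            if off >= hsize or end < 0:
                raise ValueError("string data outside header data area")
            return blob[data_start + off:end].decode()
        raise ValueError("unsupported tag type %d" % typ)
    return None

# Constructed sample signature header: a payload size and a fake header digest string.
SAMPLE = build_header([(RPMSIGTAG_SIZE, RPM_INT32_TYPE, 4096),
                       (RPMSIGTAG_SHA256, RPM_STRING_TYPE, "ab" * 32)])
```

An index entry whose offset points outside the declared data area is rejected before any data is read, which is the kind of check the intro parse exists to perform.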