<p>The advantage of a detached signature is that you don't have to modify something in order to certify it. The disadvantage is that you have to have both parts to validate.</p>
<p>Rpms are often signed with multiple keys over their lifetime. Embedded signatures force us to choose between keeping mostly redundant copies, or forever throwing away the previous signed copy. Koji dodges this by having the ability to rip out an rpm signature header and splice it back in later, effectively detaching the embedded signature.</p>

<p><a href="https://github.com/rpm-software-management/rpm/issues/189#issuecomment-292628002">View it on GitHub</a></p>
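<p>The rip-and-splice operation described in the comment above, as an added Python example that is not part of the original comment and is not Koji's or rpm's own code. It assumes the standard RPM layout (a 96-byte lead followed by the signature header, padded to 8 bytes); the function names, tag 9999 and the sample bytes are constructed for illustration.</p>

```python
import struct

LEAD_SIZE = 96                      # fixed-size lead at the start of every RPM
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HDR_MAGIC = b"\x8e\xad\xe8\x01"     # header magic plus version byte

def sighdr_span(rpm):
    """Return (start, end) offsets of the signature header, padding included."""
    if rpm[:4] != LEAD_MAGIC:
        raise ValueError("bad lead magic")
    start = LEAD_SIZE
    if rpm[start:start + 4] != HDR_MAGIC or len(rpm) < start + 16:
        raise ValueError("bad signature header magic")
    nindex, dsize = struct.unpack(">II", rpm[start + 8:start + 16])
    size = 16 + 16 * nindex + dsize  # intro + index entries + data store
    size += -size % 8                # signature header is padded to 8 bytes
    if start + size > len(rpm):
        raise ValueError("truncated signature header")
    return start, start + size

def detach(rpm):
    """Copy the embedded signature header out as a stand-alone blob."""
    start, end = sighdr_span(rpm)
    return rpm[start:end]

def splice(rpm, sighdr):
    """Return rpm with its signature header replaced by a detached one."""
    probe = rpm[:LEAD_SIZE] + sighdr
    if sighdr_span(probe) != (LEAD_SIZE, len(probe)):
        raise ValueError("blob is not exactly one signature header")
    _, end = sighdr_span(rpm)
    return rpm[:LEAD_SIZE] + sighdr + rpm[end:]

def make_sighdr(sig):
    """Constructed sample: a signature header with one binary (type 7) entry."""
    entry = struct.pack(">IIII", 9999, 7, 0, len(sig))  # tag 9999 is a placeholder
    body = HDR_MAGIC + b"\0" * 4 + struct.pack(">II", 1, len(sig)) + entry + sig
    return body + b"\0" * (-len(body) % 8)

# Constructed input: zeroed lead, opaque stand-in for main header + payload.
LEAD = LEAD_MAGIC + b"\0" * (LEAD_SIZE - 4)
REST = b"constructed main header and payload"
SIGNED_A = LEAD + make_sighdr(b"sample signature, key A") + REST
SIG_A = detach(SIGNED_A)              # store this small blob, not the whole rpm
SIGNED_B = splice(SIGNED_A, make_sighdr(b"sample signature, key B, longer"))
RESTORED_A = splice(SIGNED_B, SIG_A)  # the first signed copy, rebuilt on demand
```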
