<p><a href="https://github.com/jcpunk" class="user-mention">@jcpunk</a> ECM == Electronic Content Management signatures?</p>
<p>Integrating RPM (actually GPG) signatures with ECM is a much more complex issue than whether multiple signatures are permitted into *.rpm package files.</p>
<p>Treating a *.rpm file as static content with an appended ECM signature is entirely feasible. The GPG signature used by RPM is then just part of the content verified by the ECM signature.</p>
<p>This is no different than appending a signature to a *.rpm file. Of course the resulting file is then no longer readable by rpm itself until the appended signature (and whatever other format changes are performed) is reverted.</p>
