<p>This came up in <a class="issue-link js-issue-link" data-error-text="Failed to load issue title" data-id="497876446" data-permission-text="Issue title is private" data-url="https://github.com/rpm-software-management/rpm/issues/861" data-hovercard-type="issue" data-hovercard-url="/rpm-software-management/rpm/issues/861/hovercard" href="https://github.com/rpm-software-management/rpm/issues/861">#861</a>, but deserves a topic of its own, and also needs to be laid out where people can see it:</p>
<p>The so-called "v3" header+payload digests and signatures in rpm have been on their slower-than-sloth way out ever since header-only digests/signatures were added in rpm v4 around the turn of the millenium, but without them there hasn't been any means to verify the payload without unpacking it, and so they've lingered on.</p>
<p>rpm 4.14 added a separate digest on the compressed payload. Unlike the v3 elements, the payload digest is stored in the immutable main header instead of signature header, so it's guarded by header-only digests/signatures making modification non-trivial and with signed packages, impossible. So there's now the means to perform strong verification of both the header and the payload independently of each other.</p>
<p>This means we can finally start phasing out the v3 digests and signatures for real. For one, it means that signing could technically be done without looking at the payload at all, making it much faster. It would also help the deltarpm case as discussed in <a class="issue-link js-issue-link" data-error-text="Failed to load issue title" data-id="497876446" data-permission-text="Issue title is private" data-url="https://github.com/rpm-software-management/rpm/issues/861" data-hovercard-type="issue" data-hovercard-url="/rpm-software-management/rpm/issues/861/hovercard" href="https://github.com/rpm-software-management/rpm/issues/861">#861</a>. I'd like to say "simpler code" too, but rpm probably needs to carry support for the v3 stuff for another decade more for compatibility reasons, so that's not right around the corner. We have to start someplace though, and I think that something should be changing rpmsign only create header-only signatures by default, and add a cli-switch to enable them for those who need it.</p>
<p>I'm sure I'm forgetting half a dozen things from my braindump, but it's a start at least.<br>
Thoughts?</p>
<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br />You are receiving this because you are subscribed to this thread.<br />Reply to this email directly, <a href="https://github.com/rpm-software-management/rpm/issues/863?email_source=notifications&email_token=ADLPZU5P2KZKYYJ3ZIWDUNDQLNAY3A5CNFSM4I2LIBW2YY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4HNSEDAQ">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/ADLPZU4TGA7EB4VTGESZNGTQLNAY3ANCNFSM4I2LIBWQ">mute the thread</a>.<img src="https://github.com/notifications/beacon/ADLPZU3R3V4KVH5OS4RZ5STQLNAY3A5CNFSM4I2LIBW2YY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4HNSEDAQ.gif" height="1" width="1" alt="" /></p>
<script type="application/ld+json">[
{
"@context": "http://schema.org",
"@type": "EmailMessage",
"potentialAction": {
"@type": "ViewAction",
"target": "https://github.com/rpm-software-management/rpm/issues/863?email_source=notifications\u0026email_token=ADLPZU5P2KZKYYJ3ZIWDUNDQLNAY3A5CNFSM4I2LIBW2YY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4HNSEDAQ",
"url": "https://github.com/rpm-software-management/rpm/issues/863?email_source=notifications\u0026email_token=ADLPZU5P2KZKYYJ3ZIWDUNDQLNAY3A5CNFSM4I2LIBW2YY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4HNSEDAQ",
"name": "View Issue"
},
"description": "View this Issue on GitHub",
"publisher": {
"@type": "Organization",
"name": "GitHub",
"url": "https://github.com"
}
}
]</script>