[Rpm-maint] Identifying which files need signatures

Fionnuala Gunter fin at linux.vnet.ibm.com
Fri Jan 16 22:18:05 UTC 2015


Hi,

Missing from the RPM patches that add file signatures is a way for
package maintainers to specify which files need signing. Dmitry
Kasatkin suggested that we enumerate signed files with a spec tag,
similar to how we enumerate files, i.e.

%files
%defattr(-,root,root,-)
%{_bindir}/*
%{_libdir}/libimaevm.*
%{_includedir}/*

%sign
%{_bindir}/*

Another option for identifying signed files is with a new file-related
directive, i.e.

%files
%defattr(-,root,root,-)
%sign %{_bindir}/*
%{_libdir}/libimaevm.*
%{_includedir}/*

The third option is modifying the %verify directive to include signature, i.e.

%files
%defattr(-,root,root,-)
%verify(md5 signature size user group) %{_bindir}/*
%{_libdir}/libimaevm.*
%{_includedir}/*


The first option looks straightforward, and mostly entails writing
another parser. However, the files needing signatures would be listed
under both %files and %sign tags. I prefer the second option since
file-related directives are already used to mark special files in the
%files list. The third option might be better if the %verify directive
was updated for other file digest algorithms. Please let me know if any
of these options sound appealing, or if you have other ideas.

Thanks,
Fin


