[Rpm-maint] [rpm-software-management/rpm] Rip out partial support for unused MD2 and RIPEMD160 digests (ff4b911)

Jeff Johnson notifications at github.com
Tue Jun 26 17:38:43 UTC 2018


Good riddance: Ptooey!

There is one last improvement that might be attempted.

RPM invokes gpg to sign plaintext blobs from packaging.

Because of the handoff to a gpg helper, it is possible for a signature to be undertaken on a digest (like MD2/RIPEMD etc) that the rpm internal gpg signature verification does not implement.

RPM will of course fail to verify a signature on an unimplemented digest algorithm. The problem that remains is that the error happens too late to be usefully informative.

The better implementation in rpm would be to check for supported/implemented digests when the signature is returned from the gpg helper in order to provide immediately useful error messages to the package signer.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/commit/ff4b9111aeba01dd025dd133ce617fb80f7398a0#commitcomment-29504410
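
The sign-time check proposed in the message above, as an added example (not rpm's code and not part of the original message): it reads the hash algorithm octet from the binary OpenPGP signature packet the helper returns and compares it with the digests the verifier implements. The function names, the `supported` set and the sample packets are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* OpenPGP hash algorithm IDs (RFC 4880 section 9.4; 5 was MD2 in RFC 2440). */
enum { H_MD5 = 1, H_SHA1 = 2, H_RIPEMD160 = 3, H_MD2 = 5,
       H_SHA256 = 8, H_SHA384 = 9, H_SHA512 = 10, H_SHA224 = 11 };

/* Assumption: digests the verifier implements; the real set depends on the build. */
static const uint8_t supported[] = { H_SHA1, H_SHA256, H_SHA384, H_SHA512, H_SHA224 };

/* Constructed samples: signature packets truncated after the hash algorithm octet. */
const uint8_t sample_v4_sha256[] = { 0xc2, 0x04, 0x04, 0x00, 0x01, 0x08 };
const uint8_t sample_v4_ripemd160[] = { 0x89, 0x00, 0x04, 0x04, 0x00, 0x01, 0x03 };

/* Return the hash algorithm ID of a leading signature packet, or -1 if malformed. */
int sig_hash_algo(const uint8_t *p, size_t n)
{
    size_t hdr, off;
    if (n < 2 || !(p[0] & 0x80)) return -1;
    if (p[0] & 0x40) {                            /* new-format header */
        if ((p[0] & 0x3f) != 2) return -1;        /* tag 2 = signature packet */
        if (p[1] < 192) hdr = 2;
        else if (p[1] < 224) hdr = 3;
        else if (p[1] == 255) hdr = 6;
        else return -1;                           /* partial body lengths rejected */
    } else {                                      /* old-format header */
        if (((p[0] >> 2) & 0x0f) != 2) return -1;
        if ((p[0] & 3) == 3) return -1;           /* indeterminate length rejected */
        hdr = 1 + ((size_t)1 << (p[0] & 3));      /* 1, 2 or 4 length octets */
    }
    if (n <= hdr) return -1;
    if (p[hdr] == 4) off = hdr + 3;               /* v4: version, type, pubkey, hash */
    else if (p[hdr] == 3) off = hdr + 16;         /* v3: hash follows time, key ID, pubkey */
    else return -1;
    return off < n ? p[off] : -1;
}

/* 1: verifiable later, 0: digest not implemented (report to the signer now), -1: malformed. */
int sig_digest_supported(const uint8_t *p, size_t n)
{
    int algo = sig_hash_algo(p, n);
    if (algo < 0) return -1;
    for (size_t i = 0; i < sizeof(supported); i++)
        if (supported[i] == algo) return 1;
    return 0;
}
```

A return of 0 is the case the message describes: the helper produced a well-formed signature whose digest the verifier cannot check, so the signing step can name the algorithm ID in its error instead of leaving the failure to verification time.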