[Rpm-maint] [rpm-software-management/rpm] Rip out partial support for unused MD2 and RIPEMD160 digests (ff4b911)
Jeff Johnson
notifications at github.com
Wed Jun 27 16:57:00 UTC 2018
Presumably the "basic parameters" validation you are referring to is makeSigTag() in sign/rpmgensig.c where the returned signature is parsed and values are sanity checked.
That check will not prevent a signature using, say, MD2 from being added to a package.
The hash (and signing) algorithms which are "supported" by rpm need to also be checked so that the signer, not the consumer, of a package can be notified that an unverifiable (by rpm) signature has just been generated by the gpg helper.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/commit/ff4b9111aeba01dd025dd133ce617fb80f7398a0#commitcomment-29518382
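The signer-side check the comment above asks for, as an added example that is not rpm's code and not part of this thread: once the gpg helper returns a signature packet, parse its algorithm fields (RFC 4880 tag-2 packet, v3 or v4 body) and refuse to embed it if the public-key or hash algorithm is not one the verifier implements. The accepted-algorithm tables, the `SIGCHECK_*` result codes and the sample packet bytes are assumptions constructed for this example; the OpenPGP identifiers themselves are the RFC 4880 values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* OpenPGP algorithm identifiers (RFC 4880 sections 9.1 and 9.4). */
enum { PGPPUBKEY_RSA = 1, PGPPUBKEY_DSA = 17, PGPPUBKEY_ECDSA = 19, PGPPUBKEY_EDDSA = 22 };
enum { PGPHASH_MD5 = 1, PGPHASH_SHA1 = 2, PGPHASH_RIPEMD160 = 3, PGPHASH_MD2 = 5,
       PGPHASH_SHA256 = 8, PGPHASH_SHA384 = 9, PGPHASH_SHA512 = 10, PGPHASH_SHA224 = 11 };

/* Result codes for the signer-side check (constructed for this example). */
enum sigcheck { SIGCHECK_OK = 0, SIGCHECK_MALFORMED = -1,
                SIGCHECK_UNSUPPORTED_HASH = -2, SIGCHECK_UNSUPPORTED_PUBKEY = -3 };

/* Accepted algorithms. These tables are an assumption standing in for whatever the
 * verifier really implements; MD2, MD5 and RIPEMD160 are deliberately absent. */
static int hash_supported(int id)
{
    switch (id) {
    case PGPHASH_SHA1: case PGPHASH_SHA224: case PGPHASH_SHA256:
    case PGPHASH_SHA384: case PGPHASH_SHA512: return 1;
    default: return 0;
    }
}
static int pubkey_supported(int id)
{
    return id == PGPPUBKEY_RSA || id == PGPPUBKEY_DSA ||
           id == PGPPUBKEY_ECDSA || id == PGPPUBKEY_EDDSA;
}

/* Find the body of a tag-2 (signature) packet. Handles old- and new-format headers
 * with 1, 2 or 4 octet lengths; partial/indeterminate lengths are rejected. */
static int sig_packet_body(const uint8_t *pkt, size_t len, size_t *off, size_t *blen)
{
    if (len < 2 || !(pkt[0] & 0x80)) return -1;
    if (pkt[0] & 0x40) {                               /* new format: 0xC0 | tag */
        uint8_t l = pkt[1];
        if ((pkt[0] & 0x3f) != 2) return -1;
        if (l < 192) { *blen = l; *off = 2; }
        else if (l < 224) { if (len < 3) return -1;
            *blen = ((size_t)(l - 192) << 8) + pkt[2] + 192; *off = 3; }
        else if (l == 255) { if (len < 6) return -1;
            *blen = ((size_t)pkt[2] << 24) | ((size_t)pkt[3] << 16) |
                    ((size_t)pkt[4] << 8) | pkt[5]; *off = 6; }
        else return -1;
    } else {                                           /* old format: 0x80 | tag<<2 | ltype */
        if (((pkt[0] >> 2) & 0x0f) != 2) return -1;
        switch (pkt[0] & 0x03) {
        case 0: *blen = pkt[1]; *off = 2; break;
        case 1: if (len < 3) return -1;
                *blen = ((size_t)pkt[1] << 8) | pkt[2]; *off = 3; break;
        case 2: if (len < 5) return -1;
                *blen = ((size_t)pkt[1] << 24) | ((size_t)pkt[2] << 16) |
                        ((size_t)pkt[3] << 8) | pkt[4]; *off = 5; break;
        default: return -1;
        }
    }
    return (*blen > len - *off) ? -1 : 0;              /* body must fit in the buffer */
}

/* Parse the algorithm fields of a freshly generated signature and refuse anything the
 * verifier cannot check. Out-parameters may be NULL; they are set once parsing succeeds. */
int check_signature_algorithms(const uint8_t *pkt, size_t len, int *pubkey_id, int *hash_id)
{
    size_t off, blen; int pk, h;
    if (sig_packet_body(pkt, len, &off, &blen) != 0) return SIGCHECK_MALFORMED;
    const uint8_t *b = pkt + off;
    if (blen >= 6 && b[0] == 4) {                      /* v4: ver,type,pubkey,hash,hashed-len */
        pk = b[2]; h = b[3];
    } else if (blen >= 17 && b[0] == 3 && b[1] == 5) { /* v3: ver,5,type,time[4],keyid[8],pubkey,hash */
        pk = b[15]; h = b[16];
    } else {
        return SIGCHECK_MALFORMED;
    }
    if (pubkey_id) *pubkey_id = pk;
    if (hash_id) *hash_id = h;
    if (!pubkey_supported(pk)) return SIGCHECK_UNSUPPORTED_PUBKEY;
    if (!hash_supported(h)) return SIGCHECK_UNSUPPORTED_HASH;
    return SIGCHECK_OK;
}

/* Convenience for callers that only want the digest id (-1 if unparseable). */
int signature_hash_id(const uint8_t *pkt, size_t len)
{
    int h = -1;
    return check_signature_algorithms(pkt, len, NULL, &h) == SIGCHECK_MALFORMED ? -1 : h;
}

/* Constructed packet prefixes: only the leading bytes matter for this check. */
const uint8_t SIG_MD2_RSA[]    = { 0xC2, 0x06, 0x04, 0x00, 0x01, 0x05, 0x00, 0x00 };
const uint8_t SIG_SHA256_RSA[] = { 0xC2, 0x06, 0x04, 0x00, 0x01, 0x08, 0x00, 0x00 };
const uint8_t SIG_TRUNCATED[]  = { 0x88, 0x06, 0x04 };

int main(void)
{
    int h;
    int rc = check_signature_algorithms(SIG_MD2_RSA, sizeof SIG_MD2_RSA, NULL, &h);
    printf("MD2 signature: rc=%d hash=%d\n", rc, h);        /* rc=-2 hash=5 */
    rc = check_signature_algorithms(SIG_SHA256_RSA, sizeof SIG_SHA256_RSA, NULL, &h);
    printf("SHA256 signature: rc=%d hash=%d\n", rc, h);     /* rc=0 hash=8 */
    return 0;
}
```

Running the check at signing time, right after the helper returns, reports the unverifiable digest to the person signing rather than to a consumer who later fails verification; the sanity checks on sizes and tags in the existing parse path do not catch this on their own.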