[Rpm-maint] [rpm-software-management/rpm] Header signatures alone are not sufficient (#1672)
Demi Marie Obenour
notifications at github.com
Wed May 5 08:58:16 UTC 2021
This fixes how RPM handles packages that contain a header signature, but
neither header+payload signature nor payload digests. Such packages are
obviously not properly signed, but RPM previously accepted them.
This could be used to confuse both ‘rpmkeys -K’ and DNF. Both would
report that the package has been properly signed even when it has not.
The included regression tests demonstrate the change in behavior.
You can view, comment on, or merge this pull request online at:
https://github.com/rpm-software-management/rpm/pull/1672
-- Commit Summary --
* Header signatures alone are not sufficient
-- File Changes --
M lib/rpmvs.c (14)
M tests/Makefile.am (1)
A tests/data/RPMS/hello-2.0-1.x86_64-corrupted.rpm (0)
M tests/rpmsigdig.at (40)
-- Patch Links --
https://github.com/rpm-software-management/rpm/pull/1672.patch
https://github.com/rpm-software-management/rpm/pull/1672.diff
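The case described above (a header signature, but neither a header+payload signature nor a payload digest) can be spotted from tag presence alone. The following is an added example, not code from this pull request or from rpm: the function names and the skeletal sample packages are constructed for illustration, and it performs no cryptographic verification.

```python
import struct

HDR_MAGIC = b"\x8e\xad\xe8\x01"       # header structure magic + version
HEADER_SIGS = {267, 268}              # DSAHEADER, RSAHEADER: sign the main header only
HDR_PAYLOAD_SIGS = {1002, 1005}       # SIGPGP, SIGGPG: sign header + payload
PAYLOAD_DIGEST = 5092                 # PAYLOADDIGEST, stored in the signed main header

def read_tags(buf, off):
    """Return (set of tag numbers, end offset) for the header structure at off."""
    if len(buf) < off + 16 or buf[off:off + 4] != HDR_MAGIC:
        raise ValueError(f"no header structure at offset {off}")
    nindex, hsize = struct.unpack_from(">II", buf, off + 8)
    end = off + 16 + 16 * nindex + hsize
    if end > len(buf):
        raise ValueError("truncated header")
    tags = {struct.unpack_from(">I", buf, off + 16 + 16 * i)[0] for i in range(nindex)}
    return tags, end

def payload_coverage(rpm):
    """Classify what protects the payload, judged by tag presence only."""
    sig, end = read_tags(rpm, 96)              # signature header follows the 96-byte lead
    main, _ = read_tags(rpm, (end + 7) & ~7)   # main header starts on an 8-byte boundary
    if sig & HDR_PAYLOAD_SIGS:
        return "header+payload signature"
    if sig & HEADER_SIGS:
        if PAYLOAD_DIGEST in main:
            return "header signature + payload digest"
        return "header signature only"         # the case this pull request rejects
    return "no signature"

# Constructed sample input: skeletal lead + two headers holding one dummy byte per tag.
# Not installable packages; they only carry the tags the classifier looks at.
def _hdr(tags):
    index = b"".join(struct.pack(">IIII", t, 7, i, 1) for i, t in enumerate(tags))
    return HDR_MAGIC + bytes(4) + struct.pack(">II", len(tags), len(tags)) + index + bytes(len(tags))

def sample_rpm(sig_tags, main_tags):
    sig = _hdr(sig_tags)
    return b"\xed\xab\xee\xdb" + bytes(92) + sig + bytes(-len(sig) % 8) + _hdr(main_tags)

if __name__ == "__main__":
    for sig_tags, main_tags in [([268], [1000]), ([268], [1000, 5092]), ([268, 1002], [1000])]:
        print(sig_tags, main_tags, "->", payload_coverage(sample_rpm(sig_tags, main_tags)))
```

A result of "header signature only" means nothing in the package binds the payload to the signed header, so the payload is effectively unsigned.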