[Rpm-maint] [rpm-software-management/rpm] Require creation time to be unique and hashed (PR #1912)
Justus Winter
notifications at github.com
Tue Feb 15 10:39:21 UTC 2022
@teythoon commented on this pull request.
> impl = *p;
- if (!(_digp->saved & PGPDIG_SAVED_TIME) &&
- (sigtype == PGPSIGTYPE_POSITIVE_CERT || sigtype == PGPSIGTYPE_BINARY || sigtype == PGPSIGTYPE_TEXT || sigtype == PGPSIGTYPE_STANDALONE))
So you care about positive certifications, binary and text signatures, and standalone signatures? That list seems dubious:
- First, there are more certifications that can be used by implementations as binding (self) signatures. Note the "most" in Section [5.2.1 of RFC4880](https://datatracker.ietf.org/doc/html/rfc4880#section-5.2.1):
> Most OpenPGP implementations make their "key signatures" as 0x10
> certifications. Some implementations can issue 0x11-0x13
> certifications, but few differentiate between the types.
- I doubt that you care about standalone signatures. Those are like binary signatures over a zero-length documents. If RPM cares, I'd be curious what the use case is.
- You should really care about subkey binding signatures. How else would you know that a subkey is eligible to make signatures in the name of the certificate, i.e. whether
- the subkey is bound to a certificate at the time the signature in question is created, and
- the subkey is marked as signing-capable?
This change looks good.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1912#discussion_r806689912
You are receiving this because you are subscribed to this thread.
Message ID: <rpm-software-management/rpm/pull/1912/review/882787675 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20220215/56575241/attachment.html>
More information about the Rpm-maint
mailing list