[Rpm-maint] [rpm-software-management/rpm] Ignore most unhashed subpackets in OpenPGP signatures (Issue #1886)

Justus Winter notifications at github.com
Mon Jan 17 12:37:23 UTC 2022


>  Therefore, it is only safe to process subpackets that restrict the validity of the signature.

Not quite.  It is only safe to process subpackets that are self-authenticating.  For example, the issuer subpacket is self-authenticating:  It is used as a hint as to which key made the signature.  If that key is found, the signature can be verified with it.  If successful, this authenticates the issuer subpacket.

> I recommend going further and ignoring everything except for primary key binding signatures, key ID subpackets, and fingerprint subpackets.

I'm assuming you mean embedded signature, issuer, and issuer fingerprint subpackets.  That list looks good, yes.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1886#issuecomment-1014475532
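
The allowlist agreed on above (issuer, issuer fingerprint, embedded signature), applied while walking an unhashed subpacket area. This is an added example, not code from the message or from rpm; filter_unhashed, is_self_authenticating and sample_area are hypothetical names, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Subpacket type IDs (RFC 4880; type 33 from RFC 9580). */
enum { SP_ISSUER = 16, SP_EMBEDDED_SIG = 32, SP_ISSUER_FPR = 33 };

/* Constructed sample of an unhashed area, not taken from a real signature. */
static const uint8_t sample_area[] = {
    0x09, 0x10, 1, 2, 3, 4, 5, 6, 7, 8,   /* issuer key ID */
    0x05, 0x83, 0x00, 0x00, 0x0e, 0x10,   /* signature expiration, critical bit set */
    0x03, 0x20, 0xaa, 0xbb,               /* embedded signature, placeholder body */
};

/* Allowlist from the discussion: hints that are confirmed (or rejected)
 * by the signature verification they lead to. */
static int is_self_authenticating(uint8_t type)
{
    return type == SP_ISSUER || type == SP_EMBEDDED_SIG || type == SP_ISSUER_FPR;
}

/* Walk an unhashed subpacket area and record the types that may be processed.
 * Returns the number of types written to kept[], or -1 if the area is
 * malformed or kept[] is too small. Hypothetical helper, not rpm's API. */
int filter_unhashed(const uint8_t *area, size_t len, uint8_t *kept, size_t cap)
{
    size_t pos = 0, n = 0;
    while (pos < len) {
        size_t splen, first = area[pos++];
        if (first < 192) {                       /* one-octet length */
            splen = first;
        } else if (first < 255) {                /* two-octet length */
            if (len - pos < 1) return -1;
            splen = ((first - 192) << 8) + area[pos++] + 192;
        } else {                                 /* five-octet length */
            if (len - pos < 4) return -1;
            splen = ((size_t)area[pos] << 24) | ((size_t)area[pos + 1] << 16) |
                    ((size_t)area[pos + 2] << 8) | area[pos + 3];
            pos += 4;
        }
        /* splen counts the type octet, so it must be >= 1 and fit the area. */
        if (splen < 1 || splen > len - pos) return -1;
        uint8_t type = area[pos] & 0x7f;         /* bit 7 is the critical flag */
        if (is_self_authenticating(type)) {
            if (n == cap) return -1;
            kept[n++] = type;
        }
        pos += splen;   /* all other types are skipped without being interpreted */
    }
    return (int)n;
}
```

The kept subpackets are still only hints: an issuer or issuer fingerprint counts for nothing until the signature verifies under the key it points to.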