[Rpm-maint] [rpm-software-management/rpm] multiple signatures support? (#189)
Jan Zerebecki
notifications at github.com
Mon Mar 28 20:15:48 UTC 2022
Note that it is also useful to be able to verify an installed rpm's content against the signature, without having to download the rpm.
> Detached signatures can be verified without the involvement of RPM.
It would only work if there is no embedded signature and there is no other data removed or added for the signature. It might be a long time until distributions are willing to leave the embedded signature out. Until then, to be able to make use of multiple signatures one would need to involve rpm to verify them.
Supporting multiple detached signatures makes checking an rpm for being a reproducible build much easier. The additional signatures come from somewhere else at a later time. Only supporting embedded signatures would mean needing to rewrite the rpm after the download. Or using two entirely different ways to verify an rpm.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/189#issuecomment-1081095824