[Rpm-maint] [rpm-software-management/rpm] RPMv6 proposal: treat IMA and fsverity signatures as part of the package (Issue #2200)
Demi Marie Obenour
notifications at github.com
Wed Sep 21 13:34:31 UTC 2022
In RPMv4, IMA and fsverity signatures are not considered part of the package, but of the signature. Therefore, they are included in the signature header (not the main header), which leads to various problems and increases attack surface. For RPMv6, I propose that they be considered part of the package itself, and so included in the main header. Adding IMA and fsverity signatures to a package would thus create a new package.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2200