[Rpm-maint] [rpm-software-management/rpm] rpm --import does not replace old keys with new keys (Issue #2577)

Neal H. Walfield notifications at github.com
Sat Jul 22 09:54:04 UTC 2023


> @nwalfield, merging certificates sounds like a relatively hard problem to solve in general.

Can you explain what you are thinking or worried about here?  The implementation to merge certificates in Sequoia [starts here](https://gitlab.com/sequoia-pgp/sequoia/-/blob/9e48a064/openpgp/src/cert.rs#L2592).  We basically turn the two certificates into arrays of packets, and merge the two arrays.  Then we [canonicalize](https://gitlab.com/sequoia-pgp/sequoia/-/blob/9e48a064/openpgp/src/cert.rs#L1519-2090) the result, which reorders and dedups the packets.  I admit it is a few lines of code, but I think it is a stretch to say that it is a hard problem.

> Can you think of any use cases where this would cause a problem?

Yes.  If the new certificate is missing some components that the existing version has, signatures that could once be verified may no longer be verifiable.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2577#issuecomment-1646546531
You are receiving this because you are subscribed to this thread.

Message ID: <rpm-software-management/rpm/issues/2577/1646546531 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20230722/ab18dd41/attachment-0001.html>


More information about the Rpm-maint mailing list