[Rpm-maint] [rpm-software-management/rpm] Provide a decent API for verifying package signatures (Issue #2041)
Panu Matilainen
notifications at github.com
Fri Mar 31 09:48:40 UTC 2023
Okay, back to our scheduled program :laughing:
With the work to add better error reporting in #2453, it suddenly looks more appetizing to improve the upper APIs too. Right now the API is basically "here's the keyring, see if something fits". Which is sufficient for rpm's own current use, but e.g. dnf wants to track keys per repo, which we don't handle at all.
So it seems the lowest level public verification API should take a key instead of a keyring, and for that the keyring needs to provide an API to look up keys. We had one but it was just recently axed because it was so bad otherwise... So currently that's kinda backwards: the API that only rpm needs is public, and the ones that others need are private :facepalm:
Then on top of that, we need that package signature verification, which also needs to take just a key, take at least vsflags for controlling operation and have error message return pointer. I need to take a closer look at https://gitlab.com/dkg/openpgp-stateless-cli/-/issues/32...