[Rpm-maint] [rpm-software-management/rpm] RFE: add support for multiple OpenPGP signatures per package (Issue #3385)

Jan Zerebecki notifications at github.com
Wed Nov 6 18:46:34 UTC 2024


One important point of my suggestion is that the list of keys that are associated with a repo is signed and verifiable with the same list, but is distinct from the keys that are trusted to sign repos. Trusted keys are a superset of keys used in a repo.

This makes verifying parts of a repo more deterministic. If your config verified the repo, the uncompromised rpms will always verify. You do not suddenly get one rpm that has only a new signature that you always skipped on the other rpms because they had also an old one.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3385#issuecomment-2460524389
You are receiving this because you are subscribed to this thread.

Message ID: <rpm-software-management/rpm/issues/3385/2460524389 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20241106/e7586b7e/attachment.html>


More information about the Rpm-maint mailing list