[Rpm-maint] [rpm-software-management/rpm] Add support for multiple signatures per package, aka v6 signatures (PR #3439)

Florian Festi notifications at github.com
Tue Nov 19 14:40:55 UTC 2024


I guess this is twofold: First we assume they are the same when there really is no reason an attacker would do so. So we can end up with different signatures depending on the rpm version being used.

Then there's this "the newer rpm could check this but we leave that to the older version that has less of a chance to figure things out". Not sure if this really is realistic this "use rpm V6 to check signatures and then hand the packages down to an older rpm version". Otoh there is this post quantum talk. As soon as we do have policies requiring specific signatures may be there is a way to sneak in weak signatures this way.

May be this is just fine for now and we need to look at this later on when we get into policy based verification.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/3439#issuecomment-2485903311
You are receiving this because you are subscribed to this thread.

Message ID: <rpm-software-management/rpm/pull/3439/c2485903311 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20241119/32e7fe13/attachment.htm>


More information about the Rpm-maint mailing list