[Rpm-maint] [rpm-software-management/rpm] Exempt src.rpm packages from file signature business (PR #3470)
Panu Matilainen
notifications at github.com
Tue Nov 26 13:40:31 UTC 2024
@pmatilai commented on this pull request.
> -
- if (flags & RPMSIGN_FLAG_FSVERITY) {
- if (includeVeritySignatures(fd, &sigh, &h))
- goto exit;
+ /* Add file signatures (if requested and not a source rpm) */
+ if (!headerIsSource(h)) {
+ if (flags & RPMSIGN_FLAG_IMA) {
+ if (includeFileSignatures(&sigh, &h))
+ goto exit;
+ }
+ if (flags & RPMSIGN_FLAG_FSVERITY) {
+ if (includeVeritySignatures(fd, &sigh, &h))
+ goto exit;
+ }
+ } else if (flags & (RPMSIGN_FLAG_IMA | RPMSIGN_FLAG_FSVERITY)) {
+ rpmlog(RPMLOG_WARNING,
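Review bot: the `else if (flags & (RPMSIGN_FLAG_IMA | RPMSIGN_FLAG_FSVERITY))` branch logs at RPMLOG_WARNING for every source package whenever either flag is set, so a single signing run over a mixed set of binary and source packages emits one warning per src.rpm even though the request is valid for the binary packages. Consider lowering the message to RPMLOG_DEBUG or dropping the branch, and state in the user-facing documentation that IMA and fs-verity file signatures are never added to source packages, so the exemption does not surprise anyone who expects file signatures on everything that was signed. The lines shown stop at the `rpmlog(` call, so it is not visible whether this branch falls through to the regular header signing or bails out; it should fall through so the src.rpm still gets its package signature.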
Pondering about the warning/error behavior still. It seems one might want to do a single --addsign on all the packages from a build for example, which could combine a mixture of binary and source packages. And for that the right thing would actually be just to silently ignore the file signature request for src.rpms :thinking:
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/3470#discussion_r1858563569