[Rpm-maint] [rpm-software-management/rpm] rpmsign --delsign / --addsign regression can corrupt packages in rpm >= 4.18.1 (Issue #3469)
Panu Matilainen
notifications at github.com
Wed Nov 27 07:18:32 UTC 2024
The root cause is RH signing server placing file signatures outside the immutable region of the signature header, which breaks a whole bunch of assumptions the rpm code makes about this. Hysterically this only ever worked because we relaxed the signature header sanity checks for compatibility with rpm5 in commit 34c2ba3c6a80a778cdf2e42a9193b3264e08e1b3 :facepalm:
And since we allow that, we'll have to work around it in the signing code. There are other related bugs in that code too, mind.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3469#issuecomment-2503093854