[Rpm-maint] [rpm-software-management/rpm] Add new signature headers for Post Quantum Signatures (Issue #3363)

Panu Matilainen notifications at github.com
Tue Oct 15 05:59:51 UTC 2024


> Well it depends at what level you are asking.
> I can give you openssl commands that use oqs-provider and will let you generate keys and apply raw signatures.
> But I assume you want to see a PGP command line app that will generate a PQ signature instead?

OpenPGP command line yes, but while waiting for that to materialize I play the cat that curiosity killed and poke at openssl created raw signatures instead. Not for applying in rpm, but just to make this whole PQ affair somehow more tangible. Seeing is believing etc.

As for the rpm part: the verification machinery in rpm does support multiple signatures per package as-is, I added it as a pre-requisite for #1050 back in 2018 or so, but the part that actually creates multiple signatures in rpm was never merged, so it's been unused and could've bitrotted. The foundation is there though.

The existing RSAHEADER/DSAHEADER signatures are treated as if only one can exist, but that's just convention rather than a technical limitation. So assuming Sequoia can do OpenPGP PQS, we can add a new tag for that and add it alongside an existing RSA/DSA signature instead of replacing it. And then on package read, stash it up for verification, and voilà, the rest is up to rpm-sequoia. Rpm only knows "verify everything" policy currently, but what makes up "everything" can be configured with the various verification macros. And with that, I think we have a rudimentary PCS support in rpm.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3363#issuecomment-2412962189