[Rpm-maint] [rpm-software-management/rpm] Add new signature headers for Post Quantum Signatures (Issue #3363)

Panu Matilainen notifications at github.com
Wed Oct 16 06:10:02 UTC 2024


Exactly.

And the more I think about this, the more stupid it all seems now. Rpm is not *in the slightest* interested in what algorithm is used in an OpenPGP signature. The problem with #1050 was basically lack of direction and motivation, but it's time to take another look at that because we have a clear direction now: get the heck out of OpenPGP business. If the named multisignature support was there, we wouldn't necessarily be even discussing this now, PQC-OpenPGP would be just another OpenPGP signature that somebody chose to slap on their packages, rpm would not really need to know.

To summarize the named multisignature stuff from 1050:
- add a new string array tag called RPMTAG_OPENPGP
- the signatures are stored in something like `<label>:<base64sig>` format, with the label being a part of the signature data
- label is an arbitrary string describing the signature in whatever means makes sense to you: you can put the algorithm in there (RSA/ECDSA...), you can put a role in there (devel/qe/distro), email, organization (AcmeCorp IT) etc - whatever

What was missing was:
- selectively deleting signatures
- interoperability with the traditional signatures
- applying a signature policy based on the labels

With the exception of the policy stuff, it should be pretty easy to revive that effort.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3363#issuecomment-2415815365
Message ID: <rpm-software-management/rpm/issues/3363/2415815365 at github.com>
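The `<label>:<base64sig>` layout sketched above, as an added example that is not rpm's code and not part of the original comment: it parses such a string array, drops entries by label, and checks a simple label-based policy. The helper names, the policy shape and the sample tag contents are this example's own assumptions.

```python
import base64
import binascii

# Hypothetical helpers for a string-array tag whose entries look like
# "<label>:<base64sig>", as proposed for RPMTAG_OPENPGP. Not rpm code.

def parse_entry(entry):
    """Split one "<label>:<base64sig>" entry into (label, raw_signature).

    Base64 never contains ':', so splitting at the LAST colon keeps labels
    that themselves contain colons (e.g. "qe:v2") intact.
    """
    label, sep, b64 = entry.rpartition(":")
    if not sep or not label:
        raise ValueError(f"malformed entry: {entry!r}")
    try:
        sig = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64 in entry labelled {label!r}") from exc
    return label, sig

def parse_tag(entries):
    """Parse every entry of the tag, failing on the first malformed one."""
    return [parse_entry(e) for e in entries]

def delete_by_label(entries, label):
    """Selectively drop all signatures carrying a given label
    (one of the pieces listed above as missing from #1050)."""
    return [e for e in entries if parse_entry(e)[0] != label]

def check_policy(entries, required_labels):
    """Label-based policy: every required label must have a signature.
    Returns the list of missing labels; an empty list means it passed."""
    present = {label for label, _ in parse_tag(entries)}
    return [lbl for lbl in required_labels if lbl not in present]

# Constructed sample tag contents; the base64 payloads are placeholders,
# not real OpenPGP signature packets.
SAMPLE_TAG = [
    "rsa:" + base64.b64encode(b"sig-bytes-1").decode(),
    "devel:" + base64.b64encode(b"sig-bytes-2").decode(),
    "AcmeCorp IT:" + base64.b64encode(b"sig-bytes-3").decode(),
]
```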