[Rpm-maint] [rpm-software-management/rpm] RFE: add support for multiple OpenPGP signatures per package (Issue #3385)
Panu Matilainen
notifications at github.com
Thu Oct 17 06:26:01 UTC 2024
Initially requested in #189 and one possible implementation drafted in #1050, but lacking direction and motivation at the time. The topic rose again in the context of Post Quantum signatures in #3363 - something rpm would rather not know anything about. #1050 added labels to each signature but this is apparently a goofy idea (I think I stole it from Debian at the time), and back then rpm v3 header+payload signatures complicated the backwards compatibility story quite a bit, which is where I ran out of steam in the face of lack of general interest. The discussion in #3363 provided us with a nice clear path ahead now, with multiple benefits, so much so that it'd be stupid not to do this now:
- support for multiple signatures has generic benefits and use-cases
- puts a further layer of insulation between rpm and crypto, something we have been actively driving for a couple of years now
- adds provisions for PQC without us getting directly involved in it
- lines up nicely with the rpm v6 theme and timing
- most of it is already implemented

What the implementation will do:
- add a string array RPMTAG_OPENPGP tag and RPMSIGTAG_OPENPGP alias
- RPMTAG_OPENPGP may contain one or more OpenPGP signatures base64-encoded (the header doesn't support binary arrays)
- rpmsign --addsign appends a new signature to the RPMTAG_OPENPGP tag
- rpmsign --delsign deletes all signatures from the package
- backwards compatibility is handled as follows:
  - when signing v4 packages, the first added RSA/DSA/EcDSA signature is additionally stored in binary format to RPMTAG_RSAHEADER/RPMTAG_DSAHEADER as appropriate
  - v6 packages get only RPMTAG_OPENPGP signatures, unless --rpmv4 switch (added by the PR) is used - this allows rpm v4 to verify such packages
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3385
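
A small Python model of the tag handling described in this message, added here as an illustration; it is not rpm's code. The header is modelled as a dict; the function names, the ECDSA-to-DSA-tag mapping, the "one legacy copy in total" reading and the verifier-side consistency check are assumptions, and the sample packets are constructed stubs.

```python
import base64

# OpenPGP public-key algorithm ID -> legacy v4 tag. Assumption: ECDSA (19) shares
# the DSA tag; the message only says "as appropriate".
LEGACY_TAG = {1: "RPMTAG_RSAHEADER", 17: "RPMTAG_DSAHEADER", 19: "RPMTAG_DSAHEADER"}

def sig_pubkey_algo(pkt: bytes) -> int:
    """Public-key algorithm ID of one binary OpenPGP signature packet (v4+)."""
    if len(pkt) < 2 or not pkt[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if pkt[0] & 0x40:  # new-format header: 1, 2 or 5 length octets
        ptag, first = pkt[0] & 0x3F, pkt[1]
        if 224 <= first < 255:
            raise ValueError("partial body lengths not supported")
        hdr = 2 if first < 192 else 3 if first < 224 else 6
    else:  # old-format header: length type in the low two bits
        ptag, ltype = (pkt[0] >> 2) & 0x0F, pkt[0] & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        hdr = 1 + (1, 2, 4)[ltype]
    body = pkt[hdr:]
    if ptag != 2 or len(body) < 3 or body[0] < 4:
        raise ValueError("not a v4+ signature packet")
    return body[2]  # body starts: version, signature type, public-key algorithm

def addsign(header: dict, pkt: bytes, v4_compat: bool) -> None:
    """Model of --addsign; v4_compat means a v4 package or a v6 one with --rpmv4."""
    legacy = LEGACY_TAG.get(sig_pubkey_algo(pkt))  # raises on malformed input
    header.setdefault("RPMTAG_OPENPGP", []).append(base64.b64encode(pkt).decode())
    # Interpretation: only the first eligible signature gets a binary legacy copy.
    if v4_compat and legacy and not any(t in header for t in LEGACY_TAG.values()):
        header[legacy] = pkt

def delsign(header: dict) -> None:
    """Model of --delsign: drop every signature, legacy copies included."""
    for tag in ("RPMTAG_OPENPGP", *LEGACY_TAG.values()):
        header.pop(tag, None)

def legacy_copy_consistent(header: dict) -> bool:
    """Verifier-side check: each legacy copy must also be in RPMTAG_OPENPGP."""
    decoded = [base64.b64decode(s) for s in header.get("RPMTAG_OPENPGP", [])]
    return all(header[t] in decoded for t in LEGACY_TAG.values() if t in header)

# Constructed, truncated packets: header, then version, type, pubkey algo, hash algo.
RSA_SIG = bytes([0xC2, 4, 4, 0x00, 1, 8])     # new-format header, RSA
EDDSA_SIG = bytes([0xC2, 4, 4, 0x00, 22, 8])  # EdDSA: no legacy tag
DSA_SIG = bytes([0x88, 4, 4, 0x00, 17, 2])    # old-format header, DSA
```

Calling `addsign` with `EDDSA_SIG`, `RSA_SIG` and `DSA_SIG` in that order and `v4_compat=True` leaves three entries in `RPMTAG_OPENPGP` and a single legacy copy in `RPMTAG_RSAHEADER`; with `v4_compat=False` only `RPMTAG_OPENPGP` is written.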