[Rpm-maint] [rpm-software-management/rpm] RFE: add support for multiple OpenPGP signatures per package (Issue #3385)

Simo Sorce notifications at github.com
Thu Oct 17 13:12:00 UTC 2024


Sounds reasonable that --resign will drop all signatures and add new ones.
I think the only potentially missing case here is the desire to drop only a specific signature.

The reason to do that is if you have a package with multiple signatures and you want to replace only one that had a signing key compromised while the others did not.

The use case is packages re-distributed by a 3rd party that wants to retain the original signatures and can't recreate them because they have no access to those keys.

I wonder if --resign could be enhanced to be able to specify a signature to replace, in which case it would only replace the specific signature and not drop them all?

This is really a corner case and if it is complicated it can definitely be deferred or even not made available.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3385#issuecomment-2419510209

Message ID: <rpm-software-management/rpm/issues/3385/2419510209 at github.com>

