[Rpm-maint] [rpm-software-management/rpm] RFE: add support for multiple OpenPGP signatures per package (Issue #3385)

Jan Zerebecki notifications at github.com
Thu Oct 17 17:15:34 UTC 2024


@simo5 Example: user wants to check that 3 signatures all do verify. How do they get them? If they download the rpm from signer No 1, then that one can withhold the signature from signer No 2. If it's a detached signature, that problem doesn't exist. Or do you have a solution to this?

The signature changes the rpm, so the rpm is not bitwise identical, making it non-reproducible; see https://reproducible-builds.org/ for the finer details.

You usually need to move around multiple files anyway, as Linux distributions are made from many small packages. Handling multiple files is easy with wildcards like *rpm. Detached signatures do not change that. Anyway, users mostly do not use rpm directly on rpm files, but things like dnf.

Embedded signatures are an anti-pattern. They should never be used because they make distinguishing between signed content and signature more difficult. They increase the complexity for verification, making complete security failure likely to happen. See e.g. vulnerability reports about Android apk signature verification.

-- 
https://github.com/rpm-software-management/rpm/issues/3385#issuecomment-2420082641
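As an added illustration of the reproducibility point made in the comment above (this is not part of the original comment or of rpm's own code): the RPM on-disk format stores an embedded signature in a separate signature header in front of the main header and payload, so a small parser can show that adding a signature changes the bytes of the file while the region the signature covers stays identical. Layout constants follow the RPM v4 format; the two package blobs and the signature tag value are constructed here for the demonstration.

```python
import hashlib
import struct

LEAD_SIZE = 96                       # RPM lead: fixed-size legacy header
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # header-structure magic + version 1


def header_end(buf, off):
    """Return the offset just past the header structure starting at off."""
    if buf[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    return off + 16 + nindex * 16 + hsize      # intro, index entries, data


def split_rpm(buf):
    """Split an RPM into (lead + signature header, main header + payload).

    Embedded OpenPGP signatures live in the signature header; what they
    sign is the main header (and, for older tags, the payload) after it.
    """
    if buf[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    end = header_end(buf, LEAD_SIZE)
    end += (-end) % 8                # signature header is padded to 8 bytes
    return buf[:end], buf[end:]


def digests(buf):
    """Return (sha256 of the whole file, sha256 of the signed region)."""
    _, signed = split_rpm(buf)
    return hashlib.sha256(buf).hexdigest(), hashlib.sha256(signed).hexdigest()


def build_header(data):
    """Constructed header structure with one BIN (type 7) entry, tag 1000."""
    index = struct.pack(">IIII", 1000, 7, 0, len(data))
    return HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", 1, len(data)) + index + data


def build_rpm(signature_blob, payload):
    """Constructed minimal RPM: lead (v3.0), signature header, header, payload."""
    lead = LEAD_MAGIC + b"\x03\x00" + b"\0" * (LEAD_SIZE - 6)
    sig = build_header(signature_blob)
    sig += b"\0" * ((-len(sig)) % 8)
    return lead + sig + build_header(b"main-header") + payload


# Same content, different embedded signature: the file digest changes while
# the digest of the signed region does not.
UNSIGNED = build_rpm(b"", b"payload-bytes")
SIGNED = build_rpm(b"constructed-openpgp-signature", b"payload-bytes")
```

With a detached signature the package bytes would be the UNSIGNED blob in both cases, which is why the detached form keeps the artifact bit-identical across signers.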

