[Rpm-maint] [rpm-software-management/rpm] RFE: add support for multiple OpenPGP signatures per package (Issue #3385)

Simo Sorce notifications at github.com
Thu Oct 17 19:06:24 UTC 2024


Your example assumes the user will not be able to ensure a specific signature is in the rpm, but @pmatilai in his list added explicitly the ability for rpm -qi to list signatures, so the user can verify that a signature that purports to be from a vendor exists, and you can verify the signature via the usual methods.

The reproducible stuff is about being able to reproduce the payload, and that is unchanged, as the signature is applied after an rpm is built and is not part of the payload. So you can definitely reproduce the build and check that the signature on the original rpm does in fact still validate (if the payload is identical).

On the embedding we will simply disagree.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3385#issuecomment-2420325399

Message ID: <rpm-software-management/rpm/issues/3385/2420325399 at github.com>