[Rpm-maint] [rpm-software-management/rpm] Check the validity of hash algo (PR #3416)
Panu Matilainen
notifications at github.com
Wed Oct 30 12:10:34 UTC 2024
Oh, right: an unsupported algorithm will be treated equally to non-existent ones, and if it's a signature the package will simply be considered unsigned. And, in the traditional configuration a signature is not required.
Add this to the verify command and it will fail because there's no positive verification of the signature:
`--define "_pkgverify_level signature"`
The unsupported digest behavior is to permit the package to be verified by some other means, and that's even more important going forward as we add support for multiple signatures per package. It's a dark corner for sure and non-obvious behavior when you first encounter it, but it's something we can't change without breaking other things.
It'll be fixed by #1573.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/3416#issuecomment-2446922390