[Rpm-maint] [rpm-software-management/rpm] rpmsign can copy an OpenPGP v6 signature into legacy tags (Issue #3851)
Panu Matilainen
notifications at github.com
Wed Jul 2 07:11:55 UTC 2025
pmatilai created an issue (rpm-software-management/rpm#3851)
When using --rpmv6 on v4 packages (or --rpmv4 on v6 packages) using an OpenPGP v6 key of a v4 compatible algorithm (RSA/ECDSA/EDDSA), rpmsign will make a compatibility copy of the signature into one of RPMSIGTAG_DSA or RPMSIGTAG_RSA but rpm 4.x can NOT verify such a signature.
Commit ad114b0174c26fa101ce9bbf82930b2c2e421a09 was a related fix, but just looking at the algorithm is not enough, we need to also check the signature version and only make a compatibility signature copy if the signature version is 3 or 4 *and* using a compatible algorithm.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3851
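The condition described in the issue (signature version 3 or 4 and a compatible algorithm), written out as an added example; this is not rpm's code and not from the issue author. The function names are hypothetical, the sample bytes are constructed, the algorithm list is the one named in the issue, and the packet length field is not cross-checked against the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Public-key algorithm IDs the issue names as v4 compatible. */
enum { ALGO_RSA = 1, ALGO_ECDSA = 19, ALGO_EDDSA = 22 };

/* Offset of the signature packet body, or 0 if not a usable tag-2 packet. */
static size_t sig_body_offset(const uint8_t *p, size_t len)
{
    static const size_t old_hdr[4] = { 2, 3, 5, 0 };  /* by length type */

    if (len < 2 || !(p[0] & 0x80))
        return 0;
    if (!(p[0] & 0x40))                       /* old-format header */
        return ((p[0] >> 2) & 0x0f) == 2 ? old_hdr[p[0] & 0x03] : 0;
    if ((p[0] & 0x3f) != 2)                   /* new-format header */
        return 0;
    if (p[1] < 192) return 2;                 /* one-octet length */
    if (p[1] < 224) return 3;                 /* two-octet length */
    return p[1] == 255 ? 6 : 0;               /* partial lengths rejected */
}

/* Hypothetical helper: 1 if a legacy-tag copy would be verifiable, else 0. */
int legacy_copy_allowed(const uint8_t *p, size_t len)
{
    size_t off = sig_body_offset(p, len);
    uint8_t algo;

    if (off == 0 || off >= len)
        return 0;
    if (p[off] == 4 && len >= off + 3)
        algo = p[off + 2];    /* version, sig type, pubkey algo */
    else if (p[off] == 3 && len >= off + 16)
        algo = p[off + 15];   /* version, 5, sig type, time[4], keyid[8], algo */
    else
        return 0;             /* v5/v6, unknown or truncated */
    return algo == ALGO_RSA || algo == ALGO_ECDSA || algo == ALGO_EDDSA;
}

int main(void)
{
    /* Constructed sample headers: same RSA algorithm, different versions. */
    const uint8_t v4[] = { 0xC2, 0x04, 0x04, 0x00, 0x01, 0x0A };
    const uint8_t v6[] = { 0xC2, 0x04, 0x06, 0x00, 0x01, 0x0A };
    printf("v4 RSA: %d, v6 RSA: %d\n",
           legacy_copy_allowed(v4, sizeof v4), legacy_copy_allowed(v6, sizeof v6));
    return 0;
}
```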