[Rpm-maint] [rpm-software-management/rpm] Multisig: Invalid signatures cause (possibly) wrong verification result (Issue #3872)
Michal Domonkos
notifications at github.com
Tue Jul 29 12:08:16 UTC 2025
dmnks created an issue (rpm-software-management/rpm#3872)
Early testing of the multi-signature feature (done by @Jakuje and the team) has revealed some possible issues/bugs related the *overall* verification result when one or more signature is faulty, namely:
1. Corrupted signatures (inverted byte in the middle of the signature area) currently do **not** cause the whole verification to fail if there is another signature that is OK
2. Signatures done by algorithm forbidden in crypto-policies currently **do** cause the whole verification to fail, even if there is another signature that is OK
It seems like these two cases should actually result in the exact opposites, i.e. the former (a corrupt signature) should result in a negative verification whereas the latter (a forbidden or disabled algo) should result in a positive one.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3872
You are receiving this because you are subscribed to this thread.
Message ID: <rpm-software-management/rpm/issues/3872 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20250729/faf1b207/attachment.htm>
More information about the Rpm-maint
mailing list