[Rpm-maint] [rpm-software-management/rpm] Ignore legacy signature tags in v6 packages (PR #3933)

Panu Matilainen notifications at github.com
Wed Sep 10 11:06:50 UTC 2025


Signature tags in the >= 1000 range have no place in v6 packages, but there's nothing we can do to prevent old rpm versions and 3rd party signing tooling putting them there. We could error out, but this seems draconian when we try so hard to be compatible otherwise. So use a little heuristic on what looks like a v6 package or newer and just ignore those old tags on such packages.

There are two parts to this: one on the verification side, and another on the package retrofits side. Would be nice to avoid the duplication but that's for another day.

Update the v3 sig test expectation accordingly, and the one earlier test where it was looking for an MD5 digest. #3803 is closely related as well, but this is more about the conflicting tag range >= 1000 in general than package format, although there is a correlation to v3 packages.

Fixes: #3852

You can view, comment on, or merge this pull request online at:

  https://github.com/rpm-software-management/rpm/pull/3933

-- Commit Summary --

  * Add test-cases for v3 signatures in v6 packages
  * Refactor header blob entry finding to a helper function
  * Add hdrblobIsEntry() for testing tag presence from hdrblob level
  * Ignore legacy signature tags in v6 packages

-- File Changes --

    M lib/header.cc (34)
    M lib/header_internal.hh (3)
    M lib/package.cc (8)
    M lib/rpmvs.cc (11)
    A tests/data/RPMS/hlinktest-1.0-1.noarch-v3sig.rpm (0)
    M tests/rpmsigdig.at (28)
    M tests/rpmvfylevel.at (1)

-- Patch Links --

https://github.com/rpm-software-management/rpm/pull/3933.patch
https://github.com/rpm-software-management/rpm/pull/3933.diff

Message ID: <rpm-software-management/rpm/pull/3933 at github.com>