[Rpm-maint] [rpm-software-management/rpm] Add support for multiple signature verification (Issue #4089)

Fellipe Henrique notifications at github.com
Wed Jan 14 18:52:57 UTC 2026


fhbash created an issue (rpm-software-management/rpm#4089)

The current RPM library API used by librepo's RPM backend lacks proper support for handling multiple signatures on packages, specifically for implementing the logic where "at least one valid signature should allow package acceptance while all invalid/expired signatures should cause rejection."

Background:
This issue is related to https://github.com/rpm-software-management/librepo/issues/207 . The RPM backend has this ticket for task [RHEL-112394](https://issues.redhat.com/browse/RHEL-112394), and it's in Planning; as soon as this is done and merged, we can move forward with this implementation in librepo.

The gpgme backend task was done by this https://github.com/rpm-software-management/librepo/pull/354

Current Problem:
The latest RPM backend is missing an API to deal with multiple sign/key

Impact:
Without these RPM API enhancements, librepo cannot implement proper multiple signature verification logic that aligns with crypto-policy requirements defined in RHEL-112394.

Dependencies:
Related to: [RHEL-112394](https://issues.redhat.com/browse/RHEL-112394)
Component: rpm, librepo

Related DNF issue: https://github.com/rpm-software-management/dnf5/issues/2354

