[Rpm-maint] [rpm-software-management/rpm] Add support for multiple signature verification (Issue #4089)

Panu Matilainen notifications at github.com
Thu Jan 15 08:56:05 UTC 2026


pmatilai left a comment (rpm-software-management/rpm#4089)

> This way we could come to a conclusion that the current RPM policy is wrong and RPM should be changed to require at least one, valid and trusted signature.
[...]
> For the simplicity I recommend RPM to change the policy from all-signatures to at-least-one signature. (There is already a policy for no-signature-needed.) If RPM wants to preserve the policy for all-signatures, then it can retain it, but a practical use case is not clear to me.

This behavior has already been implemented upstream for packages as a part of #4020 and #4069 and will be part of RPM 6.1. Distro backports are tracked elsewhere. But librepo uses the lowest-level crypto APIs and won't benefit from that work; I'm afraid you'll have to implement your own logic around that as per your use-case.

And yes ideally there would be some fancy configurable policies around it, but that's unlikely to happen anytime soon. We've basically spent a year on keys and signatures, and we need to get back to package management.

There's certainly a demand for a sane(r) verification API and a ticket to track it: #2041, and handling multiple signatures is another piece to add to the never-ending list of requirements there.
