[Rpm-maint] [rpm-software-management/rpm] Add support for multiple signature verification (Issue #4089)
Panu Matilainen
notifications at github.com
Wed Jan 21 08:25:17 UTC 2026
pmatilai left a comment (rpm-software-management/rpm#4089)
Looking at this some more, I don't really know what the expectation here is.
librepo is using the same exact low-level nuts and bolts as rpm itself, and it's entirely possible to implement the desired logic on top of those. That's what we did for rpm package verification in #4020 and #4069, but that's closely tied to the *package* verification - rpm has little use for anything else - and there are all manner of crazy strings attached to that logic. Whereas the librepo interface appears to be around generic data.
The gpg expired signatures thing is not really relevant here, expiry is one thing but multiple signatures is going to require a whole different approach in librepo internal API as well. To support multiple signatures with gpgme, you're going to need to implement the logic inside librepo anyway.
Technically, I suppose rpm could implement a generic multi-signature verification on the rpmkeyring level, but to make use of that would require a full rewrite of gpg_rpm.c to use the keyring API instead of the low-level bits and the internal API enhancements of librepo (for multiple signatures) and then you'd still need to implement it separately for gpg_gpgme.c.
The *policy* for the desired semantics is a separate topic really.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/4089#issuecomment-3776772665
Message ID: <rpm-software-management/rpm/issues/4089/3776772665 at github.com>