Oh, right: an unsupported algorithm will be treated equally to non-existent
ones, and if it's a signature the package will simply be considered unsigned.
And in the traditional configuration, a signature is not required.
Add this to the verify command and it will fail because there's no positive
verification of the signature:
`--define "_pkgverify_level signature"`
The unsupported digest behavior is to permit the package to be verified by some
other means, and that's even more important going forward as we add support for
multiple signatures per package. It's a dark corner for sure and non-obvious
behavior when you first encounter it, but it's something we can't change
without breaking other things.
It'll be fixed by #1573.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/3416#issuecomment-2446922390
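The behaviour described in the message above, as an added example that is not part of the original message and is not rpm's own code: a simplified Python model of how an unsupported signature algorithm interacts with the verification level. The item names, outcomes and sample packages are constructed; the level names are the `_pkgverify_level` values, and modelling the traditional configuration as `digest` is an assumption.

```python
from dataclasses import dataclass

# Hypothetical names for this model only; they are not rpm identifiers.
DIGEST, SIGNATURE = "digest", "signature"
OK, BAD, UNSUPPORTED = "ok", "bad", "unsupported"

# Which item kinds need at least one positive verification at each level.
REQUIRED = {
    "none": set(),
    "digest": {DIGEST},
    "signature": {SIGNATURE},
    "all": {DIGEST, SIGNATURE},
}


@dataclass(frozen=True)
class Item:
    kind: str     # DIGEST or SIGNATURE
    algo: str     # label only, used in messages
    outcome: str  # OK, BAD or UNSUPPORTED


def verify(items, level):
    """Return (passed, reasons) for a package's items at the given level."""
    # An unsupported algorithm is treated like an item that does not exist.
    present = [i for i in items if i.outcome != UNSUPPORTED]
    # Assumption of this model: an item that is present but fails always fails the package.
    reasons = [f"{i.kind} {i.algo}: BAD" for i in present if i.outcome == BAD]
    # The level decides which kinds must be positively verified.
    for kind in sorted(REQUIRED[level]):
        if not any(i.kind == kind and i.outcome == OK for i in present):
            reasons.append(f"no verified {kind}")
    return (not reasons, reasons)


# Constructed sample packages.
ONLY_UNSUPPORTED_SIG = [Item(DIGEST, "sha256", OK),
                        Item(SIGNATURE, "new-algo", UNSUPPORTED)]
TWO_SIGS_ONE_SUPPORTED = ONLY_UNSUPPORTED_SIG + [Item(SIGNATURE, "rsa", OK)]
TAMPERED = [Item(DIGEST, "sha256", OK), Item(SIGNATURE, "rsa", BAD)]

if __name__ == "__main__":
    for name, pkg in [("only unsupported sig", ONLY_UNSUPPORTED_SIG),
                      ("two sigs, one supported", TWO_SIGS_ONE_SUPPORTED),
                      ("tampered", TAMPERED)]:
        for level in ("digest", "signature"):
            print(f"{name:24} level={level:9} -> {verify(pkg, level)}")
```

In the model, the package whose only signature uses an unsupported algorithm passes at `digest` and fails at `signature`, while the package carrying a second, supported signature passes at both levels.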