Been thinking about this on and off. While ideally a signature is something you
can verify without parsing the signed contents first, we'll always need to
parse the signature header no matter what [*]. So I've been pondering something
along the lines of
- collect the tag numbers to be signed into an int32 array in the signature
header
- hash that array, and then the tag intros and the actual data in the order
specified by the array
- ...and sign/verify the result
It's a relatively complicated procedure but AFAICS it would allow signing the
signature header contents in a way that is still verifiable post-install too
(think rpm -V). There are no doubt other ways to sign+verify the signature
header itself (mask select parts with zeros or something), but those wouldn't
work post-install where we no longer have the signature header available as a
whole.
@nwalfield @simo5 @DemiMarie - does that seem totally crazy? :sweat_smile:
Of course now that we support multiple signatures, we'd need to do the same for
the signature-signature too. I.e. anytime we add a signature, we'd add one for
the signature header and one for the header, in a similar structure.
[*] ignoring external signatures: it's not a solution, it's just a different
set of problems
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2224#issuecomment-2511087054
Message ID: <rpm-software-management/rpm/issues/2224/2511087...@github.com>
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
https://lists.rpm.org/mailman/listinfo/rpm-maint
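The digest construction sketched in the message above, as an added illustration that is not rpm's code and not the proposal's final form. It assumes a constructed header with invented tag numbers and type codes, hashes each covered tag's intro as (tag, type, count) without the data offset (an assumption: the offset depends on storage layout and would not survive a header rewrite at install time), and uses an HMAC as a stand-in for the real asymmetric signature so it runs offline. The point it shows is that the verifier only needs the int32 tag array plus the covered entries, so the check still works after install when the rest of the signature header is gone, while tampering with a covered tag or with the array order breaks it.

```python
import hashlib
import hmac
import struct

# Constructed sample header: tag number -> (type, count, data bytes).
# Tag numbers and type codes are invented for this demo, not rpm's real values.
HEADER = {
    1004: (6, 1, b"demo-package\0"),             # a "string" type entry
    1005: (6, 1, b"1.0-1\0"),
    1010: (4, 1, struct.pack(">I", 4096)),      # an "int32" type entry
    9999: (6, 1, b"not-covered-by-the-signature\0"),
}

# Tags the signer chooses to cover; this list is what the proposal stores
# in the signature header as an int32 array.
SIGNED_TAGS = [1004, 1005, 1010]

def tag_array_bytes(tag_list):
    """Serialise the list of signed tag numbers as big-endian int32s."""
    return struct.pack(">%di" % len(tag_list), *tag_list)

def digest_for_signing(entries, tag_list):
    """Hash the tag array first, then each covered tag's intro and data
    in the order the array dictates.  Assumption: the intro hashed here is
    (tag, type, count) only; the data offset is left out because it depends
    on where the entry is stored and would change on a header rewrite."""
    h = hashlib.sha256()
    h.update(tag_array_bytes(tag_list))
    for tag in tag_list:
        typ, count, data = entries[tag]
        h.update(struct.pack(">iii", tag, typ, count))
        h.update(data)
    return h.digest()

KEY = b"constructed-demo-key"  # stand-in for the signer's private key

def sign(entries, tag_list, key=KEY):
    """HMAC over the digest stands in for a real asymmetric signature."""
    return hmac.new(key, digest_for_signing(entries, tag_list), "sha256").digest()

def verify(entries, tag_list, signature, key=KEY):
    """Recompute from whatever header entries are available and compare.
    A covered tag that is missing makes verification fail, not skip."""
    try:
        expected = sign(entries, tag_list, key)
    except KeyError:
        return False
    return hmac.compare_digest(expected, signature)

def installed_header(entries, tag_list):
    """Simulate the post-install state: only the covered tags survive and the
    storage order no longer matches the original package."""
    return {tag: entries[tag] for tag in reversed(tag_list)}

if __name__ == "__main__":
    sig = sign(HEADER, SIGNED_TAGS)
    print("full header verifies:", verify(HEADER, SIGNED_TAGS, sig))
    print("installed subset verifies:",
          verify(installed_header(HEADER, SIGNED_TAGS), SIGNED_TAGS, sig))
    tampered = dict(HEADER)
    tampered[1005] = (6, 1, b"2.0-1\0")
    print("tampered covered tag verifies:", verify(tampered, SIGNED_TAGS, sig))
    print("reordered tag array verifies:", verify(HEADER, SIGNED_TAGS[::-1], sig))
```

Because the tag array itself is the first thing hashed, a verifier cannot be handed a different array and still match the signature, which is what makes the array-driven order safe to carry in the signature header rather than deriving it from header storage order.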