Re: [Rpm-maint] [rpm-software-management/rpm] RFE: sign the signature header contents too (Issue #2224)

Demi Marie Obenour Mon, 02 Dec 2024 22:04:40 -0800

> Also what I'm talking about here would be a second signature alongside each 
> "normal" signature we add. It needs to be separate because we need to be able 
> to verify the main header independently for post-install signature 
> verification, that doesn't change with V6 at all. What we can do in the V6 
> space is actually quite limited because of compatibility requirements.


This can be avoided by not actually signing the main header.  Instead, hash the 
main header,  hash the data from the signature header, and concatenate the 
hashes.  Then sign the concatenated hashes.  The concatenated hashes can be 
stored in the rpmdb for use by verification.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2224#issuecomment-2513637689
You are receiving this because you are subscribed to this thread.

Message ID: <rpm-software-management/rpm/issues/2224/2513637...@github.com>

_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
https://lists.rpm.org/mailman/listinfo/rpm-maint

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: sign the signature header contents too (Issue #2224)

Reply via email to