Re: [Rpm-maint] [rpm-software-management/rpm] RFE: sign the signature header contents too (Issue #2224)

Panu Matilainen Mon, 02 Dec 2024 22:35:15 -0800

Hmm, concatenate as in just slop one at the end of another? Like:

```
  717cf2bbc006701d1993be3de4687ed8687d3124
+ 20fef0b9bc5bc8236e757dfb42d5cf16f13ce75a
= 
717cf2bbc006701d1993be3de4687ed8687d312420fef0b9bc5bc8236e757dfb42d5cf16f13ce75a
```


The relevant signature data is copied to the end of the the main header, and so 
we can recalculate the per-tag hashes from there (just need to ignore the 
offset of the tag when calculating the hash). And since the main header can be 
hashed as-is... we should be able to verify the signature post-install too. 

So that should indeed avoid the need for maintaining a second set of 
signatures. OTOH this is a lot more complicated to calculate (and implement, 
including 3rd party signing-servers which there seem to be around every corner 
nowadays) than the traditional signatures, which we'll still need to support 
for compatibility anyway. 

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2224#issuecomment-2513663759
You are receiving this because you are subscribed to this thread.

Message ID: <rpm-software-management/rpm/issues/2224/2513663...@github.com>

_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
https://lists.rpm.org/mailman/listinfo/rpm-maint

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: sign the signature header contents too (Issue #2224)

Reply via email to