Unsure if this is possible with RPM,
but if there was a way to add hashes calculated from the headers as data in he
signed payload without the need to further modify said headers, then you could
make this backwards compatible in the sense that older version of RPM would
still check the classic signature without issue as the data is all there, while
new versions of RPM would have to calculate the hashes of said headers after
the signature is verified and ensure those hashes match what was stored in the
payload.
It is not the best way to go as it may let implementations forget to check the
hashes after the signature checking but it is an option to consider if it is
simpler.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2224#issuecomment-2514815299
You are receiving this because you are subscribed to this thread.
Message ID: <rpm-software-management/rpm/issues/2224/2514815...@github.com>
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
https://lists.rpm.org/mailman/listinfo/rpm-maint
