We'll need to accommodate v4 signatures in v6 packages for compatibility. So 
the hashing would need to selectively skip over all the OpenPGP signature items 
in the header, including legacy ones, and since it needs to do it tag by tag 
anyhow, doing something else (copying and whatnot) for what comes after is 
just an extra complication with little benefit.

We'll also need to accommodate future expansion too: we need to preserve 
the ability to add some other signature types later (be it v7 or whatever) 
without breaking the scheme. So there's another reason we can't just hash 
whatever comes after. This is basically why my initial idea includes that 
int32 type array that contains all the tags the verifier needs to hash. The 
alternative is to just hardcode a list of tags that this version of rpm will 
hash, and ignore whatever else may be there.

Also, just as a reality check: what we can actually do in the time left before 
6.0 alpha is very limited at this point, so whether any of this happens in time for 
that, I don't know. But this is a useful discussion to have because there's 
always the next version...

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2224#issuecomment-2516524027
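
The two options discussed in the message above (a tag list carried in the header versus a list hardcoded in the verifier), as an added sketch that is not part of the original message and is not rpm code. The tag numbers, the dict-based header model, and the choice to hash the tag list itself are assumptions made for illustration.

```python
import hashlib
import struct

# Constructed tag numbers for illustration only; not rpm's real tag values.
TAG_NAME, TAG_VERSION, TAG_PAYLOAD_DIGEST = 1, 2, 3
TAG_SIG_V4, TAG_SIG_V6, TAG_SIG_FUTURE = 100, 101, 102
TAG_HASHED_TAGS = 200  # hypothetical int32 array naming the tags to hash

def pack_tag_list(tags):
    return struct.pack(f">{len(tags)}i", *tags)  # big-endian int32 values

def unpack_tag_list(blob):
    if len(blob) % 4:
        raise ValueError("tag list is not a whole number of int32 values")
    return list(struct.unpack(f">{len(blob) // 4}i", blob))

def header_digest(header, tags=None):
    """SHA-256 over selected header entries, walked tag by tag.

    tags=None: read the list from TAG_HASHED_TAGS and hash the list itself
    too (an assumption of this sketch). tags given: the alternative of a
    list hardcoded in the verifier. Unlisted tags are never hashed.
    """
    h = hashlib.sha256()
    if tags is None:
        blob = header[TAG_HASHED_TAGS]
        tags = unpack_tag_list(blob)
        h.update(blob)
    for tag in tags:
        if tag not in header:
            raise KeyError(f"listed tag {tag} missing from header")
        data = header[tag]
        # Bind tag number and length so entry boundaries are unambiguous.
        h.update(struct.pack(">iI", tag, len(data)) + data)
    return h.hexdigest()

def build_sample_header():
    """Constructed sample header, tag -> raw bytes, with no signatures yet."""
    hashed = pack_tag_list([TAG_NAME, TAG_VERSION, TAG_PAYLOAD_DIGEST])
    return {TAG_NAME: b"example", TAG_VERSION: b"1.0",
            TAG_PAYLOAD_DIGEST: bytes(32), TAG_HASHED_TAGS: hashed}

def with_signatures(header):
    """Copy of header with v4, v6 and a later-version signature item added."""
    return {**header, TAG_SIG_V4: b"sig-v4", TAG_SIG_V6: b"sig-v6",
            TAG_SIG_FUTURE: b"sig-later"}
```

In this model, adding any signature item leaves the digest unchanged because signature tags are never in the list, while changing a listed entry or dropping one is detected.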