ddelabru left a comment (rpm-software-management/rpm#3469)
> The root cause is RH signing server placing file signatures outside the
> immutable region of the signature header

The signing server produces raw IMA file signatures. Release engineers then
insert these signatures into the RPM header

ddelabru left a comment (rpm-software-management/rpm#3469)
> I don't remember what exactly the signing server does (does it call rpmsign
> at some point or does it do all on its own) but clearly it gets this right,
> otherwise the normal signatures would have the same problem as well.

The signi