This fixes how RPM handles packages that contain a header signature, but
neither header+payload signature nor payload digests.  Such packages are
obviously not properly signed, but RPM previously accepted them.

This could be used to confuse both ‘rpmkeys -K’ and DNF.  Both would
report that the package has been properly signed even when it has not.
The included regression tests demonstrate the change in behavior.
You can view, comment on, or merge this pull request online at:

  https://github.com/rpm-software-management/rpm/pull/1672

-- Commit Summary --

  * Header signatures alone are not sufficient

-- File Changes --

    M lib/rpmvs.c (14)
    M tests/Makefile.am (1)
    A tests/data/RPMS/hello-2.0-1.x86_64-corrupted.rpm (0)
    M tests/rpmsigdig.at (40)

-- Patch Links --

https://github.com/rpm-software-management/rpm/pull/1672.patch
https://github.com/rpm-software-management/rpm/pull/1672.diff

_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
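The rule the pull request describes, modelled as an added example that is not rpm's own code (rpm's real logic lives in lib/rpmvs.c, which this page only lists): a package counts as signed only when a verified signature exists and something verified also covers the payload, either a header+payload signature or a payload digest. The `VerifyItem` structure, the `Scope` enum and the two policy functions are assumptions made for this illustration; the tag names are rpm's, but the data model is a simplification.

```python
"""Model of the 'header signature alone is not sufficient' rule.

Illustrative code written for this page, not rpm's implementation.
Each VerifyItem stands for one signature or digest found in a package,
together with what it covers and whether its cryptographic check passed
(that check is assumed to have been done elsewhere).
"""
from dataclasses import dataclass
from enum import Enum, auto


class Scope(Enum):
    HEADER = auto()          # covers the header only (e.g. RSAHEADER)
    HEADER_PAYLOAD = auto()  # legacy signature over header + payload (e.g. SIGPGP)
    PAYLOAD = auto()         # covers the payload only (e.g. PAYLOADDIGEST)


@dataclass(frozen=True)
class VerifyItem:
    tag: str            # rpm tag name, for readability only
    scope: Scope
    is_signature: bool  # True for signatures, False for plain digests
    verified: bool      # result of the cryptographic check (assumed)


def old_policy(items):
    """Pre-fix behaviour as the PR describes it: any verified signature
    is enough, even one that covers the header alone."""
    return any(i.is_signature and i.verified for i in items)


def fixed_policy(items):
    """Fixed behaviour: a verified signature is required AND the payload
    must be covered by a verified item (header+payload signature or
    payload digest).  Unverified items never contribute."""
    verified = [i for i in items if i.verified]
    has_signature = any(i.is_signature for i in verified)
    payload_covered = any(
        i.scope in (Scope.HEADER_PAYLOAD, Scope.PAYLOAD) for i in verified
    )
    return has_signature and payload_covered


def explain(items):
    """Return a short verdict string for a package's item list."""
    if fixed_policy(items):
        return "signed: header and payload both covered"
    if old_policy(items):
        return "NOT signed: header signature present but payload uncovered"
    return "NOT signed: no verified signature"


# Constructed sample packages (not real RPM files):
HEADER_ONLY = [VerifyItem("RSAHEADER", Scope.HEADER, True, True)]
PROPER = HEADER_ONLY + [VerifyItem("PAYLOADDIGEST", Scope.PAYLOAD, False, True)]
LEGACY = [VerifyItem("SIGPGP", Scope.HEADER_PAYLOAD, True, True)]
BAD_DIGEST = HEADER_ONLY + [VerifyItem("PAYLOADDIGEST", Scope.PAYLOAD, False, False)]

if __name__ == "__main__":
    for name, pkg in [("header-only", HEADER_ONLY), ("proper", PROPER),
                      ("legacy", LEGACY), ("bad-digest", BAD_DIGEST)]:
        print(f"{name:12} old={old_policy(pkg)!s:5} fixed={fixed_policy(pkg)!s:5} {explain(pkg)}")
```

The header-only case is the one the PR fixes: `old_policy` reports it as signed, `fixed_policy` does not. The model also shows why a payload digest that fails verification must not rescue a header-only signature, and why a legacy header+payload signature on its own still satisfies the rule.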
