@DemiMarie commented on this pull request.


> +     if (sigalg->setmpi(sigalg, i, p))
+           break;
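Review bot: the `break` taken when `sigalg->setmpi(sigalg, i, p)` returns nonzero leaves the loop without recording a failure anywhere in these two lines. After the loop, compare `i` against the number of MPIs the algorithm expects and fail the parse on a short count, so that a rejected MPI is never treated as a complete signature. A brief comment stating that a nonzero return means the MPI was rejected would also help readers.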

> The signature type information is there to tell the reader how to hash the 
> material for correct results. We ignore the byte _anyhow_ for the package 
> hashing purposes because it's just not that interesting for our purposes.

It also provides cryptographic domain separation between different types of 
signatures, which prevents a signature of a public key, a certification 
signature, or a revocation signature from being accepted as a signature of a 
document.  That is where the security aspect comes from.  In the case of RPM, 
this is somewhat mitigated since the data being signed must start with 0x8e, 
which means it cannot collide with data being signed in any of the other 
standardized signature types.

> A better implementation would do things differently in many ways, but 
> removing that misplaced semi-random check from 20 years ago is hardly a 
> security regression.

See above: in the case of RPM it may not be exploitable, but it could become 
exploitable if future changes are made to the OpenPGP standard.  Best to add 
the check now as a precaution.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1795#discussion_r728970189
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
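
An added example, not part of the message above or of RPM's code: a check that accepts only the two signature types RFC 4880 defines as covering a document (0x00 and 0x01) and rejects certification and revocation signatures, which is the domain separation the comment describes. The function names and the packet bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Signature type values from RFC 4880, section 5.2.1 (subset). */
enum { SIG_BINARY = 0x00, SIG_TEXT = 0x01, SIG_GENERIC_CERT = 0x10, SIG_KEY_REVOKE = 0x20 };

/* Hypothetical helper: signature type of a signature packet body (packet
 * header already stripped), or -1 if the body is too short or malformed. */
int sig_packet_type(const uint8_t *body, size_t len)
{
    if (body == NULL || len < 1)
        return -1;
    if (body[0] == 3)   /* v3: version, hashed length (always 5), type, ... */
        return (len >= 19 && body[1] == 5) ? body[2] : -1;
    if (body[0] == 4)   /* v4: version, type, pubkey algo, hash algo, ... */
        return (len >= 10) ? body[1] : -1;
    return -1;          /* unknown version: refuse to guess */
}

/* Returns 1 only for the two types defined as signatures over a document. */
int sig_covers_document(const uint8_t *body, size_t len)
{
    int type = sig_packet_type(body, len);
    return type == SIG_BINARY || type == SIG_TEXT;
}

/* Constructed v4 bodies: type, RSA (1), SHA-256 (8), empty subpacket areas,
 * zeroed hash prefix. MPIs are omitted; only the type byte differs. */
static const uint8_t doc_sig[]    = { 4, SIG_BINARY,       1, 8, 0, 0, 0, 0, 0, 0 };
static const uint8_t cert_sig[]   = { 4, SIG_GENERIC_CERT, 1, 8, 0, 0, 0, 0, 0, 0 };
static const uint8_t revoke_sig[] = { 4, SIG_KEY_REVOKE,   1, 8, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    printf("document:      %d\n", sig_covers_document(doc_sig, sizeof doc_sig));
    printf("certification: %d\n", sig_covers_document(cert_sig, sizeof cert_sig));
    printf("revocation:    %d\n", sig_covers_document(revoke_sig, sizeof revoke_sig));
    return 0;
}
```

The type byte is part of the material that gets hashed, so the check has to run on the same packet whose hash is verified.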
