Initially requested in #189 and one possible implementation drafted in #1050,
but lacking direction and motivation at the time. The topic rose again in
the context of Post Quantum signatures in #3363 - something rpm would rather
not know anything about. #1050 added labels to each signature but this is
apparently a goofy idea (I think I stole it from Debian at the time), and back
then rpm v3 header+payload signatures complicated the backwards compatibility
store quite a bit, which is where I ran out of steam in the face of lack of
general interest. The discussion in #3363 provided us with a nice clear path
ahead now, with multiple benefits, so much so that it'd be stupid not to do
this now:
- support for multiple signatures has generic benefits and use-cases
- puts a further layer of insulation between rpm and crypto, something we have
been actively driving for a couple of years now
- adds provisions for PQC without us getting directly involved in it
- lines up nicely with the rpm v6 theme and timing
- most of it is already implemented
What the implementation will do:
- add a string array RPMTAG_OPENPGP tag and RPMSIGTAG_OPENPGP alias
- RPMTAG_OPENPGP may contain one or more OpenPGP signatures base64-encoded (the
  header doesn't support binary arrays)
- rpmsign --addsign appends a new signature to the RPMTAG_OPENPGP tag
- rpmsign --delsign deletes all signatures from the package
- backwards compatibility is handled as follows:
  - when signing v4 packages, the first added RSA/DSA/EcDSA signature is
    additionally stored in binary format to RPMTAG_RSAHEADER/RPMTAG_DSAHEADER as
    appropriate
  - v6 packages get only RPMTAG_OPENPGP signatures, unless the --rpmv4 switch
    (added by the PR) is used - this allows rpm v4 to verify such packages
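The following is an added illustration, not code from the issue or from rpm itself: a small Python model of the signature store the proposal describes. It keeps every signature base64-encoded in a RPMTAG_OPENPGP string array, mirrors the first legacy-representable signature into a binary tag for v4 packages (or for v6 packages signed with --rpmv4), and leaves anything else, such as a post-quantum algorithm rpm v4 cannot name, solely in RPMTAG_OPENPGP. The mapping of ECDSA onto RPMTAG_DSAHEADER, the `SignatureStore` class and the `fake_sig` packets are assumptions and constructed inputs for the example; only the OpenPGP packet layout it parses (RFC 4880) is real.

```python
import base64

# OpenPGP public-key algorithm ids (RFC 4880 section 9.1; 100-110 are private/experimental).
PUBKEY_RSA, PUBKEY_DSA, PUBKEY_ECDSA = 1, 17, 19
PUBKEY_EXPERIMENTAL = 100  # stand-in for an algorithm a legacy rpm knows nothing about

# Which v4 binary tag mirrors which algorithm (assumed mapping; rpm's own choice may differ).
LEGACY_TAG = {
    PUBKEY_RSA: "RPMTAG_RSAHEADER",
    PUBKEY_DSA: "RPMTAG_DSAHEADER",
    PUBKEY_ECDSA: "RPMTAG_DSAHEADER",
}


def sig_pubkey_alg(sig: bytes) -> int:
    """Return the public-key algorithm id of the first OpenPGP packet in `sig`,
    which must be a signature packet (tag 2) of version 3, 4 or 6."""
    if not sig or not sig[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    ptag = sig[0]
    if ptag & 0x40:                       # new-format header (RFC 4880 4.2.2)
        tag, first = ptag & 0x3F, sig[1]
        if first < 192:
            body = sig[2:]
        elif first < 224:
            body = sig[3:]
        elif first == 255:
            body = sig[6:]
        else:
            raise ValueError("partial body lengths not supported")
    else:                                 # old-format header (RFC 4880 4.2.1)
        tag, ltype = (ptag >> 2) & 0x0F, ptag & 0x03
        body = sig[1:] if ltype == 3 else sig[1 + (1, 2, 4)[ltype]:]
    if tag != 2:
        raise ValueError(f"expected signature packet (tag 2), got tag {tag}")
    version = body[0]
    if version in (4, 6):                 # version, sigtype, pubkey alg, hash alg
        return body[2]
    if version == 3:                      # v3 layout: alg follows the 8-byte key id
        return body[15]
    raise ValueError(f"unsupported signature version {version}")


class SignatureStore:
    """Model of the signature tags in one package header (hypothetical helper)."""

    def __init__(self, pkgver: int, rpmv4: bool = False):
        # v4 packages always get the legacy binary copy; v6 packages only with --rpmv4
        self.legacy = pkgver == 4 or rpmv4
        self.tags = {"RPMTAG_OPENPGP": []}

    def addsign(self, sig: bytes) -> None:
        """rpmsign --addsign: append one more signature; earlier ones stay in place."""
        # The header has no binary array type, so each signature is stored as base64 text.
        self.tags["RPMTAG_OPENPGP"].append(base64.b64encode(sig).decode("ascii"))
        if not self.legacy:
            return
        legacy_tag = LEGACY_TAG.get(sig_pubkey_alg(sig))
        # Only the first signature per legacy tag is mirrored in binary form; anything
        # without a legacy tag (e.g. a PQC algorithm) exists solely in RPMTAG_OPENPGP.
        if legacy_tag is not None and legacy_tag not in self.tags:
            self.tags[legacy_tag] = sig

    def delsign(self) -> None:
        """rpmsign --delsign: drop every signature, legacy copies included."""
        self.tags = {"RPMTAG_OPENPGP": []}

    def signatures(self) -> list:
        """Decode the array back to binary, as a verifier would."""
        return [base64.b64decode(s) for s in self.tags["RPMTAG_OPENPGP"]]


def fake_sig(pubkey_alg: int, seq: int = 0) -> bytes:
    """Constructed stand-in: a v4 signature packet with a dummy body. Not a real
    signature; it only carries the header fields the store inspects."""
    body = bytes([4, 0x00, pubkey_alg, 8])      # version 4, binary-doc sigtype, alg, SHA-256
    body += b"\x00\x00\x00\x00"                  # empty hashed and unhashed subpacket areas
    body += bytes([0xAB, seq & 0xFF])            # "left 16 bits of hash" (dummy, varies by seq)
    body += b"\x00\x01\x01"                      # one 1-bit MPI (dummy)
    return bytes([0x88, len(body)]) + body       # old-format header: tag 2, one-octet length


if __name__ == "__main__":
    pkg = SignatureStore(pkgver=4)
    for alg, seq in ((PUBKEY_RSA, 1), (PUBKEY_RSA, 2), (PUBKEY_ECDSA, 3), (PUBKEY_EXPERIMENTAL, 4)):
        pkg.addsign(fake_sig(alg, seq))
    print(len(pkg.signatures()), "signatures in RPMTAG_OPENPGP;",
          "legacy tags:", sorted(t for t in pkg.tags if t != "RPMTAG_OPENPGP"))
```

Running it on a v4 package with two RSA, one ECDSA and one experimental signature leaves four entries in RPMTAG_OPENPGP, the first RSA one mirrored into RPMTAG_RSAHEADER and the ECDSA one into RPMTAG_DSAHEADER; a v6 store gets no legacy tags at all unless constructed with `rpmv4=True`.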
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3385
Rpm-maint mailing list
[email protected]
http://lists.rpm.org/mailman/listinfo/rpm-maint