Sounds reasonable that --resign will drop all signatures and add new ones.
I think the only potentially missing case here is the desire to drop only a
specific signature.
The reason to do that is if you have a package with multiple signatures and you
want to replace only one that had a signing key compromised while the others
did not.
The use case is packages re-distributed by a 3rd party that wants to retain the
original signatures and can't recreate them because they have no access to
those keys.
I wonder if --resign could be enhanced to be able to specify a signature to
replace, in which case it would only replace the specific signature and not
drop them all?
This is really a corner case and if it is complicated it can definitely be
deferred or even not made available.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3385#issuecomment-2419510209