@simo5 Example: user wants to check that 3 signatures all do verify. How do
they get them? If they download the rpm from signer No 1, then that one can
withhold the signature from signer No 2. If it's a detached signature, that
problem doesn't exist. Or do you have a solution to this?
The signature changes the rpm, so the rpm is not bit wise identical making it
non-reproducible, see https://reproducible-builds.org/ for the finer details.
You need to usually move around multiple files anyway, as Linux distributions
are made from many small packages. Handling multiple files is easy with
wildcards like *rpm. Detached signatures do not change that. Anyway, users
mostly do not use rpm directly on rpm files, but things like dnf.
Embedded signatures are an anti-pattern. They should never be used because they
make distinguishing between signed content and signature more difficult. They
increase the complexity for verification, making complete security failure
likely to happen. See e.g. vulnerability reports about Android apk signature
verification.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3385#issuecomment-2420082641
_______________________________________________
Rpm-maint mailing list
[email protected]
http://lists.rpm.org/mailman/listinfo/rpm-maint
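The two points argued above (a distributor can withhold another party's signature, and an in-file signature changes the artifact bytes) can be made concrete with a small N-of-N verification policy. The following is an added example written for this page, not code from the rpm project or from anyone in the thread. It uses Ed25519 from the Go standard library as a stand-in for the OpenPGP signatures rpm actually uses, and the signer names ("distro", "auditor-a", "auditor-b") and the artifact bytes are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Signer is one independent party that produces a detached signature over
// an artifact it never modifies. Hypothetical type for this example.
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair for a named signer.
func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, Pub: pub, priv: priv}, nil
}

// DetachedSign signs the artifact bytes and returns only the signature.
// The artifact itself is left untouched, so its digest stays reproducible.
func (s *Signer) DetachedSign(artifact []byte) []byte {
	return ed25519.Sign(s.priv, artifact)
}

// Digest returns the hex SHA-256 of the bytes: the value a reproducible
// build is compared against.
func Digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// EmbedSignature models an in-file signature: it returns a new blob made of
// the artifact followed by the signature. This is what makes a signed file
// differ bit-for-bit from the unsigned build output.
func EmbedSignature(artifact, sig []byte) []byte {
	out := make([]byte, 0, len(artifact)+len(sig))
	out = append(out, artifact...)
	return append(out, sig...)
}

// VerifyAll enforces an N-of-N policy: every trusted signer must have a
// detached signature that is present AND valid over the identical artifact
// bytes. It returns ok plus a sorted list of problems, one per failing
// signer, so a withheld signature is reported as "missing" instead of
// silently passing.
func VerifyAll(artifact []byte, trusted map[string]ed25519.PublicKey, sigs map[string][]byte) (bool, []string) {
	var problems []string
	for name, pub := range trusted {
		sig, present := sigs[name]
		switch {
		case !present:
			problems = append(problems, "missing: "+name)
		case !ed25519.Verify(pub, artifact, sig):
			problems = append(problems, "invalid: "+name)
		}
	}
	sort.Strings(problems)
	return len(problems) == 0, problems
}

func main() {
	// Constructed stand-in for the bytes of a package file.
	artifact := []byte("constructed stand-in for foo-1.0-1.noarch.rpm contents")
	before := Digest(artifact)

	trusted := map[string]ed25519.PublicKey{}
	sigs := map[string][]byte{}
	for _, n := range []string{"distro", "auditor-a", "auditor-b"} {
		s, err := NewSigner(n)
		if err != nil {
			panic(err)
		}
		trusted[n] = s.Pub
		sigs[n] = s.DetachedSign(artifact)
	}
	ok, problems := VerifyAll(artifact, trusted, sigs)
	fmt.Println("all three detached signatures valid:", ok, problems)
	fmt.Println("artifact digest unchanged by detached signing:", Digest(artifact) == before)

	// The distributor ships the package but withholds auditor-b's signature:
	// the policy fails closed instead of accepting two out of three.
	delete(sigs, "auditor-b")
	ok, problems = VerifyAll(artifact, trusted, sigs)
	fmt.Println("after one signature is withheld:", ok, problems)

	// Embedding even one signature changes the bytes, and so the digest.
	embedded := EmbedSignature(artifact, sigs["distro"])
	fmt.Println("digest changed by embedded signature:", Digest(embedded) != before)
}
```

The policy deliberately iterates over the trusted set rather than over the signatures received, which is what turns a withheld signature into a hard failure; a verifier that only checks "every signature I was given is valid" cannot see what it was not given.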