One thing the description doesn't currently cover is the verbose level 
verification messages, in particular the enforcing mode where it spews out 
everything it looked at. For example with an unsigned package in enforcing 
mode, you'd get something like (the last two non-prefixed items stand for 
legacy Header+payload signatures):

```
/data/RPMS/hello-2.0-1.x86_64:
    Header RSA signature: NOTFOUND
    Header DSA signature: NOTFOUND
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    RSA signature: NOTFOUND
    DSA signature: NOTFOUND
```

I think we need to lump all the OpenPGP signatures under one label per range to 
make any sense out of this, i.e.:
```
/data/RPMS/hello-2.0-1.x86_64:
    Header OpenPGP signature: NOTFOUND
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    Header+payload OpenPGP signature: NOTFOUND
```

I'm tempted to add "Legacy" in front of the last item because 
that's what it is, and multiple signatures won't be supported for those. 
It's a dying breed already in v4, and I'm tempted to drop support for 
creating them at all in 6.0. We'll need to verify them to properly support 
v4 but we probably shouldn't even look for them in v6 packages. rpmsign 
will not create those entries for v6 packages anyhow, but it seems these days 
rpmsign is the last tool anybody uses for signing...

A possible sample output from a package with multiple signatures:
```
/tmp/hello-2.0-1.x86_64.rpm:
    Header OpenPGP V4 ECDSA/SHA512 signature, key fingerprint: e8a62c0512b06b5d2183ba207f1c21f95f65bbe8: OK
    Header OpenPGP V4 RSA/SHA512 signature, key ID 4344591e1964c5fc: NOKEY
    Header OpenPGP V4 EdDSA/SHA512 signature, key fingerprint: 152bb32fd9ca982797e835cfb0645aec757bf69e: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
```

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3385#issuecomment-2456718840
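An added example, not part of the original message and not rpm's own code: a small Python parser for the verbose verification output shown in the message, which re-joins mail-wrapped entries and tallies statuses per range. The function names are hypothetical, and the format parsed is the one sketched in this message, not a finalized rpm output format.

```python
from collections import namedtuple

Item = namedtuple("Item", "range kind label status")

# Both samples are taken from the message above; the second is abridged and
# keeps a mail-wrapped fingerprint line to exercise the re-joining logic.
UNSIGNED = """\
/data/RPMS/hello-2.0-1.x86_64:
    Header RSA signature: NOTFOUND
    Header DSA signature: NOTFOUND
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    RSA signature: NOTFOUND
    DSA signature: NOTFOUND
"""
MULTI = """\
/tmp/hello-2.0-1.x86_64.rpm:
    Header OpenPGP V4 ECDSA/SHA512 signature, key fingerprint:
e8a62c0512b06b5d2183ba207f1c21f95f65bbe8: OK
    Header OpenPGP V4 RSA/SHA512 signature, key ID 4344591e1964c5fc: NOKEY
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
"""

def classify(entry):
    # The status is the last field; labels may themselves contain ": ".
    label, status = entry.rsplit(": ", 1)
    kind = "signature" if "signature" in label else "digest"
    if label.startswith("Header+payload") or not label.startswith(("Header", "Payload")):
        rng = "Header+payload"  # unprefixed items are legacy header+payload signatures
    else:
        rng = label.split()[0]
    return Item(rng, kind, label, status)

def parse_verbose(text):
    """Return {package: [Item, ...]}."""
    packages, entries = {}, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line:
            continue
        if line[0].isspace():            # indented: a new result entry
            if entries is not None:
                entries.append(line.strip())
        elif line.endswith(":"):         # unindented, ends with ":": package name
            entries = packages.setdefault(line[:-1], [])
        elif entries:                    # unindented otherwise: wrapped continuation
            entries[-1] += " " + line
    return {pkg: [classify(e) for e in ents] for pkg, ents in packages.items()}

def tally(items):
    """Count statuses per (range, kind), e.g. {("Header", "signature"): {"OK": 1}}."""
    counts = {}
    for it in items:
        bucket = counts.setdefault((it.range, it.kind), {})
        bucket[it.status] = bucket.get(it.status, 0) + 1
    return counts
```

Calling `tally(parse_verbose(text)[package])` gives one view per range, which is the grouping the message argues the verbose output itself should present.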