@Conan-Kudo the simplest policy is that signatures must all verify (why would 
you put multiple of them otherwise?).

The tricky part is how to handle signatures you do not understand, and I think 
the simplest policy, again, is to ignore those.

Note, I am not saying you should ignore signatures for which you do not have a 
public key, only signatures you do not have code for.

For a sig where you do not have a key, you need to get a key, just like for the 
one-sig case.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3385#issuecomment-2460302647
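
The policy described in this comment, sketched as an added C example (not rpm's own code; the enum and function names are hypothetical). The `PKG_NO_USABLE_SIG` outcome, for a package whose signatures are all of unsupported types, is an assumption: the comment does not say how that case should be treated.

```c
#include <stddef.h>

/* Result of checking one signature on a package (hypothetical names). */
enum sig_status {
    SIG_OK,          /* type supported, key present, signature verifies */
    SIG_BAD,         /* type supported, key present, verification fails */
    SIG_NO_KEY,      /* type supported, but no public key available     */
    SIG_UNSUPPORTED  /* no code for this signature type                 */
};

enum pkg_verdict {
    PKG_ACCEPT,        /* every signature we have code for verified      */
    PKG_REJECT,        /* at least one understood signature failed       */
    PKG_NEED_KEY,      /* fetch the missing key(s), then evaluate again  */
    PKG_NO_USABLE_SIG  /* assumption: nothing checkable, treat as unsigned */
};

/*
 * "All signatures must verify", except that signatures we have no code
 * for are ignored. A missing key is NOT ignored: the caller has to
 * obtain the key, as in the single-signature case.
 */
enum pkg_verdict evaluate_signatures(const enum sig_status *sigs, size_t n)
{
    size_t verified = 0, missing_key = 0;

    for (size_t i = 0; i < n; i++) {
        switch (sigs[i]) {
        case SIG_BAD:         return PKG_REJECT;  /* one failure is enough */
        case SIG_NO_KEY:      missing_key++;      break;
        case SIG_OK:          verified++;         break;
        case SIG_UNSUPPORTED: /* ignored by policy */ break;
        }
    }
    if (missing_key > 0)
        return PKG_NEED_KEY;
    /* Without this check, a package carrying only unsupported
     * signatures would be accepted with nothing verified. */
    return verified > 0 ? PKG_ACCEPT : PKG_NO_USABLE_SIG;
}
```
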