> @Conan-Kudo the simplest policy is that signatures must all verify (why
> would you put multiple of them otherwise?).

Multiple signatures aren't necessarily for users installing to process, so 
it would make sense to ignore them in that case. For example, the signatures 
may be used to indicate something passed through certain stages. You may have a 
policy to validate them all, but it may not actually be a required policy. Some 
signatures may only be for some systems to validate but not others.

I can think of a variety of reasons for it. But regardless, I think it does 
make sense to have some way to indicate a primary/key signature to validate.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3385#issuecomment-2460508781
_______________________________________________
Rpm-maint mailing list
[email protected]
http://lists.rpm.org/mailman/listinfo/rpm-maint