pmatilai created an issue (rpm-software-management/rpm#3991)

https://github.com/fedora-iot/rpm-head-signing exists to allow signing packages 
without having to transmit the entire payload across the network in signing 
servers, but duplicates a lot of hairy rpm internals to do that.

There's absolutely no reason librpmsign could not support such operation 
natively. What is needed to support that is
- allow skipping payload verification before signing (--noverify + API flag)
- see that copyFile() does the right thing if payload is missing
- sanity check against v3 signatures, this can only be done with the 
header-only v4 and v6 signatures
- some --head-sign cli switch + related API flag to activate (implying 
--noverify from above)
