pmatilai created an issue (rpm-software-management/rpm#3996)
In the current logic, a disabled signature will show up as NOTTRUSTED in the
verification result. This doesn't seem wrong when there's just one signature
per package, but with multiple signatures, you'll want to be able to disable
some at will if they become compromised, while still being able to verify the
package using the other signatures present.
So this means that in the main signature checking loop, NOTTRUSTED shouldn't be
counted as either success or failure. They should be reported in verbose mode
for diagnosis though, I suppose.
Fixing this will inevitably run into #1057 as well, so we should be prepared to
address that finally as well.
Flagging this as a bug instead of RFE because the multiple signature
verification is not functioning as originally intended.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3996
You are receiving this because you are subscribed to this thread.
Message ID: <rpm-software-management/rpm/issues/[email protected]>
_______________________________________________
Rpm-maint mailing list
[email protected]
https://lists.rpm.org/mailman/listinfo/rpm-maint
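The aggregation policy the issue asks for, written out as an added example in C. This is not rpm's own code and does not use rpm's rpmRC values or its signature-checking API; the `sig_result` enum, the `verify_package` function and the sample signature sets are hypothetical and constructed here to show how NOTTRUSTED (a disabled key) stays neutral while a bad signature still fails the package and at least one good signature is still required.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical per-signature outcomes, modelled on the ones the issue
 * discusses (verified, NOTTRUSTED) plus a hard failure. These are not
 * rpm's rpmRC codes. */
typedef enum {
    SIG_OK,          /* signature verifies with an enabled, trusted key */
    SIG_NOTTRUSTED,  /* key is known but disabled: neither pass nor fail */
    SIG_FAIL         /* signature is present and does not verify: fatal */
} sig_result;

typedef struct {
    const char *keyid;   /* constructed sample label, not a real key id */
    sig_result  result;
} sig_check;

/* Main signature loop as the issue proposes it:
 *   - any SIG_FAIL fails the whole package,
 *   - SIG_NOTTRUSTED is skipped (reported only when verbose != 0),
 *   - at least one SIG_OK is required, so a package whose every
 *     signature comes from a disabled key does not verify either.
 * Returns 1 when the package verifies, 0 otherwise. */
int verify_package(const sig_check *sigs, size_t n, int verbose)
{
    size_t ok = 0, bad = 0;

    for (size_t i = 0; i < n; i++) {
        switch (sigs[i].result) {
        case SIG_OK:
            ok++;
            break;
        case SIG_FAIL:
            bad++;
            fprintf(stderr, "signature %s: BAD\n", sigs[i].keyid);
            break;
        case SIG_NOTTRUSTED:
            /* Diagnostic only; does not affect the verdict. */
            if (verbose)
                fprintf(stderr, "signature %s: NOTTRUSTED (key disabled), ignored\n",
                        sigs[i].keyid);
            break;
        }
    }
    return bad == 0 && ok > 0;
}

/* Constructed sample signature sets for a multi-signed package. */
static const sig_check sample_one_disabled_one_good[] = {
    { "KEY-A (disabled after compromise)", SIG_NOTTRUSTED },
    { "KEY-B",                             SIG_OK },
};
static const sig_check sample_all_disabled[] = {
    { "KEY-A (disabled)", SIG_NOTTRUSTED },
    { "KEY-C (disabled)", SIG_NOTTRUSTED },
};
static const sig_check sample_good_plus_bad[] = {
    { "KEY-B", SIG_OK },
    { "KEY-D", SIG_FAIL },
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    printf("disabled + good : %s\n",
           verify_package(sample_one_disabled_one_good,
                          COUNT(sample_one_disabled_one_good), 1) ? "verified" : "NOT verified");
    printf("all disabled    : %s\n",
           verify_package(sample_all_disabled, COUNT(sample_all_disabled), 1) ? "verified" : "NOT verified");
    printf("good + bad      : %s\n",
           verify_package(sample_good_plus_bad, COUNT(sample_good_plus_bad), 1) ? "verified" : "NOT verified");
    return 0;
}
```

The important case is the second one: treating a disabled key as neutral must not collapse into "no failures means success", or a package signed only with revoked keys would pass. Requiring at least one positive verification keeps that from happening.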