Closed #183.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/183#event-1017880476
Rpm-maint mailing list
Rpm-maint@lists.rpm
We've had that for almost three years now so don't bother.
https://github.com/rpm-software-management/rpm/issues/183#issuecomment-289661326
The signature header contains (optional) information to verify package
integrity.
So new tags are added when packages are signed, and a new signature header is
created and inserted into a *.rpm package file.
However, the insertion forces a rewrite of the metadata header and payload,
which for
RPM package files can include public keys in the metadata header.
So in principle, a package can include the public key used to sign a package
and verify the package signature when reading package headers. The
RPMTAG_PUBKEYS array is also within the signed immutable region and cannot be
altered
Legacy compatibility well understood: not the first time tags were added
out-of-order.
Meanwhile ...
You might want to consider checking whether tags are sorted as a side effect of
calling hdrblobVerifyInfo() by comparing tagno's while traversing a region and
skipping headerSort if/when tags a
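
The single-pass idea in the last message, as an added example that is not part of the thread or of rpm's source: a simplified validator walks the 16-byte index entries of a header blob and records whether tag numbers ever decrease, so a caller could skip a later sort. The function names, the reduced sanity checks and the sample entries are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define ENTRY_SIZE 16   /* tag, type, offset, count: four big-endian uint32 */
#define MIN_TYPE   1    /* rpm data type numbers run 1..9; 0 is the null type */
#define MAX_TYPE   9

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* One pass over il index entries (hypothetical helper, not rpm's API).
 * Returns -1 if an entry is malformed, 1 if every entry is valid and tags
 * never decrease, 0 if every entry is valid but the tags are out of order. */
int verify_and_check_sorted(const unsigned char *idx, size_t len,
                            uint32_t il, uint32_t dl)
{
    uint32_t prev = 0;
    int sorted = 1;

    if (il > len / ENTRY_SIZE)
        return -1;              /* index claims more entries than we hold */
    for (uint32_t i = 0; i < il; i++) {
        const unsigned char *e = idx + (size_t)i * ENTRY_SIZE;
        uint32_t tag = be32(e), type = be32(e + 4);
        uint32_t off = be32(e + 8), cnt = be32(e + 12);

        if (type < MIN_TYPE || type > MAX_TYPE || cnt == 0 || off >= dl)
            return -1;          /* simplified sanity checks (assumption) */
        if (i > 0 && tag < prev)
            sorted = 0;         /* keep validating, remember the disorder */
        prev = tag;
    }
    return sorted;
}

static void put_entry(unsigned char *e, uint32_t tag, uint32_t type,
                      uint32_t off, uint32_t cnt)
{
    uint32_t f[4] = { tag, type, off, cnt };
    for (int i = 0; i < 4; i++)
        for (int b = 0; b < 4; b++)
            e[i * 4 + b] = (unsigned char)(f[i] >> (24 - 8 * b));
}

/* Constructed sample: three string entries (type 6) at offsets 0, 4, 8. */
int sample(uint32_t t0, uint32_t t1, uint32_t t2, uint32_t dl)
{
    unsigned char idx[3 * ENTRY_SIZE];
    put_entry(idx, t0, 6, 0, 1);
    put_entry(idx + ENTRY_SIZE, t1, 6, 4, 1);
    put_entry(idx + 2 * ENTRY_SIZE, t2, 6, 8, 1);
    return verify_and_check_sorted(idx, sizeof idx, 3, dl);
}
```

A return value of 1 is the case where a later sort is redundant; 0 means the entries are well-formed but still need sorting.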