There is nothing stopping other applications from using detached signatures on 
*.rpm files as necessary. RPM cannot carry one (or multiple) signatures within 
signed plaintext.

(aside)
In principle a different ping-pong like signing could be attempted to ensure 
that both signature/metadata headers are signed with different pairs of keys, 
with the pubkey(s) that signed the signature header in the metadata header and 
vice versa, but let's not go there please)

The core issue here seems to be hardlinking *.rpm files between different 
distributions, where the packages are identical except for the signature using 
different keys, and therefore hard linking is impossible.

Having multiple signatures only solves one part of the puzzle: making the *.rpm 
content static so that files can be hard linked by including multiple 
signatures.

The signing as well as the verification becomes far more complex because of the 
key management involved in associating multiple keys and signatures where needed, 
particularly if RPM needs a policy file to specify which signature needs to be 
verified.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/189#issuecomment-292839459
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint

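Added illustration, not part of the thread and not rpm's own code: the script below contrasts the two layouts the message discusses. With an embedded signature header, two distributions signing the same payload with different keys produce files that differ byte for byte, so they cannot share an inode; with a detached signature, the payload is written once and hard-linked into each distribution tree, and only the per-distribution .sig file differs. Everything here is constructed: the payload bytes, the two "distribution" keys, and the signature itself, which is an HMAC over a SHA-256 digest standing in for a real OpenPGP signature so that the example runs with the Python standard library alone.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for the static part of a package (lead, main header,
# compressed cpio payload). Identical bytes for every distribution.
PAYLOAD = b"\xed\xab\xee\xdb" + b"constructed-rpm-header-and-cpio-payload" * 8

# Constructed per-distribution signing keys. Real RPM signatures are OpenPGP
# signatures; an HMAC over the SHA-256 digest stands in for them here.
KEYS = {
    "distro-a": b"constructed-distro-a-signing-key",
    "distro-b": b"constructed-distro-b-signing-key",
}


def sign(key: bytes, payload: bytes) -> bytes:
    """Toy signature (assumption: stand-in for OpenPGP): MAC over the payload digest."""
    digest = hashlib.sha256(payload).digest()
    return hmac.new(key, digest, hashlib.sha256).digest()


def verify(key: bytes, payload: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, payload), sig)


def embed(payload: bytes, sig: bytes) -> bytes:
    """Embedded layout: the signature travels inside the file, like rpm's
    signature header, so signing with a different key changes the file bytes."""
    return b"SIGHDR:" + sig + b"\n" + payload


def split_embedded(blob: bytes):
    header, _, payload = blob.partition(b"\n")
    return header[len(b"SIGHDR:"):], payload


def build_embedded(root: str) -> dict:
    """Each distribution writes its own pkg.rpm with its own embedded signature."""
    paths = {}
    for name, key in KEYS.items():
        d = os.path.join(root, "embedded", name)
        os.makedirs(d)
        paths[name] = os.path.join(d, "pkg.rpm")
        with open(paths[name], "wb") as f:
            f.write(embed(PAYLOAD, sign(key, PAYLOAD)))
    return paths


def build_detached(root: str):
    """Detached layout: the unsigned payload is written once into a pool and
    hard-linked into each distribution tree; only the small .sig file differs."""
    pool = os.path.join(root, "detached", "pool")
    os.makedirs(pool)
    shared = os.path.join(pool, "pkg.rpm")
    with open(shared, "wb") as f:
        f.write(PAYLOAD)
    paths = {}
    for name, key in KEYS.items():
        d = os.path.join(root, "detached", name)
        os.makedirs(d)
        paths[name] = os.path.join(d, "pkg.rpm")
        os.link(shared, paths[name])
        with open(paths[name] + ".sig", "wb") as f:
            f.write(sign(key, PAYLOAD))
    return shared, paths


def verify_detached(path: str, key: bytes) -> bool:
    """Verify a file against the detached signature stored next to it."""
    with open(path, "rb") as f, open(path + ".sig", "rb") as s:
        return verify(key, f.read(), s.read())


def demo() -> dict:
    """Build both layouts in a scratch directory and report what the filesystem sees."""
    with tempfile.TemporaryDirectory() as root:
        emb = build_embedded(root)
        blobs = {}
        for name, path in emb.items():
            with open(path, "rb") as f:
                blobs[name] = f.read()
        shared, det = build_detached(root)
        return {
            # embedded: same payload inside, but the files differ and are separate inodes
            "embedded_payloads_equal": split_embedded(blobs["distro-a"])[1]
                                       == split_embedded(blobs["distro-b"])[1],
            "embedded_files_equal": blobs["distro-a"] == blobs["distro-b"],
            "embedded_same_inode": os.path.samefile(emb["distro-a"], emb["distro-b"]),
            # detached: one inode shared by the pool and both distribution trees
            "detached_link_count": os.stat(shared).st_nlink,
            "detached_same_inode": os.path.samefile(det["distro-a"], det["distro-b"]),
            # each distribution's .sig verifies with its own key only
            "a_verifies_with_a": verify_detached(det["distro-a"], KEYS["distro-a"]),
            "a_verifies_with_b": verify_detached(det["distro-a"], KEYS["distro-b"]),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The detached layout still leaves the policy question the message raises: the verifier has to know which key (and which .sig) applies to a given tree, which is exactly the key-management burden that multiple embedded signatures would also need a policy for.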