Presumably the "basic parameters" validation you are referring to is
makeSigTag() in sign/rpmgensig.c where the returned signature is parsed and
values are sanity checked.
That check will not prevent a signature using, say, MD2 from being added to a
package.
The hash (and signing) algorithms which are "supported" by rpm need to also be
checked so that the signer, not the consumer, of a package can be notified that
an unverifiable (by rpm) signature has just been generated by the gpg helper.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/commit/ff4b9111aeba01dd025dd133ce617fb80f7398a0#commitcomment-29518382
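A signer-side check of the kind this comment asks for, as an added example (not code from rpm or from the commit under discussion): it reads the hash algorithm id from the fixed header of an OpenPGP v3/v4 signature packet and rejects ids outside an allow-list. The function names, the allow-list contents and the sample bytes are assumptions made for illustration; MD2 appears as id 5, its value in RFC 2440.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed allow-list of RFC 4880 hash ids; NOT taken from rpm's sources. */
static int hash_is_accepted(int id)
{
    return id == 8 || id == 9 || id == 10 || id == 11; /* SHA256/384/512/224 */
}

/* Offset of the packet body, or 0 if this is not a signature packet (tag 2). */
static size_t sig_body_offset(const uint8_t *p, size_t n)
{
    if (n < 2 || !(p[0] & 0x80)) return 0;
    if (p[0] & 0x40) {                        /* new-format header */
        if ((p[0] & 0x3f) != 2) return 0;
        if (p[1] < 192) return 2;
        if (p[1] < 224) return 3;
        return p[1] == 255 ? 6 : 0;           /* partial length: reject */
    }
    if (((p[0] >> 2) & 0x0f) != 2) return 0;  /* old-format header */
    switch (p[0] & 3) { case 0: return 2; case 1: return 3; case 2: return 5; }
    return 0;                                 /* indeterminate length: reject */
}

/* Hash algorithm id of a v3/v4 signature packet, or -1 if unparseable. */
int sig_hash_algo(const uint8_t *p, size_t n)
{
    size_t off = sig_body_offset(p, n);
    if (off == 0 || off >= n) return -1;
    size_t pos = p[off] == 4 ? 3 : p[off] == 3 ? 16 : 0; /* field offset by version */
    if (pos == 0 || off + pos >= n) return -1;
    return p[off + pos];
}

/* Signer-side gate: 0 = accept, -1 = unparseable, -2 = hash not accepted. */
int check_new_signature(const uint8_t *p, size_t n)
{
    int h = sig_hash_algo(p, n);
    return h < 0 ? -1 : hash_is_accepted(h) ? 0 : -2;
}

/* Constructed samples: leading bytes of v4 RSA signature packets only. */
static const uint8_t SIG_SHA256[] = { 0x89, 0x01, 0x33, 0x04, 0x00, 0x01, 0x08 };
static const uint8_t SIG_MD2[]    = { 0x89, 0x01, 0x33, 0x04, 0x00, 0x01, 0x05 };
int main(void)
{
    printf("sha256: %d\n", check_new_signature(SIG_SHA256, sizeof SIG_SHA256));
    printf("md2:    %d\n", check_new_signature(SIG_MD2, sizeof SIG_MD2));
}
```

A return of -2 is the point at which the signing tool could tell the signer that the helper produced a signature the consumer side will not verify.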