IMO, moving from OpenPGP to PKCS#7 would hardly be a victory.  Moving to 
something like Signify would.

Ideally, the signature would be at a fixed offset and of a fixed length, so 
there is no need to parse the file before checking the signature.  That 
eliminates an enormous class of vulnerabilities.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1193#issuecomment-751163148
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
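The fixed-offset, fixed-length layout argued for above, as an added example that is not part of the original message and is not RPM's or signify's own code: a toy container (an assumed format, not a real one) carrying an Ed25519 signature at a constant offset, so the verifier locates it by constants alone and rejects tampered input before any parser sees the payload.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Toy layout (assumed for this example, not RPM's or signify's real format): 8-byte
// magic, then a 64-byte Ed25519 signature at a fixed offset, then the payload.
const (
	magicLen  = 8
	sigOffset = magicLen
	sigLen    = ed25519.SignatureSize // 64
	headerLen = sigOffset + sigLen
)

var magic = []byte("TOYPKG\x00\x01")

// Sign builds magic || signature(payload) || payload.
func Sign(priv ed25519.PrivateKey, payload []byte) []byte {
	out := append([]byte{}, magic...)
	out = append(out, ed25519.Sign(priv, payload)...)
	return append(out, payload...)
}

// Verify checks the signature before any payload byte is interpreted; only bounds checks and constant-offset slicing touch untrusted input.
func Verify(pub ed25519.PublicKey, file []byte) ([]byte, error) {
	if len(file) < headerLen {
		return nil, errors.New("file shorter than fixed header")
	}
	if !bytes.Equal(file[:magicLen], magic) {
		return nil, errors.New("bad magic")
	}
	sig, payload := file[sigOffset:headerLen], file[headerLen:]
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("signature verification failed")
	}
	return payload, nil // only now is it safe to hand payload to a parser
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := Sign(priv, []byte("constructed payload standing in for a package"))
	pkg[len(pkg)-1] ^= 1 // flip one payload bit: rejected before any parsing
	if _, err := Verify(pub, pkg); err == nil {
		panic("tampered file accepted")
	}
}
```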
