In RPMv4, IMA and fsverity signatures are not considered part of the package, 
but of the signature.  Therefore, they are included in the signature header 
(not the main header), which leads to various problems and increases attack 
surface.  For RPMv6, I propose that they be considered part of the package 
itself, and so included in the main header.  Adding IMA and fsverity signatures 
to a package would thus create a new package.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2200