Related discussion of this over here
https://github.com/ostreedev/ostree/pull/2260
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1598#issuecomment-872509233
Revocation checking requires a proper keystore, which RPM does not have.
Expiration checking “merely” requires checking the expiration date of the
self-signature.
--
Note the following text from the gpgv manpage:
```
gpgv2 assumes that all keys in the keyring are trustworthy. That does also
mean that it does not check for expired or revoked keys.
```
So we're in good company ;-)
--
There is obviously a book to be written on the topic. But maybe we can get
away with a more minimalist approach for now. Still there are a few topics that
we need to at least touch on. Commit messages being one of them. I will try to
come up with something.
--
Thank you for the responses! I understand the problem(s) of this pull request.
I have two questions:
1. Why is the archive size calculated in advance in the first place? Is this
some kind of sanity check or is it required somewhere?
2. Would it be possible, in case the size check fails, to give
All OpenPGP signatures of packages are type 0 (binary), but RPM does not check
this. RPM should check this as a defense-in-depth measure.
--
According to [RFC 4880 §5.2.3]:
> There are two fields consisting of Signature subpackets. The first
> field is hashed with the rest of the signature data, while the second
> is unhashed. The second set of subpackets is not cryptographically
> protected by the signature and should include only a
> Can you please provide the command you used to build and maybe even the
> error message you got?
I used a complex custom shell script; I will try to reproduce without it.
--
Can you please provide the command you used to build and maybe even the error
message you got?
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1732#issuecomment-872020447