Re: [Rpm-maint] [rpm-software-management/rpm] RFE: read sources checksums from the SPEC file and verify them (#463)

2023-04-16 Thread Marcin Zajączkowski
It would be useful. When an [OpenPGP upstream signature](https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification) is not available and one wants to have the checksum verification, it needs to be performed manually in the `%prep` section (similarly to the things

Re: [Rpm-maint] [rpm-software-management/rpm] Verification of PAYLOADDIGESTALT is broken (Issue #2486)

2023-04-16 Thread Daniel Alley
Sure, but in that case it should not look for PAYLOADDIGESTALT at all. Otherwise you'd just be comparing it against a value that it will not match most of the time. -- Reply to this email directly or view it on GitHub:

Re: [Rpm-maint] [rpm-software-management/rpm] Verification of PAYLOADDIGESTALT is broken (Issue #2486)

2023-04-16 Thread Demi Marie Obenour
@dralley RPM does not decompress the payload when verifying signatures and digests. That would massively increase its attack surface. Therefore, failing to verify `PAYLOADDIGESTALT` is expected.

Re: [Rpm-maint] [rpm-software-management/rpm] Verification of PAYLOADDIGESTALT is broken (Issue #2486)

2023-04-16 Thread Daniel Alley
@DemiMarie @pmatilai -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/2486#issuecomment-1510417707

Re: [Rpm-maint] [rpm-software-management/rpm] Verification of PAYLOADDIGESTALT is broken (Issue #2486)

2023-04-16 Thread Daniel Alley
To reproduce: specfile

```
Name: rpm-test
Version: 0
License: LGPL
Release: 0
Summary: ""
#BuildRequires:
%description
%build
cat > hello-world.sh <
```

ba21f4cb197179798065399a1551af2727e41efe56daed73ce869549b1280dd0 8

[Rpm-maint] [rpm-software-management/rpm] Verification of PAYLOADDIGESTALT is broken (Issue #2486)

2023-04-16 Thread Daniel Alley
There are two components to this:

1) `rpm -v --checksig` (also without `-v`) seems to exclude any digests which fail to verify so long as an equivalent one does verify. This seems to apply even when using `--define "_pkgverify_level all"`.

2) `rpm` appears to fail to verify PAYLOADDIGESTALT in