`headerImport()` is a public API function; it's up to the caller what sort of
verification is needed in a given situation. Within rpm, it depends on
configuration and API switches and whatnot.
Anyway, rpm can't just stop parsing the things it does now, so I'm going to
close this.
Closed #1468.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1468#event-4238745640
Rpm-maint mailing list
Would be wonderful if things were that simple.
But there's no such thing as "the signature", there are multiple digests and
signatures ranging over various parts of the package, mostly contained in the
signature header (so you need to parse an unprotected header anyhow) but the
payload digests
Currently, `rpm -K` parses the header as well as the signature. If it only
parsed the signature, the attack surface would be much smaller, as a far
simpler parser could be used.
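To make the maintainer's point above concrete (there is no single "the signature"; the signature header is an unprotected structure that must itself be parsed before any digest or signature in it can be checked), here is an added example, not code from the rpm project or from anyone in this thread: a small Python parser for rpm's header structure (magic, index entries, data store) that bounds-checks every index entry against the data store before using it, and then sorts what it finds into header-only signatures/digests (DSA, RSA, SHA1, SHA256) versus legacy header-plus-payload ones (PGP, MD5). The tag and type numbers are the ones from rpm's rpmtag.h and rpmtd.h; the sanity limits (`MAX_ENTRIES`, `MAX_STORE`), the `build_header` helper and the `SAMPLE` blob are this example's own constructions, not taken from a real package.

```python
"""Bounds-checked parser for an rpm signature header (example code)."""
import struct

HEADER_MAGIC = b"\x8e\xad\xe8\x01"      # 3 magic bytes + header version 1
INDEX_ENTRY_SIZE = 16                   # tag, type, offset, count: four big-endian u32

# rpm data type codes (rpmtd.h)
RPM_INT32_TYPE, RPM_STRING_TYPE, RPM_BIN_TYPE = 4, 6, 7

# Signature-header tags (rpmtag.h); names are used for reporting only
SIGTAGS = {
    1000: "SIZE",         # int32: size of main header + payload
    1002: "PGP",          # bin: OpenPGP signature over header + payload (legacy)
    1004: "MD5",          # bin: MD5 over header + payload (legacy)
    1007: "PAYLOADSIZE",  # int32: uncompressed payload size
    267: "DSA",           # bin: DSA signature over the main header only
    268: "RSA",           # bin: RSA signature over the main header only
    269: "SHA1",          # string: SHA1 of the main header only
    273: "SHA256",        # string: SHA256 of the main header only
}

# Sanity limits applied to an untrusted blob; chosen for this example, not rpm's values.
MAX_ENTRIES = 1024
MAX_STORE = 64 * 1024


def build_header(entries):
    """Construct a header blob from (tag, type, data) tuples (test input only)."""
    store = b""
    index = b""
    for tag, typ, data in entries:
        if typ == RPM_INT32_TYPE:
            store += b"\x00" * (-len(store) % 4)   # int32 data is 4-byte aligned
            count = len(data) // 4
        elif typ == RPM_STRING_TYPE:
            count = 1                               # one NUL-terminated string
        else:
            count = len(data)                       # BIN: count is the byte length
        index += struct.pack(">IIII", tag, typ, len(store), count)
        store += data
    head = HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", len(entries), len(store))
    return head + index + store


def parse_header(blob):
    """Parse one header structure into {tag_name: value}.

    Every offset and count comes from the file, so each one is checked against
    the data store before it is dereferenced; anything malformed raises ValueError.
    """
    if len(blob) < 16 or blob[:4] != HEADER_MAGIC:
        raise ValueError("bad header magic")
    nindex, hsize = struct.unpack(">II", blob[8:16])
    if not 0 < nindex <= MAX_ENTRIES or hsize > MAX_STORE:
        raise ValueError("implausible index count or data store size")
    index_end = 16 + nindex * INDEX_ENTRY_SIZE
    if len(blob) < index_end + hsize:
        raise ValueError("truncated header")
    store = blob[index_end:index_end + hsize]

    found = {}
    for i in range(nindex):
        off = 16 + i * INDEX_ENTRY_SIZE
        tag, typ, offset, count = struct.unpack(">IIII", blob[off:off + INDEX_ENTRY_SIZE])
        if count < 1 or offset > hsize:
            raise ValueError(f"tag {tag}: bad count or offset outside data store")
        if typ == RPM_INT32_TYPE:
            end = offset + 4 * count
            if offset % 4 or end > hsize:
                raise ValueError(f"tag {tag}: int32 data out of bounds")
            value = struct.unpack(f">{count}I", store[offset:end])
            value = value[0] if count == 1 else list(value)
        elif typ == RPM_STRING_TYPE:
            nul = store.find(b"\x00", offset)       # terminator must lie inside the store
            if count != 1 or nul < 0:
                raise ValueError(f"tag {tag}: unterminated string")
            value = store[offset:nul].decode("ascii")
        elif typ == RPM_BIN_TYPE:
            end = offset + count
            if end > hsize:
                raise ValueError(f"tag {tag}: binary data out of bounds")
            value = store[offset:end].hex()
        else:
            raise ValueError(f"tag {tag}: unsupported type {typ}")
        found[SIGTAGS.get(tag, f"TAG{tag}")] = value
    return found


def classify(sig_items):
    """Split parsed items by what they cover: main header only, or header + payload."""
    header_only = {"DSA", "RSA", "SHA1", "SHA256"}
    header_payload = {"PGP", "MD5"}
    return {
        "header_only": sorted(k for k in sig_items if k in header_only),
        "header_and_payload": sorted(k for k in sig_items if k in header_payload),
    }


# Constructed sample; not a real package's signature header.
SAMPLE = build_header([
    (1000, RPM_INT32_TYPE, struct.pack(">I", 4096)),
    (273, RPM_STRING_TYPE, b"ab" * 32 + b"\x00"),
    (268, RPM_BIN_TYPE, bytes(range(8))),
    (1004, RPM_BIN_TYPE, bytes(16)),
])

if __name__ == "__main__":
    items = parse_header(SAMPLE)
    print(items)
    print(classify(items))
```

The `classify` output is the practical takeaway: a verifier that stops after the header-only entries (RSA/DSA/SHA256) has said nothing about the payload, while the entries that do cover the payload (PGP/MD5) are the legacy ones, which is why the real rpm verifier has to read all of them and still parse the unprotected signature header to find any of them.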