Re: [Rpm-maint] [rpm-software-management/rpm] Add support for multiple, named OpenPGP signatures per package (#1050)
Okay, no further comments / feedback; back to the drawing board for now. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/1050#issuecomment-676041391___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Add support for multiple, named OpenPGP signatures per package (#1050)
Closed #1050.
View on GitHub: https://github.com/rpm-software-management/rpm/pull/1050#event-3669947490
Re: [Rpm-maint] [rpm-software-management/rpm] Add support for multiple, named OpenPGP signatures per package (#1050)
Oh, and to be clear, this is little more than a draft at this point, and ideas + suggestions are very welcome. I originally did this in the spring of 2017 but got side-tracked with the 4.14 release and RHEL 8 and whatnot, and the work very nearly got lost forever (it would have, if it wasn't for @ffesti's email archive), so I figured I'd just post this here for comments to have a safer place than my laptop...
View on GitHub: https://github.com/rpm-software-management/rpm/pull/1050#issuecomment-582415295
Re: [Rpm-maint] [rpm-software-management/rpm] Add support for multiple, named OpenPGP signatures per package (#1050)
It could be multiple groups or whatever, but certainly not about new algorithms. It's kinda intentionally loosely defined, to the point of being undefined, to allow creative use. The "name" part was called "role" in earlier versions, which might give different ideas about its usage, but I decided against it because it might mix badly with some other, more defined concepts of roles and signatures. For example, one could use it to "stamp" different stages of a production pipeline, e.g. "build", "qe", "ship", or organizations could do similar things internally, e.g. stamped "authorized for use in departments org.foo.X and org.foo.Y", or different distro versions, or ... I don't know :smile: The naming is both a clue to the user/usage, and allows (but doesn't require) using the same key for different purposes. Ultimately you'd want some configurable signature policy thingie, but that's beyond the initial scope.
View on GitHub: https://github.com/rpm-software-management/rpm/pull/1050#issuecomment-582413106
Re: [Rpm-maint] [rpm-software-management/rpm] Add support for multiple, named OpenPGP signatures per package (#1050)
What's the purpose of the 'name' part? Is this about supporting signatures from multiple groups? Or is this about supporting new pubkey algorithms (e.g. ed25519)?
View on GitHub: https://github.com/rpm-software-management/rpm/pull/1050#issuecomment-582403237
Re: [Rpm-maint] [rpm-software-management/rpm] Add support for multiple, named OpenPGP signatures per package (#1050)
This pull request introduces 1 alert when merging cb14ea4623079300c9fffb748a0f63518e64c1b5 into d937b04fb1cb5d3ca303bd458169c352a4b52669 (view on LGTM.com: https://lgtm.com/projects/g/rpm-software-management/rpm/rev/pr-23e1bbee5a8ca504ba89111edb6f53d91798e1d8).
New alerts:
- 1 for Local variable hides global variable
View on GitHub: https://github.com/rpm-software-management/rpm/pull/1050#issuecomment-582394688
[Rpm-maint] [rpm-software-management/rpm] Add support for multiple, named OpenPGP signatures per package (#1050)
Add support for multiple, named signatures per package. Named signatures are stored as a name:base64-encoded string array in RPMTAG_OPENPGPHEADER; the name is an arbitrary \0-terminated string and is part of the signed data (appended after the actual package data). These are always header-only signatures, and can co-exist with traditional signatures: if no name is specified when signing, then the new signature replaces any old traditional signature the package may have. If a name is specified, then the signature is merely appended to RPMTAG_OPENPGPHEADER.

Use: rpmsign --addsign --name=name package

Not implemented yet:
- name sanity checks (limit to alphanumeric and punctuation?)
- named signatures are not checked for duplicates when signing
- there's no way to delete just one named signature
- ...

Misc notes: We could trivially support signatures without names too in the same tag, but the question then becomes what to do with traditional signatures when a name isn't specified; only putting named signatures into the new tag makes that simple(r). People will still need those legacy signatures for some time due to older versions not supporting the new ones.

You can view, comment on, or merge this pull request online at: https://github.com/rpm-software-management/rpm/pull/1050

Commit Summary:
- Add support for multiple, named OpenPGP signatures per package

File Changes:
- M lib/package.c (1)
- M lib/rpmtag.h (2)
- M lib/rpmvs.c (53)
- M lib/rpmvs.h (1)
- M rpmsign.c (6)
- M sign/rpmgensig.c (79)
- M sign/rpmsign.h (1)
- M tests/rpmgeneral.at (1)
- M tests/rpmsigdig.at (38)
- M tests/rpmvfylevel.at (1)

Patch Links:
- https://github.com/rpm-software-management/rpm/pull/1050.patch
- https://github.com/rpm-software-management/rpm/pull/1050.diff
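As an added illustration (this is not rpm's code and not the PR's patch) of the layout sketched in the description above and of the "build" / "qe" / "ship" stage idea from the earlier reply: each named signature covers the header bytes followed by the name and a trailing \0, and is stored as a "name:base64" string in a string-array tag. Two things here are assumptions for the sake of a runnable script: OpenPGP signing is replaced by an HMAC stand-in, and the name check (rejecting empty names, ':' and NUL) is one possible version of the sanity check the PR lists as not yet implemented. The point the example makes is why the name belongs inside the signed data: an entry signed as "build" cannot simply be copied into the tag under the name "ship".

```python
"""Model of per-package named signatures: "name:base64" entries whose signed
data is header + name + NUL.  Added example, not rpm's implementation."""
import base64
import hashlib
import hmac

TAG_NAME = "RPMTAG_OPENPGPHEADER"  # tag from the PR; a string array of entries


def signed_payload(header_blob: bytes, name: str) -> bytes:
    """Bytes covered by a named signature: header data, then the name, then \\0.
    Because the name is signed, it cannot be changed after the fact."""
    return header_blob + name.encode("utf-8") + b"\0"


def sign_stand_in(key: bytes, data: bytes) -> bytes:
    """Stand-in for OpenPGP signing (assumption: HMAC-SHA256 so this runs offline)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def check_name(name: str) -> None:
    """Hypothetical sanity check; the PR lists this as not implemented yet.
    ':' is rejected because it is the name/base64 separator in the entry;
    NUL is rejected because it terminates the name inside the signed data."""
    if not name or ":" in name or "\0" in name:
        raise ValueError("name must be non-empty and must not contain ':' or NUL")


def add_named_signature(tag: list[str], header_blob: bytes, name: str,
                        key: bytes) -> list[str]:
    """Append a 'name:base64' entry.  Append-only, as in the PR: no duplicate
    check, so signing twice under the same name yields two entries."""
    check_name(name)
    sig = sign_stand_in(key, signed_payload(header_blob, name))
    return tag + [f"{name}:{base64.b64encode(sig).decode('ascii')}"]


def parse_entry(entry: str) -> tuple[str, bytes]:
    """Split on the first ':'; base64 never contains ':' so this is unambiguous
    as long as names are checked the way check_name() does."""
    name, _, b64 = entry.partition(":")
    return name, base64.b64decode(b64, validate=True)


def verify_named(tag: list[str], header_blob: bytes, key: bytes) -> dict[str, bool]:
    """Recompute the signed payload from the *stored* name and check each entry."""
    results: dict[str, bool] = {}
    for entry in tag:
        name, sig = parse_entry(entry)
        expected = sign_stand_in(key, signed_payload(header_blob, name))
        results[name] = hmac.compare_digest(sig, expected)
    return results


def relabel(entry: str, new_name: str) -> str:
    """What a tampering attempt looks like: keep the signature bytes, change
    the name in front of them."""
    _, _, b64 = entry.partition(":")
    return f"{new_name}:{b64}"


def demo() -> tuple[dict[str, bool], dict[str, bool]]:
    header = b"constructed header bytes for the example"  # constructed input
    key = b"constructed-demo-key"                          # constructed key
    tag: list[str] = []
    tag = add_named_signature(tag, header, "build", key)   # same key, two stages
    tag = add_named_signature(tag, header, "qe", key)
    genuine = verify_named(tag, header, key)               # both True
    forged = [relabel(tag[0], "ship")]                     # "build" sig renamed
    tampered = verify_named(forged, header, key)           # ship -> False
    return genuine, tampered


if __name__ == "__main__":
    print(demo())
```

The second dict in the result shows the property that matters: the bytes of the "build" signature are still a valid signature, but over header + "build" + \0, so they do not verify as a "ship" stamp. Note that this model inherits the PR's other listed gaps: nothing stops two entries with the same name, and a verifier that only checks "at least one entry verifies" would need the policy layer the reply above mentions to decide which names are required.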