RPM Community Forums

Mailing List Message of <rpm-devel>

Independent transport of *.rpm signatures

From: Jeff Johnson <n3npq@mac.com>
Date: Sun 28 Sep 2008 - 19:52:28 CEST
Message-id: <F3D4B282-4564-488A-9222-94EAC454EFA4@mac.com>
Idle chit-chat on #rpm irc led me to realize that lots and lots
of bandwidth is being wasted when *.rpm packages are signed.

The fundamental conceptual issue is that

     Does signing *.rpm plaintext constitute a change in content?

If your criteria for "change" is looking at, say, a digest of a *.rpm  
the answer is always YES! content has changed.

However, if you look at any old plaintext, creating a detached signature
changes nothing whatsoever in the plaintext. So, with exactly the same
criteria for "change", looking at a digest of the plaintext, the  
answer is most
definitely NO!

The confusion comes because a *.rpm file carries __BOTH__ the detached
signature and the plaintext in the same file.

But there's literally no reason why detached signatures cannot be  
transported __WITHOUT
DOWNLOADING__  the plaintext Yet Again, and, if the signature  
verifies, well, the signature
can be appended to headers saved in an rpmdb __WITHOUT REINSTALLING__.


73 de Jeff
Received on Sun Sep 28 19:52:33 2008
Driven by Jeff Johnson and the RPM project team.
Hosted by OpenPKG and Ralf S. Engelschall.
Powered by FreeBSD and OpenPKG.