On Mar 10, 2015, at 2:15 AM, srinivasan j v wrote:
> hello all
> I'm supposed to you use X509 format for signing .
> I'm trying to sign the CPIO archive of a rpm . I need to package this signature inside the RPM. I can't add this part of CPIO archive as the generated signature varies from the signature of newly formed CPIO archive .
The easiest way to do this is with a detached (or concatenated) X509 signature outside of RPM.
> I Tried adding the signature to the Signature tags in the Spec file (for testing purpose) but it did not work , Do i need to use any arbitary tag for this ?
Note that signing the CPIO payload has never been done by rpm, and that the
header+payload signing/verification was deprecated in 2007 and is not generated
by current RPM5, and that X509 format has never been supported by RPM.
Much more than a Signature: tag is needed.
> Is there any way that i keep these signatures as part of RPM but not as part of its CPIO archive ?
You can attempt rewriting the *.rpm and adding whatever you wish as additional tag content
in the signature header.
I'd again suggest that signing the entire *.rpm package, including the cpio payload, and prepending
the signature to the *.rpm, and then writing the verification and public key retrieval tool as the best
way to achieve your goal of "X509 format for signing".
73 de Jeff
> thanks in advance
Received on Tue Mar 10 17:48:37 2015