
Mailing List Message of <rpm-users>

Re: Embed signatures in rpm (RPM tags)

From: Jeffrey Johnson <n3npq@me.com>
Date: Tue 10 Mar 2015 - 16:47:41 CET
Message-id: <0A9B940B-82E0-4BB0-AED5-4FA6E24ED203@me.com>

On Mar 10, 2015, at 2:15 AM, srinivasan j v wrote:

> hello all
> 
> I'm supposed to use X509 format for signing.
> 
> I'm trying to sign the CPIO archive of an rpm. I need to package this signature inside the RPM. I can't add this as part of the CPIO archive, as the generated signature varies from the signature of the newly formed CPIO archive.
> 

The easiest way to do this is with a detached (or concatenated) X509 signature outside of RPM.

> I tried adding the signature to the Signature tags in the spec file (for testing purposes), but it did not work. Do I need to use any arbitrary tag for this?
> 

Note that signing the CPIO payload has never been done by rpm, and that the
header+payload signing/verification was deprecated in 2007 and is not generated
by current RPM5, and that X509 format has never been supported by RPM.

Much more than a Signature: tag is needed.

> Is there any way that I can keep these signatures as part of the RPM but not as part of its CPIO archive?
> 

You can attempt rewriting the *.rpm and adding whatever you wish as additional tag content
in the signature header.

I'd again suggest signing the entire *.rpm package, including the cpio payload, prepending
the signature to the *.rpm, and then writing the verification and public key retrieval tool, as the best
way to achieve your goal of "X509 format for signing".

73 de Jeff
> thanks in advance
> 
> regards
> srinivasan
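A concrete shape for the detached-signature approach suggested above (X.509 certificate, signature over the whole *.rpm kept beside the package, verification that must pass before the file is handed to rpm), as an added example that is not from this thread or from RPM itself. It assumes openssl is installed, and the package file it signs is a constructed placeholder, not a real rpm.

```shell
#!/bin/sh
# Added example: detached X.509/RSA signature over a whole *.rpm file.
# Assumptions: openssl is on PATH; $WORK is a scratch directory we create.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# One-time setup: signer private key plus a self-signed X.509 certificate.
# The CN is a constructed demo identity, not a real signing authority.
make_signer() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo-rpm-signer" \
    -keyout "$WORK/signer.key" -out "$WORK/signer.crt" >/dev/null 2>&1
}

# sign_rpm PKG: write PKG.sig, a detached SHA-256/RSA signature over the
# entire file (lead, headers and cpio payload alike), leaving PKG untouched.
sign_rpm() {
  openssl dgst -sha256 -sign "$WORK/signer.key" -out "$1.sig" "$1"
}

# verify_rpm PKG CERT: exit 0 only if PKG.sig verifies under the public key
# carried in CERT. Anything that fails here should never reach rpm -i.
verify_rpm() {
  pkg="$1"; cert="$2"
  openssl x509 -in "$cert" -pubkey -noout > "$WORK/signer.pub"
  openssl dgst -sha256 -verify "$WORK/signer.pub" \
    -signature "$pkg.sig" "$pkg" >/dev/null 2>&1
}

# Demo run on a constructed placeholder package (RPM lead magic + filler bytes).
make_signer
printf '\355\253\356\333constructed-rpm-body' > "$WORK/demo.rpm"
sign_rpm "$WORK/demo.rpm"
if verify_rpm "$WORK/demo.rpm" "$WORK/signer.crt"; then
  echo "intact package: signature OK"
fi
# Any change to the bytes, payload included, breaks the signature.
printf 'x' >> "$WORK/demo.rpm"
if ! verify_rpm "$WORK/demo.rpm" "$WORK/signer.crt"; then
  echo "tampered package: signature REJECTED"
fi
```

The certificate distribution and lookup step that Jeff mentions is the part this sketch leaves to the caller: verify_rpm trusts whatever certificate it is given.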
Received on Tue Mar 10 17:48:37 2015