Re: Signing packages on RH73 and RH9 results in other output
- From: Jeff Johnson <n3npq nc rr com>
- To: rpm-list redhat com
- Subject: Re: Signing packages on RH73 and RH9 results in other output
- Date: Thu, 28 Aug 2003 20:18:19 -0400
Dag Wieers wrote:
On Wed, 27 Aug 2003, Jeff Johnson wrote:
Dag Wieers wrote:
...
If you then think to be clever (ha!) to build a rpm-4.2-1 for RH73 and
--resign them, don't bother as there is no way you can (re)sign them with
the same key, let alone remove an existing signature.
Not true, but depends on key and version of rpm used to sign.
Yes, if already signed with same key id, then package will not be resigned. Feature request from Red Hat package signer that I forgot about.
Well, it was rpm-4.0.4-7x.18.i386.rpm (RH73) and rpm-4.2-0.69 (RH9).
This is what I needed. Signing with rpm-4.0.5 (if only the older header+payload signature is desired) is recommended.
rpm-4.0.4 did not discard head-only signatures produced by rpm-4.1 and later well, because they weren't implemented yet.
This can lead to the head scratcher:
a) sign with rpm-4.1 or later, producing both header-only and header+payload signatures.
b) resign with rpm-4.0.4 using different key, replacing
header+payload signature.
Note that there are then 2 signatures, different keys, confusion ensues, depends on which version of rpm used to verify.
rpm-4.0.5 erases any header-only signatures that might be present from
rpm-4.1 or later.
I encourage you to use rpm-4.1 or later for all package signing.
Is that consistent with what you saw?
73 de Jeff
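
A check for the two-signatures, two-keys case described in the message above, as an added example that is not part of the original post or of rpm itself. It assumes a current rpm whose query format supports the `RSAHEADER`, `DSAHEADER`, `SIGPGP` and `SIGGPG` tags with the `:pgpsig` formatter; the function names `rpm_sig_lines` and `check_sig_keys` are hypothetical.

```shell
#!/bin/sh
# Added example: flag a package whose header-only and header+payload
# signatures carry different key IDs.

# Print one "TAG|description" line per signature tag of a package file.
# RSAHEADER/DSAHEADER are header-only; SIGPGP/SIGGPG cover header+payload.
# An absent tag is printed by rpm as "(none)".
rpm_sig_lines() {
    rpm -qp --qf 'RSAHEADER|%{RSAHEADER:pgpsig}\nDSAHEADER|%{DSAHEADER:pgpsig}\nSIGPGP|%{SIGPGP:pgpsig}\nSIGGPG|%{SIGGPG:pgpsig}\n' "$1"
}

# Read "TAG|description" lines on stdin and compare the key IDs found.
# Prints "unsigned", "consistent <keyid>" or "MIXED ...";
# returns 1 only in the MIXED case.
check_sig_keys() {
    hdr_ids=""
    pay_ids=""
    while IFS='|' read -r tag desc; do
        case "$desc" in
            *"Key ID "*) id=${desc##*Key ID } ;;
            *) continue ;;                 # "(none)": tag not present
        esac
        case "$tag" in
            RSAHEADER|DSAHEADER) hdr_ids="$hdr_ids $id" ;;
            SIGPGP|SIGGPG)       pay_ids="$pay_ids $id" ;;
        esac
    done
    # Word-split the collected IDs into positional parameters.
    set -- $hdr_ids $pay_ids
    if [ $# -eq 0 ]; then
        echo "unsigned"
        return 0
    fi
    first=$1
    for id in "$@"; do
        if [ "$id" != "$first" ]; then
            echo "MIXED header:$hdr_ids payload:$pay_ids"
            return 1
        fi
    done
    echo "consistent $first"
}

# Stand-alone use: sh this-script.sh some-package.rpm
if [ $# -gt 0 ]; then
    rpm_sig_lines "$1" | check_sig_keys
fi
```

A `MIXED` result means the verdict on the package can differ depending on which signature the verifying rpm version checks.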