RPM

Comment 14 for bug 635868

In , Jeff (jeff-redhat-bugs) wrote:

Re
> If this is the case, then rpm should pass --force-v3-sigs to gpg when using
> --addsign.

The gpg signing invocation used by rpm is entirely configurable with macros:

%__gpg_sign_cmd %{__gpg} \
        gpg --batch --no-verbose --no-armor --passphrase-fd 3 --no-secmem-warning \
        -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}

Feel free to do whatever you wish. I supplied the hysterical details re V3 RSA signatures
for reference purposes.

Note that however this #436812 featlet/bugture is resolved, most rpm implementations
in "production" do not correctly handle RSA V4 signatures.

(aside)
You'd think a package signer would verify that, indeed, a package verifies after signing
    rpm -Kvv *.rpm
rather than just releasing, wouldn't ya?

Personally I'd rather see the RPM crypto implementation "Just Work" rather than limit
the functionality to V3 signatures only. But that also means that rpm verification will need
every algorithm that might ever be used by gpg when signing, including
MD2/tiger192 hashes and ECDSA and odd-ball variants of DSA with q={224,256} bits > 1024 and
(likely soon) RSA/MD6 or whatever is chosen from the SHA-3 competition.
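The two practical points in the comment above, overriding the `%__gpg_sign_cmd` macro (here with the `--force-v3-sigs` flag proposed in the quoted reply) and verifying every package after signing instead of releasing blind, put together as an added example. This is not code from the bug thread or from rpm itself. It assumes an rpm that still provides `rpm --addsign` (newer releases ship it as `rpmsign --addsign`) and a gpg that honours `--force-v3-sigs` (gpg 2.1 and later ignore the flag); the signer name in `%_gpg_name` is a placeholder, and the `rpm -K` output lines used for the check are constructed samples in the format older rpm prints:

```shell
#!/bin/sh
# Added example, not part of the bug report: sign with a customised
# %__gpg_sign_cmd and refuse to hand a package onward unless `rpm -K`
# says it verifies.

# Emit an ~/.rpmmacros fragment. The macro body is the one from the
# comment with --force-v3-sigs inserted; %_gpg_name is a placeholder.
write_rpmmacros() {
    cat <<'EOF'
%_gpg_name Example Signer <signer@example.com>
%__gpg_sign_cmd %{__gpg} \
        gpg --batch --no-verbose --no-armor --force-v3-sigs --passphrase-fd 3 --no-secmem-warning \
        -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}
EOF
}

# Classify one line of `rpm -K` output. rpm prints "<file>: ... OK" when
# every digest and signature verifies and "... NOT OK" (usually followed by
# a parenthesised reason such as MISSING KEYS) otherwise. Anything that is
# not a clean trailing " OK" is treated as a failure, including empty output.
check_rpm_k_line() {
    case "$1" in
        *"NOT OK"*) return 1 ;;
        *" OK")     return 0 ;;
        *)          return 1 ;;
    esac
}

# Sign the given packages, then verify each one. A package whose signature
# does not verify is reported on stderr and the function returns non-zero,
# so a release script that calls it stops instead of shipping the package.
# Use `rpm -Kvv "$pkg"` by hand when you need the per-header detail.
sign_and_verify() {
    rpm --addsign "$@" || return 1
    status=0
    for pkg in "$@"; do
        line=$(rpm -K "$pkg" 2>&1)
        if ! check_rpm_k_line "$line"; then
            echo "verification failed: $line" >&2
            status=1
        fi
    done
    return $status
}

# Typical use (not run here):
#   write_rpmmacros > ~/.rpmmacros
#   sign_and_verify *.rpm
```

`check_rpm_k_line` deliberately fails closed: an `rpm -K` that reports a missing public key still prints `NOT OK`, and an rpm that cannot parse the new signature at all (the RSA V4 problem the comment mentions) will not print a trailing ` OK` either, so both cases stop the release.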