rpm-software-management / libdnf

Package management library.
GNU Lesser General Public License v2.1

Require that deltarpms be v3 and signed #1466

Open DemiMarie opened 2 years ago

DemiMarie commented 2 years ago

v3 deltarpms can be signed, and libdnf should verify the signature before passing them to drpm. The payload digest will be wrong, but that is okay since the header+payload signature can still be validated. This means that header+payload signatures will be required for deltarpms.

j-mracek commented 2 years ago

I am really sorry, but I do not know what we can do with it or what the plans are for deltarpm in the future. We believe that verification will not be easy, and we would prefer that a library or deltarpm do it for us.

DemiMarie commented 2 years ago

@j-mracek deltarpm does not have any signature verification functionality. Verification can be handled by librpm itself, as with normal RPMs.