As part of our sha-256 efforts, we're trying to sign rpms with a sha-2
digest. I'm attempting to sign packages with a RSA key that is size
4096, the biggest possible. However I'm running into problems importing
this into koji, due to my local signing software haven stolen come code
from koji to determine what the sigkey is. The koji code makes an
assumption about where the key ID exists in the signature header, and it
seems this assumption is wrong when larger keys are used.
Mitr who has been helping me says that for a quick hack, when getting
the key chunk out of the hex, we can assume that sigkey[13:17] works if
sigkey is 0x88, but if 0 is 0x89, we have to go to 14:18.
This comes up a few times in koji code, so I thought some discussion was
in order before setting off to make a patch.
Is there anything better we can do instead of snaking raw data out of
Fedora -- Freedom² is a feature!