RPM: signing uncompressed data instead of signed data?

Michael Schroeder mls at suse.de
Thu Nov 11 15:40:13 UTC 2010

On Thu, Nov 11, 2010 at 10:17:57AM -0500, Andre Robatino wrote:
> I realize there's a lot of stuff sitting on top of RPM that depends on
> how it works currently, but in terms of correctness, it still seems to
> me to make more sense to sign the uncompressed data, since that's what
> actually gets used, and it would avoid issues like
> https://fedorahosted.org/rel-eng/ticket/4224 which will have to be dealt
> with periodically as long as compression continues to improve. So let me
> rephrase the question: in an alternate universe where RPM was originally
> designed to sign the uncompressed data, and the higher-level tools were
> subsequently designed to work with that, is there any fundamental reason
> why things would be worse (or better) than they are now?

Security-wise it would be a bit worse, because the decompression
libraries may contain exploitable bugs, so checking the
signature of a rpm might already be a dangerous operation.

(But most repositories nowadays already contain checksums over
the complete rpm, and most people trust repositories, not
individual rpms.)


Michael Schroeder                                   mls at suse.de
SUSE LINUX Products GmbH, GF Markus Rex, HRB 16746 AG Nuernberg
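The trade-off described in the reply above, as an added example that is not part of the thread and not RPM's own code: a toy model in which HMAC-SHA256 stands in for RPM's GPG signature, zlib stands in for the payload compressor, and the package payload, key and "different compressor version" (a different zlib level) are all constructed for illustration. It contrasts the current design (signature over the compressed file, so the decompressor never sees unverified bytes) with the alternate design (signature over the uncompressed data, so every signature check first runs the decompressor on untrusted input), and also shows why the current design breaks when the same payload is recompressed, which is the problem the quoted rel-eng ticket is about.

```python
"""Toy model of 'sign compressed bytes' vs 'sign uncompressed data'.

Assumptions (not from the thread): HMAC-SHA256 replaces the GPG signature,
zlib replaces the rpm payload compressor, payload and key are made up.
"""
import hashlib
import hmac
import zlib

# Constructed sample payload and signing key; not real package data.
PAYLOAD = b"#!/bin/sh\necho hello from the package\n" * 20
KEY = b"demo-signing-key"

# How many times the decompressor has been fed bytes that were NOT yet verified.
# In real life this is where a bug in the decompression library becomes reachable.
unverified_decompressions = 0


def sign(data: bytes) -> bytes:
    """Stand-in for the package signature over whatever bytes the design covers."""
    return hmac.new(KEY, data, hashlib.sha256).digest()


def build_package(level: int):
    """Compress the payload and return (blob, sig_over_compressed, sig_over_uncompressed)."""
    blob = zlib.compress(PAYLOAD, level)
    return blob, sign(blob), sign(PAYLOAD)


def verify_then_decompress(blob: bytes, sig: bytes):
    """Current-style design: the signature covers the compressed bytes on disk.
    Untrusted input reaches zlib only after the signature has checked out."""
    if not hmac.compare_digest(sign(blob), sig):
        return None
    return zlib.decompress(blob)


def decompress_then_verify(blob: bytes, sig: bytes):
    """Alternate design: the signature covers the uncompressed data.
    Checking it at all requires decompressing the untrusted blob first."""
    global unverified_decompressions
    unverified_decompressions += 1
    try:
        data = zlib.decompress(blob)
    except zlib.error:
        return None
    if not hmac.compare_digest(sign(data), sig):
        return None
    return data


def repo_checksum_ok(blob: bytes, expected_sha256_hex: str) -> bool:
    """Repository-level check: a digest over the complete package file, which
    covers the whole file regardless of which design the signature inside uses."""
    return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), expected_sha256_hex)


def demo() -> dict:
    """Run the genuine / tampered / recompressed scenarios under both designs."""
    global unverified_decompressions
    blob, sig_c, sig_u = build_package(level=9)
    results = {}

    # 1. Genuine package: both designs accept it.
    results["genuine_compressed_sig"] = verify_then_decompress(blob, sig_c) == PAYLOAD
    results["genuine_uncompressed_sig"] = decompress_then_verify(blob, sig_u) == PAYLOAD

    # 2. Tampered package: one byte flipped inside the compressed stream.
    tampered = bytearray(blob)
    tampered[len(tampered) // 2] ^= 0xFF
    tampered = bytes(tampered)
    unverified_decompressions = 0
    results["tampered_compressed_sig"] = verify_then_decompress(tampered, sig_c) is None
    results["tampered_uncompressed_sig"] = decompress_then_verify(tampered, sig_u) is None
    # Only the sign-uncompressed design ran the decompressor on attacker bytes.
    results["decompressor_saw_unverified_input"] = unverified_decompressions

    # 3. Same payload recompressed with other settings (stand-in for a newer
    #    compressor version): the compressed-bytes signature no longer matches,
    #    the uncompressed-data signature still does.
    recompressed = zlib.compress(PAYLOAD, 0)
    results["recompressed_compressed_sig"] = verify_then_decompress(recompressed, sig_c) is None
    results["recompressed_uncompressed_sig"] = decompress_then_verify(recompressed, sig_u) == PAYLOAD

    # Repository checksum over the file as distributed.
    results["repo_checksum"] = repo_checksum_ok(blob, hashlib.sha256(blob).hexdigest())
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to take from scenario 2 is the counter: with the signature over the compressed bytes, the tampered file is rejected before any decompression library touches it; with the signature over uncompressed data, the decompressor has already run on attacker-controlled input by the time the check can fail. Scenario 3 is the flip side, and the repository-level digest at the end is the check that makes the choice matter less in practice when clients trust repository metadata rather than individual packages.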
