RPM: signing uncompressed data instead of signed data?

[John Reiser]

On 11/11/2010 07:17 AM, Andre Robatino wrote:
> in an alternate universe where RPM was originally
> designed to sign the uncompressed data, and the higher-level tools were
> subsequently designed to work with that, is there any fundamental reason
> why things would be worse (or better) than they are now?

The bytes that are signed would be "farther away" from the contents
of the .rpm file.  The compression would occur in between the signing
and packing the file, so the signing would be less "end-to-end" with
respect to packing the contents into the file.  This changes the
data integrity implications of signature that does not match.
Some uses want more protection against "mere transmission errors" of the file,
other uses want more independence of the various steps in a larger process
(ability to change compression without changing signature, for example.)

--