You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently Rekor uses version v0.0.0-20200122174316-8cb9fd9c31a8 of go-rpm. Neither this or newer version of this RPM library supports newer signature tags like RSAHEADER or DSAHEADERrpm docs.
This can be problematic as after rpm 4.14 the default behavior is to not populate the older signature tags (header+payload signature vs header only signature)rpmsign.
Since Rekor is already using an older version, I'm not opposed to forking the package and adding support for the new signature tags. I've already tried it locally and was able to log and verify RSAHEADER/DSAHEADER only RPMs.
Wanted to hear some opinions if that would be a viable strategy or not.
Thanks!
The text was updated successfully, but these errors were encountered:
Description
Currently Rekor uses version
v0.0.0-20200122174316-8cb9fd9c31a8
ofgo-rpm
. Neither this or newer version of this RPM library supports newer signature tags likeRSAHEADER
orDSAHEADER
rpm docs.This can be problematic as after rpm 4.14 the default behavior is to not populate the older signature tags (header+payload signature vs header only signature)rpmsign.
Since Rekor is already using an older version, I'm not opposed to forking the package and adding support for the new signature tags. I've already tried it locally and was able to log and verify RSAHEADER/DSAHEADER only RPMs.
Wanted to hear some opinions if that would be a viable strategy or not.
Thanks!
The text was updated successfully, but these errors were encountered: