
Phasing out header+payload digests and signatures #863

Closed
pmatilai opened this issue Sep 25, 2019 · 3 comments · Fixed by #1093

Comments

@pmatilai
Member

This came up in #861, but deserves a topic of its own, and also needs to be laid out where people can see it:

The so-called "v3" header+payload digests and signatures in rpm have been on their slower-than-sloth way out ever since header-only digests/signatures were added in rpm v4 around the turn of the millennium, but without them there hasn't been any means to verify the payload without unpacking it, and so they've lingered on.

rpm 4.14 added a separate digest on the compressed payload. Unlike the v3 elements, the payload digest is stored in the immutable main header instead of signature header, so it's guarded by header-only digests/signatures making modification non-trivial and with signed packages, impossible. So there's now the means to perform strong verification of both the header and the payload independently of each other.

This means we can finally start phasing out the v3 digests and signatures for real. For one, it means that signing could technically be done without looking at the payload at all, making it much faster. It would also help the deltarpm case as discussed in #861. I'd like to say "simpler code" too, but rpm probably needs to carry support for the v3 stuff for another decade more for compatibility reasons, so that's not right around the corner. We have to start someplace though, and I think that something should be changing rpmsign to only create header-only signatures by default, and add a CLI switch to enable them for those who need it.

I'm sure I'm forgetting half a dozen things from my braindump, but it's a start at least.
Thoughts?

@mlschroe
Contributor

The open build service project uses the pkgid (aka hdr+payload md5) as the package identifier.

@mlschroe
Contributor

There's also the well-known rpm -q --pkgid XXX query option ;)

@pmatilai
Member Author

Right, md5 is still used for various other things too (I think koji uses it too for similar id purposes) because it's the only thing that absolutely universally is there, and probably will need to remain for a long time still. Dropping the signatures is the more interesting and beneficial case though: md5 can be recalculated anytime, but not so with signatures (thinking about the compressed/uncompressed payload case).

pmatilai added a commit to pmatilai/rpm that referenced this issue Mar 2, 2020
On packages where a separate payload digest exists (i.e. those built with
rpm >= 4.14), rpm v3 header+payload signatures are nothing but expensive
legacy baggage, as the payload digest will be signed by a header-only
signature already, without having to recalculate the entire file.

Automatically detect the payload digest presence and only add V3
signatures on packages that need it, but also add an override switch
to force their addition if needed for compatibility or so.

Fixes: rpm-software-management#863
pmatilai added a commit to pmatilai/rpm that referenced this issue Mar 10, 2020
On packages where a separate payload digest exists (i.e. those built with
rpm >= 4.14), rpm v3 header+payload signatures are nothing but expensive
legacy baggage, as the payload digest will be signed by a header-only
signature already, without having to recalculate the entire file.

Automatically detect the payload digest presence and only add V3
signatures on packages that need it, but also add an override switch
to force their addition if needed for compatibility or so. A particular
use-case would be the ability to signature-level verify the entire package
on rpm older than 4.14.

Fixes: rpm-software-management#863
pmatilai added a commit that referenced this issue Mar 10, 2020
On packages where a separate payload digest exists (i.e. those built with
rpm >= 4.14), rpm v3 header+payload signatures are nothing but expensive
legacy baggage, as the payload digest will be signed by a header-only
signature already, without having to recalculate the entire file.

Automatically detect the payload digest presence and only add V3
signatures on packages that need it, but also add an override switch
to force their addition if needed for compatibility or so. A particular
use-case would be the ability to signature-level verify the entire package
on rpm older than 4.14.

Fixes: #863
ifel pushed a commit to ifel/rpm that referenced this issue Jul 16, 2020
ifel pushed a commit to ifel/rpm that referenced this issue Jul 16, 2020
chmeliik added a commit to chmeliik/atomic-reactor that referenced this issue Aug 26, 2021
CLOUDBLD-7002

There are 4 RPM tags that can contain signatures [1]. Two of them are
calculated from the header+payload - SIGPGP and SIGGPG. The other two
are calculated only from the header - DSAHEADER and RSAHEADER.

Header signatures were added in rpm v4 and the header+payload ones have
slowly been getting phased out since then [2]. The default rpm behavior
is now to include only the header signature [3].

What this means for OSBS is simply that we need to start looking at the
header signatures as well, where previously we would only consider the
header+payload ones.

[1]: https://rpm-software-management.github.io/rpm/manual/tags.html
[2]: rpm-software-management/rpm#863
[3]: rpm-software-management/rpm@b1aeafe

Signed-off-by: Adam Cmiel <[email protected]>
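As an added example (not code from the rpm project, atomic-reactor, or anyone in this thread), the following Python walks an rpm file's lead, signature header and main header, reports whether the package carries v3 header+payload signatures (SIGPGP/SIGGPG) or header-only ones (DSAHEADER/RSAHEADER) as the commit message above distinguishes them, and checks the two digests the issue description relies on: the SHA256 header digest and the rpm >= 4.14 payload digest over the compressed payload. Assumptions: the tag numbers are rpm's on-disk signature-header and main-header tags, the header digest is taken over the header blob from its magic through its data, the sample package bytes are constructed here (not a real rpm), and the signature bytes in it are placeholders that are classified but not cryptographically verified.

```python
import hashlib
import struct
HDR_MAGIC, LEAD_LEN = b"\x8e\xad\xe8\x01\x00\x00\x00\x00", 96   # header magic; fixed lead size
SIGTAG_PGP, SIGTAG_GPG, SIGTAG_DSA, SIGTAG_RSA = 1002, 1005, 267, 268   # v3 sigs; header-only sigs
SIGTAG_SHA256, TAG_PAYLOADDIGEST, TAG_PAYLOADDIGESTALGO = 273, 5092, 5093   # hdr digest; payload digest
SHA256_ALGO, INT32, STRING, BIN, STRING_ARRAY = 8, 4, 6, 7, 8   # PGPHASHALGO_SHA256; entry types

def parse_header(buf, off):   # decode one rpm header structure; returns ({tag: value}, end offset)
    assert buf[off:off + 8] == HDR_MAGIC, "bad header magic at offset %d" % off
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    data, tags = off + 16 + 16 * nindex, {}
    for i in range(nindex):
        tag, typ, o, count = struct.unpack(">iiII", buf[off + 16 + 16 * i:off + 32 + 16 * i])
        if typ == INT32:
            tags[tag] = list(struct.unpack(">%dI" % count, buf[data + o:data + o + 4 * count]))
        elif typ in (STRING, STRING_ARRAY):       # count NUL-terminated strings (1 for STRING)
            tags[tag] = [v.decode() for v in buf[data + o:].split(b"\0", count)[:count]]
        else:                                     # BIN (and anything else): raw bytes
            tags[tag] = buf[data + o:data + o + count]
    return tags, data + hsize

def inspect_rpm(buf):   # which signature kinds are present, and do header/payload digests verify?
    sig, end = parse_header(buf, LEAD_LEN)        # signature header follows the fixed-size lead
    hdr_start = end + (-end % 8)                  # signature header is padded out to 8 bytes
    hdr, payload_off = parse_header(buf, hdr_start)
    hdr_sha = hashlib.sha256(buf[hdr_start:payload_off]).hexdigest()   # over magic..data (assumed)
    return {"v3_sig": SIGTAG_PGP in sig or SIGTAG_GPG in sig,
            "header_only_sig": SIGTAG_DSA in sig or SIGTAG_RSA in sig,
            "header_sha256_ok": sig.get(SIGTAG_SHA256) == [hdr_sha],
            "payload_digest_ok": hdr.get(TAG_PAYLOADDIGESTALGO) == [SHA256_ALGO] and
            hashlib.sha256(buf[payload_off:]).hexdigest() in hdr.get(TAG_PAYLOADDIGEST, [])}

def build_header(entries):   # serialise [(tag, type, value)]; only used for the constructed sample
    index, data = b"", b""
    for tag, typ, val in entries:
        data += b"\0" * (-len(data) % 4) if typ == INT32 else b""   # INT32 data is 4-byte aligned
        off = len(data)
        data += struct.pack(">%dI" % len(val), *val) if typ == INT32 else (
            val if typ == BIN else b"".join(s.encode() + b"\0" for s in val))
        index += struct.pack(">iiII", tag, typ, off, len(val))
    return HDR_MAGIC + struct.pack(">II", len(entries), len(data)) + index + data

def make_sample(v3=False):   # constructed rpm-shaped bytes, not a real package
    payload = b"constructed compressed payload"
    hdr = build_header([(TAG_PAYLOADDIGEST, STRING_ARRAY, [hashlib.sha256(payload).hexdigest()]),
                        (TAG_PAYLOADDIGESTALGO, INT32, [SHA256_ALGO])])
    sig = build_header([(SIGTAG_RSA, BIN, b"\x89" * 16),   # placeholder signature bytes, not checked
                        (SIGTAG_SHA256, STRING, [hashlib.sha256(hdr).hexdigest()])]
                       + ([(SIGTAG_PGP, BIN, b"\x89" * 16)] if v3 else []))
    return b"\xed\xab\xee\xdb" + b"\0" * (LEAD_LEN - 4) + sig + b"\0" * (-len(sig) % 8) + hdr + payload
```

On a real package, `inspect_rpm(open(path, "rb").read())` shows whether the file still depends on a v3 signature for payload integrity or whether the header-only signature plus payload digest already covers it; a tampered payload flips `payload_digest_ok` without touching the signature header.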
chmeliik added a commit to chmeliik/atomic-reactor that referenced this issue Aug 26, 2021
MartinBasti pushed a commit to containerbuildsystem/atomic-reactor that referenced this issue Aug 27, 2021
MartinBasti pushed a commit to MartinBasti/atomic-reactor that referenced this issue Aug 27, 2021
MartinBasti pushed a commit to containerbuildsystem/atomic-reactor that referenced this issue Aug 27, 2021