Phasing out header+payload digests and signatures #863
Comments
The open build service project uses the pkgid (aka hdr+payload md5) as package identifier.
There's also the well-known
Right, md5 is still used for various other things too (I think koji uses it too for similar id purposes) because it's the only thing that absolutely universally is there, and probably will need to remain for a long time still. Dropping the signatures is the more interesting and beneficial case though - md5 can be recalculated anytime, but not so with signatures (thinking about the compressed/uncompressed payload case)
On packages where a separate payload digest exists (i.e. those built with rpm >= 4.14), rpm v3 header+payload signatures are nothing but expensive legacy baggage, as the payload digest will be signed by a header-only signature already, without having to recalculate the entire file. Automatically detect the payload digest presence and only add V3 signatures on packages that need it, but also add an override switch to force their addition if needed for compatibility or so. Fixes: rpm-software-management#863
On packages where a separate payload digest exists (i.e. those built with rpm >= 4.14), rpm v3 header+payload signatures are nothing but expensive legacy baggage, as the payload digest will be signed by a header-only signature already, without having to recalculate the entire file. Automatically detect the payload digest presence and only add V3 signatures on packages that need it, but also add an override switch to force their addition if needed for compatibility or so. A particular use-case would be the ability to signature-level verify the entire package on rpm older than 4.14. Fixes: rpm-software-management#863
CLOUDBLD-7002

There are 4 RPM tags that can contain signatures [1]. Two of them are calculated from the header+payload - SIGPGP and SIGGPG. The other two are calculated only from the header - DSAHEADER and RSAHEADER.

Header signatures were added in rpm v4 and the header+payload ones have slowly been getting phased out since then [2]. The default rpm behavior is now to include only the header signature [3].

What this means for OSBS is simply that we need to start looking at the header signatures as well, where previously we would only consider the header+payload ones.

[1]: https://rpm-software-management.github.io/rpm/manual/tags.html
[2]: rpm-software-management/rpm#863
[3]: rpm-software-management/rpm@b1aeafe

Signed-off-by: Adam Cmiel <[email protected]>
This came up in #861, but deserves a topic of its own, and also needs to be laid out where people can see it:
The so-called "v3" header+payload digests and signatures in rpm have been on their slower-than-sloth way out ever since header-only digests/signatures were added in rpm v4 around the turn of the millennium, but without them there hasn't been any means to verify the payload without unpacking it, and so they've lingered on.
rpm 4.14 added a separate digest on the compressed payload. Unlike the v3 elements, the payload digest is stored in the immutable main header instead of signature header, so it's guarded by header-only digests/signatures making modification non-trivial and with signed packages, impossible. So there's now the means to perform strong verification of both the header and the payload independently of each other.
This means we can finally start phasing out the v3 digests and signatures for real. For one, it means that signing could technically be done without looking at the payload at all, making it much faster. It would also help the deltarpm case as discussed in #861. I'd like to say "simpler code" too, but rpm probably needs to carry support for the v3 stuff for another decade more for compatibility reasons, so that's not right around the corner. We have to start someplace though, and I think that something should be changing rpmsign to only create header-only signatures by default, and add a cli-switch to enable them for those who need it.
I'm sure I'm forgetting half a dozen things from my braindump, but it's a start at least.
Thoughts?
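As an added example (not rpm's code and not from anyone in this thread), the following Python script parses the rpm lead, signature header and main header of a package image and reports which of the elements discussed in this issue and in the CLOUDBLD-7002 commit message are present: the v3 SIGPGP/SIGGPG header+payload signatures and header+payload md5, the header-only DSAHEADER/RSAHEADER signatures, and the rpm 4.14 payload digest in the main header. It then answers the question the issue raises: on a given rpm version, is the payload actually covered by a signature? The tag numbers are assumed from rpm's rpmtag.h (check them against the tags manual), the `make_pkg` builder constructs throwaway package images with placeholder signature blobs, and the parser checks only tag presence, not signature validity.

```python
import struct

# rpm file-format constants; tag numbers assumed from rpm's rpmtag.h
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # header magic followed by version 1
LEAD_SIZE = 96

SIGTAG_PGP, SIGTAG_GPG = 1002, 1005  # v3 signatures over header+payload
SIGTAG_MD5 = 1004                    # v3 md5 over header+payload (the pkgid)
SIGTAG_DSA, SIGTAG_RSA = 267, 268    # header-only signatures
TAG_NAME = 1000
TAG_PAYLOADDIGEST = 5092             # digest of the compressed payload, main header (rpm >= 4.14)
TAG_PAYLOADDIGESTALGO = 5093

RPM_INT32, RPM_STRING, RPM_BIN, RPM_STRING_ARRAY = 4, 6, 7, 8


def build_header(entries):
    """Serialize (tag, type, data, count) entries into one rpm header structure."""
    index, data = b"", b""
    for tag, typ, blob, count in entries:
        if typ == RPM_INT32:                 # rpm aligns int32 data to 4 bytes
            data += b"\0" * (-len(data) % 4)
        index += struct.pack(">IIII", tag, typ, len(data), count)
        data += blob
    return HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(data)) + index + data


def parse_header(buf, off):
    """Parse one header at off; return ({tag: (type, raw_bytes, count)}, end_offset)."""
    if buf[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    idx_off, data_off = off + 16, off + 16 + 16 * nindex
    raw = [struct.unpack(">IIII", buf[idx_off + 16 * i:idx_off + 16 * (i + 1)]) for i in range(nindex)]
    raw.sort(key=lambda e: e[2])             # entry length = distance to the next data offset
    entries = {}
    for i, (tag, typ, doff, count) in enumerate(raw):
        end = raw[i + 1][2] if i + 1 < len(raw) else hsize
        entries[tag] = (typ, buf[data_off + doff:data_off + end], count)
    return entries, data_off + hsize


def parse_rpm(buf):
    """Return (signature_header, main_header) tag dicts of an rpm file image."""
    if buf[:4] != LEAD_MAGIC:
        raise ValueError("not an rpm file")
    sig, off = parse_header(buf, LEAD_SIZE)
    off += -off % 8                          # main header starts on an 8-byte boundary
    hdr, _ = parse_header(buf, off)
    return sig, hdr


def classify(sig, hdr):
    """Which integrity elements the package carries, in the issue's terminology."""
    return {
        "v3_sig": any(t in sig for t in (SIGTAG_PGP, SIGTAG_GPG)),
        "v3_md5": SIGTAG_MD5 in sig,
        "header_only_sig": any(t in sig for t in (SIGTAG_DSA, SIGTAG_RSA)),
        "payload_digest": TAG_PAYLOADDIGEST in hdr,
    }


def payload_digest(hdr):
    """Hex digest string from the main header, or None if the package predates rpm 4.14."""
    if TAG_PAYLOADDIGEST not in hdr:
        return None
    return hdr[TAG_PAYLOADDIGEST][1].split(b"\0")[0].decode()


def payload_signed_for(sig, hdr, rpm_version):
    """Is the payload covered by a signature when verified by rpm of the given (major, minor)?"""
    c = classify(sig, hdr)
    if c["v3_sig"]:                          # v3 signature spans header+payload on any rpm
        return True
    # A header-only signature signs the main header, which carries the payload digest,
    # but only rpm >= 4.14 knows to check that digest against the payload.
    return c["header_only_sig"] and c["payload_digest"] and rpm_version >= (4, 14)


def make_pkg(v3, payload_digest):
    """Constructed, minimal rpm-shaped image: lead + signature header + main header + dummy payload."""
    lead = (LEAD_MAGIC + bytes([3, 0]) + struct.pack(">HH", 0, 1) + b"demo-1.0-1".ljust(66, b"\0")
            + struct.pack(">HH", 1, 5) + b"\0" * 16)
    fake_sig = b"\x89\x01\x33" + b"\xaa" * 8     # constructed placeholder, not a real OpenPGP packet
    sig_entries = [(SIGTAG_RSA, RPM_BIN, fake_sig, len(fake_sig))]
    if v3:
        sig_entries.append((SIGTAG_PGP, RPM_BIN, fake_sig, len(fake_sig)))
        sig_entries.append((SIGTAG_MD5, RPM_BIN, b"\x11" * 16, 16))
    hdr_entries = [(TAG_NAME, RPM_STRING, b"demo\0", 1)]
    if payload_digest:
        hdr_entries.append((TAG_PAYLOADDIGESTALGO, RPM_INT32, struct.pack(">I", 8), 1))  # 8 = SHA256 (OpenPGP ids)
        hdr_entries.append((TAG_PAYLOADDIGEST, RPM_STRING_ARRAY, b"ab" * 32 + b"\0", 1))  # constructed hex digest
    sig = build_header(sig_entries)
    sig += b"\0" * (-len(sig) % 8)               # pad so the main header is 8-byte aligned
    return lead + sig + build_header(hdr_entries) + b"\x1f\x8b constructed-payload"


if __name__ == "__main__":
    for v3, pd in ((True, False), (False, True), (False, False)):
        s, h = parse_rpm(make_pkg(v3, pd))
        print(classify(s, h), "rpm 4.13:", payload_signed_for(s, h, (4, 13)),
              "rpm 4.14:", payload_signed_for(s, h, (4, 14)))
```

Running the script shows the three cases behind the discussion: a v3-signed package is payload-verifiable everywhere, a header-only-signed package with a payload digest is payload-verifiable only on rpm 4.14 and later, and a header-only-signed package without a payload digest leaves the payload uncovered, which is exactly the case the override switch in the linked commits is meant for. To inspect a real package with the same logic, read the file and pass its bytes to `parse_rpm`; the same presence checks are what `rpm -Kv` reports as header-only versus header+payload signatures.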