On 2008-01-26 09:16:55 +0100, Susanne Oberhauser wrote:
Marcus Rueckert writes:
rpm does not support multiple sigs on one rpm.
a) I wouldn't put bets on that (I think it does, maybe buggy on and off, but you can add multiple signatures and installation will succeed if one of the keys is in /bin/rpm's keyring)
rpm --addsign (from the manpage) "Both of the --addsign and --resign options generate and insert new signatures for each package PACKAGE_FILE given, replacing any existing signatures. There are two options for historical reasons, there is no difference in behavior currently."
But thinking through it, alternatively, as rpm does support multiple signatures on the same package, would it be ok if aggregation adds a blessing to the package and it gets dual signed in both repos? So I think the following would do the trick too:
I alternatively propose that aggregation means blessing of a package, so the package will be signed with the original repo's key as well as with the aggregating repo's key.
In addition to maintaining 'hardlinkability' I think the semantics are ok: you'd never aggregate a package that you don't trust. And the other way 'round the additional signature in the other repository won't harm, AFAICT it's sufficient to trust one of the signatures to get a package installed so the aggregating signature doesn't change anything.
i am pretty sure it does not support multiple keys.

darix

--
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org