On 10/06/2014 07:53 PM, Jonathan Dieter wrote:
> As mentioned elsewhere, the problem *is* signatures. yum (quite rightly) refuses to install an rpm whose signature doesn't match the one in the primary repodata. And I believe that the signature in the RPM is also over the whole compressed rpm. To make this work, we'd need to add an "uncompressed" signature for every package to the primary repodata as well as probably the rpms themselves.
IIRC repodata doesn't carry signatures, it carries a (sha256) checksum of its own on the entire package. Rpm signatures are a different beast: there's a (sha1) checksum and a signature on the header, plus "rpm v3" checksum and signature on header + payload. rpm -K style signature checking is the only thing that looks at the header + payload checksum and signature, otherwise rpm only uses the checksum/signature on header, which of course then has checksums of the individual files.
Rpm can (and usually does) ignore the payload signature, file-level checksums get checked anyway (that too *can* be disabled but...) However it still requires the input data to be compressed in the format specified in the header. So to avoid having to compress tons of data only to decompress it shortly afterwards, there would have to be a way to tell librpm to expect a different payload compression (or specifically, that the payload is not compressed). Shouldn't be rocket science.
- Panu -
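The three digest scopes described in the message above, as an added example that is not part of the original thread or of rpm's own code. It builds a constructed, simplified package blob (lead, signature header, main header, payload) and shows which digests survive when the compressed payload is replaced by the uncompressed one. It models digests only, not GPG signatures, and zlib stands in for the payload compressor.

```python
import hashlib, struct, zlib

HDR_MAGIC = b"\x8e\xad\xe8\x01\x00\x00\x00\x00"
SHA1_HEADER, MD5_HDR_PAYLOAD = 269, 1004  # rpm signature-header tags
T_STRING, T_BIN = 6, 7

def build_header(entries):
    """Serialize [(tag, type, data)] as an rpm header: intro, index, store."""
    index = store = b""
    for tag, typ, data in entries:
        count = 1 if typ == T_STRING else len(data)
        index += struct.pack(">IIII", tag, typ, len(store), count)
        store += data
    return HDR_MAGIC + struct.pack(">II", len(entries), len(store)) + index + store

def parse_header(buf, off):
    """Return ({tag: value bytes}, offset of the first byte after the header)."""
    if buf[off:off + 8] != HDR_MAGIC:
        raise ValueError("bad header magic")
    nindex, hsize = struct.unpack_from(">II", buf, off + 8)
    store, tags = off + 16 + 16 * nindex, {}
    for i in range(nindex):
        tag, typ, o, count = struct.unpack_from(">IIII", buf, off + 16 + 16 * i)
        end = buf.index(b"\0", store + o) if typ == T_STRING else store + o + count
        tags[tag] = buf[store + o:end]
    return tags, store + hsize

def build_package(header, payload):
    sig = build_header([
        (SHA1_HEADER, T_STRING, hashlib.sha1(header).hexdigest().encode() + b"\0"),
        (MD5_HDR_PAYLOAD, T_BIN, hashlib.md5(header + payload).digest())])
    sig += b"\0" * (-len(sig) % 8)            # signature header is padded to 8 bytes
    return b"\xed\xab\xee\xdb" + b"\0" * 92 + sig + header + payload  # 96-byte lead

def check(pkg, repodata_sha256):
    """Report which of the three digests still match for this package blob."""
    sig, end = parse_header(pkg, 96)
    hdr_off = end + (-end % 8)
    _, payload_off = parse_header(pkg, hdr_off)
    header = pkg[hdr_off:payload_off]
    return {
        "header_sha1": hashlib.sha1(header).hexdigest().encode() == sig[SHA1_HEADER],
        "header_payload_md5": hashlib.md5(pkg[hdr_off:]).digest() == sig[MD5_HDR_PAYLOAD],
        "repodata_sha256": hashlib.sha256(pkg).hexdigest() == repodata_sha256,
    }

# Constructed sample: tags 1000 (name) and 1125 (payload compressor) in the main header.
RAW = b"constructed file contents\n" * 40
HEADER = build_header([(1000, T_STRING, b"demo\0"), (1125, T_STRING, b"gzip\0")])
GZ = zlib.compress(RAW)
ORIGINAL = build_package(HEADER, GZ)
REPO_SHA256 = hashlib.sha256(ORIGINAL).hexdigest()
UNCOMPRESSED = ORIGINAL[:-len(GZ)] + RAW      # same lead/signature/header, raw payload
```

`check(UNCOMPRESSED, REPO_SHA256)` keeps the header digest valid while the header + payload digest and the whole-file repodata checksum both fail, which is why a delivery scheme that changes payload compression has to account for the latter two.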