feat: expose rpm signature information #3179
Conversation
|
I still need to get some signature information into the tests before this is ready for review. |
This helps with more confident identification of an rpm. In theory, two rpms can be built that have the same purl string, and otherwise look identical in syft's output, but the PGP information would distinguish them as signed either by different keys, or signed at different times. In practice, this usually makes no difference since rpms tend to have unique name/version/release strings. This just gives increased confidence about the identity of the rpm found in the db. Signed-off-by: Ralph Bean <rbean@redhat.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
|
(I spent some time trying to get the test suite working locally on |
|
no problem @ralphbean -- shout out if there is something we can do to help! |
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
|
The upstream lib doesn't seem to be working when the backing store is sqlite (where it is working when it's bdb) Technically that doesn't affect the functionality, but it does make generating a test case a little harder. I might poke upstream to see what's going on. |
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
|
I've got a fix upstream for this knqyf263/go-rpmdb#58, which would populate a new |
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
This helps with more confident identification of an rpm.
In theory, two rpms can be built that have the same purl string, and otherwise look identical in syft's output, but the PGP information would distinguish them as signed either by different keys, or signed at different times.
In practice, this usually makes no difference since rpms tend to have unique name/version/release strings. This gives increased confidence about the identity of the rpm found in the db.