On Apr 21, 2009, at 6:10 PM, Jeff Johnson wrote:
It's easy enough to create a reproducer:
- build some package
- use dd to truncate some of the payload.
- sign the package
- verify the signature.
If this reproduces the issue, I can pretty easily send you a patch that compares before and after header+payload MD5 digest and warns/errors if the two values do not match while signing.
73 de Jeff
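
A sketch of the pre-signing check described in the message above, as an added example (not Jeff Johnson's patch and not rpm's own code): it reads the header+payload MD5 recorded in the signature header and compares it with a digest of the bytes actually present. The layout constants (96-byte lead, signature tag 1004, 8-byte padding) are assumptions about the RPM v3/v4 file format, the function names are hypothetical, and the sample blob is constructed.

```python
import hashlib
import struct

HEADER_MAGIC = b"\x8e\xad\xe8\x01"
RPMSIGTAG_MD5 = 1004   # assumed: header+payload MD5 tag in the signature header
LEAD_SIZE = 96         # assumed: fixed-size lead preceding the signature header

def build_sample(body):
    """Constructed minimal RPM-shaped blob: lead, signature header, body."""
    digest = hashlib.md5(body).digest()
    index = struct.pack(">IIII", RPMSIGTAG_MD5, 7, 0, 16)  # type 7 = BIN
    sig = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", 1, 16) + index + digest
    sig += b"\0" * (-len(sig) % 8)  # signature header is padded to 8 bytes
    return b"\xed\xab\xee\xdb" + b"\0" * (LEAD_SIZE - 4) + sig + body

def stored_and_actual_md5(blob):
    """Return (stored, actual) MD5 digests of the header+payload region."""
    pos = LEAD_SIZE
    if len(blob) < pos + 16 or blob[pos:pos + 4] != HEADER_MAGIC:
        raise ValueError("signature header not found")
    nindex, hsize = struct.unpack(">II", blob[pos + 8:pos + 16])
    index_start = pos + 16
    store_start = index_start + 16 * nindex
    stored = None
    for i in range(nindex):
        entry = blob[index_start + 16 * i:index_start + 16 * (i + 1)]
        tag, _type, offset, count = struct.unpack(">IIII", entry)
        if tag == RPMSIGTAG_MD5:
            stored = blob[store_start + offset:store_start + offset + count]
    if stored is None:
        raise ValueError("no MD5 tag in signature header")
    sig_size = 16 + 16 * nindex + hsize
    sig_size += -sig_size % 8
    actual = hashlib.md5(blob[pos + sig_size:]).digest()
    return stored, actual

def safe_to_sign(blob):
    """True only if the recorded digest still matches the bytes on disk."""
    stored, actual = stored_and_actual_md5(blob)
    return stored == actual

if __name__ == "__main__":
    intact = build_sample(b"header+payload bytes " * 10)
    truncated = intact[:-32]  # same effect as cutting the payload with dd
    print("intact:", safe_to_sign(intact))
    print("truncated:", safe_to_sign(truncated))
```
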