On Apr 21, 2009, at 6:10 PM, Jeff Johnson wrote: > > > Its easy enough to create a reproducer: > > 1) build some package > 2) use dd to truncate some of the payload. > 3) sign the package > 3) verify the signature. > If this reproduces the issue, I can pretty easily send you a patch that compares before and after header+payload MD5 digest and warns/errors if the two values do not match while signing. 73 de Jeff