Jeff Johnson wrote:
> On Apr 21, 2009, at 6:10 PM, Jeff Johnson wrote:
>
>>
>> It's easy enough to create a reproducer:
>>
>> 1) build some package
>> 2) use dd to truncate some of the payload.
>> 3) sign the package
>> 3) verify the signature.
>>
>
> If this reproduces the issue, I can pretty easily send you a
> patch that compares before and after header+payload MD5 digest
> and warns/errors if the two values do not match while signing.

Then you'd have to send to the upstream rpm, but I'd be more happy to
fix #495689 and be able to use 5.3's rpm with mock-0.9 instead of 5.2's
rpm:-)

--
Levente "Si vis pacem para bellum!"
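
The digest comparison discussed in this thread, sketched as an added example (not rpm's code and not the patch offered above). It assumes "before" means the header+payload MD5 already recorded in the signature header (tag 1004) and "after" means the digest computed at signing time; the function names and the sample package bytes are constructed for illustration.

```python
import hashlib
import struct

LEAD_SIZE = 96                   # fixed-size RPM lead
HDR_MAGIC = b"\x8e\xad\xe8\x01"  # header structure magic
RPMSIGTAG_MD5 = 1004             # signature-header tag: MD5 of header+payload
RPM_BIN_TYPE = 7

def parse_signature(pkg):
    """Return ({tag: (offset, count)}, data store, offset where header+payload starts)."""
    if pkg[LEAD_SIZE:LEAD_SIZE + 4] != HDR_MAGIC:
        raise ValueError("signature header magic not found")
    nindex, hsize = struct.unpack(">II", pkg[LEAD_SIZE + 8:LEAD_SIZE + 16])
    index_at = LEAD_SIZE + 16
    store_at = index_at + 16 * nindex
    tags = {}
    for i in range(nindex):
        tag, _typ, offset, count = struct.unpack_from(">IIII", pkg, index_at + 16 * i)
        tags[tag] = (offset, count)
    end = store_at + hsize
    end += -end % 8              # signature header is padded to 8 bytes
    return tags, pkg[store_at:store_at + hsize], end

def digest_check(pkg):
    """Compare the MD5 recorded in the package with one computed now.

    Returns (matches, stored_hex, computed_hex)."""
    tags, store, body_at = parse_signature(pkg)
    offset, count = tags[RPMSIGTAG_MD5]
    stored = store[offset:offset + count].hex()
    computed = hashlib.md5(pkg[body_at:]).hexdigest()
    return stored == computed, stored, computed

def make_sample(body):
    """Constructed stand-in for a package: lead + one-tag signature header + body."""
    lead = b"\xed\xab\xee\xdb" + bytes(LEAD_SIZE - 4)
    index = struct.pack(">IIII", RPMSIGTAG_MD5, RPM_BIN_TYPE, 0, 16)
    sig = HDR_MAGIC + bytes(4) + struct.pack(">II", 1, 16) + index + hashlib.md5(body).digest()
    return lead + sig + body

SAMPLE = make_sample(HDR_MAGIC + b"constructed header and payload bytes " * 8)
TRUNCATED = SAMPLE[:-64]         # what step 2 (dd) does to the payload

if __name__ == "__main__":
    for name, pkg in (("intact", SAMPLE), ("truncated", TRUNCATED)):
        ok, stored, computed = digest_check(pkg)
        print(f"{name}: {'ok' if ok else 'MISMATCH, refuse to sign'} stored={stored} computed={computed}")
```

A signer that runs this check first would stop at the truncated file instead of producing a fresh signature over damaged contents.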