Hi,

On Mon, Feb 13, 2017 at 12:50:07PM +0000, Caolán McNamara <caolanm@redhat.com> wrote:
> So, do we know enough that the customkeymanage part isn't necessary for any known normal use of xml signing, I mean if we disable it, or build against a system version that doesn't have it, that the uses we do know about continue to work. I could live with that for at least distro builds to flush out if there is some useful purpose to it.

Currently xmlsec1-noverify.patch.1 is a blocker for system-xmlsec, as all signatures created using non-trusted certificates will just show up as invalid signatures, while today there are different error messages for not trusted certificates and invalid signatures.

After the next upstream release (1.2.24) we could experiment with building against system-xmlsec, I *think* the common "sign with a software X509 certificate / verify the signature" scenario should work just fine.

Regards,

Miklos