author Panu Matilainen <pmatilai@redhat.com> 2017-03-01 15:03:55 +0200
committer Panu Matilainen <pmatilai@redhat.com> 2017-03-01 15:38:34 +0200
commit 91aa0786cf3b2e34de01c586427952de6d0d9b40
tree dc4f64f4764d3f3d46b14a742a48258ab598620f /tests/rpmgeneral.at
parent 7d1a303c456ce459cf550e8154fa4b6f29012b05
Implement a digest on the compressed payload content (#163)
There needs to be a way to verify the payload before trying to uncompress and unpack it:
- We have digests on the contents of individual files, but detecting corruption in middle of installation, after all sorts of scripts might have already run, is no good at all
- Compression libraries have vulnerabilities of their own
- The RPMv3 digest covering the payload is the obsolete MD5, and furthermore it covers the header AND the payload, which is extremely cumbersome to begin with but also vulnerable because it's in the unprotected signature header.

This adds two tags: one for the actual digest, and another for the algorithm, much like with filedigests. The digest tag is specified as a string array to leave room for future expansion: the idea is that there could be intermediate snapshots over the payload, and the last one is always on the entire payload, so an array of just one is compatible with this specification.

Getting the digest into the main header is fairly complicated since the package format on-disk is exactly in the opposite order of how we need to write things there, add a lengthy comment to writeRPM() to explain. The MD5 digest needs to die, really - it forces a second read over the entire header + payload for what is practically worthless hash.

Note that there's no code to actually verify this digest at the moment, nor is there a way to configure the used algorithm, SHA256 is used as the default for now.
Diffstat (limited to 'tests/rpmgeneral.at')
-rw-r--r-- tests/rpmgeneral.at 2
1 files changed, 2 insertions, 0 deletions
diff --git a/tests/rpmgeneral.at b/tests/rpmgeneral.at
index 22c483e3a..60f5efe70 100644
--- a/tests/rpmgeneral.at
+++ b/tests/rpmgeneral.at
@@ -189,6 +189,8 @@ PATCHESFLAGS
PATCHESNAME
PATCHESVERSION
PAYLOADCOMPRESSOR
+PAYLOADDIGEST
+PAYLOADDIGESTALGO
PAYLOADFLAGS
PAYLOADFORMAT
PKGID
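Review bot: The two names added after PAYLOADCOMPRESSOR only extend the expected tag-name listing, so in this file the check is that PAYLOADDIGEST and PAYLOADDIGESTALGO are registered and sort into place, not that a built package carries a digest matching its compressed payload. Since the commit message says SHA256 is the default and that nothing verifies the digest yet, a test that builds a package, queries both tags, and compares the PAYLOADDIGEST value with a SHA256 computed independently over the payload would catch a writeRPM() ordering mistake that this listing cannot. It would also be worth asserting that PAYLOADDIGEST comes back as a one-element array, since the message specifies a string array whose last entry covers the entire payload.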