[Rpm-ecosystem] [PATCH v6 00/11] RPM: include and install file signatures

Mimi Zohar zohar at linux.vnet.ibm.com
Mon Jul 6 18:52:14 UTC 2015

This patch set, which includes file signatures in the RPM header
and installs them as security.ima extended attributes, was last posted

Since the patches were last posted, the patches were rebased, the
rpmsign man page macro example was updated, a couple of bugs as
noted in the patch descriptions were fixed and the RPM signature
header digests is now updated only as needed.


Prior cover letter:

IMA-appraisal, upstreamed in linux-3.7, enforces local file
integrity based on a known 'good' value stored as an extended
attribute 'security.ima'.  Labeling the filesystem is currently done
post install using a local private key.  Including file signatures
in the package provides not only file integrity, but file

This patch set extends the existing rpm signing tool to include file
signatures in packages, and adds a plugin that installs file
signatures using the psm_post hook.

There are new options to rpmsign - signfiles and fskpath.

rpm --addsign [--signfiles [--fskpath <file signing key>]]

Signfiles signs all the file digests included in the package with
libimaevm and stores the signatures in the package header under the
tag RPMTAG_FILESIGNATURES. The file signing key can be provided with
the option fskpath, or in a macro file with %_file_signing_key.

After including file signatures, the packages are signed normally.

When a package with signed files is installed, rpmfilesPopulate
extracts file signatures from the package header and stores them (in
binary) in rpmfiles struct. Then the ima plugin instantiates the
psm_post hook and writes the file signatures to security.ima xattr.

Changelog v5:
-config file signatures are filtered and not installed
-removed rpmfiFSignatureHex because it wasn't used
-added guard to file signature code in rpmfilesPopulate
-fixed whitespace in rpmfi.c
-reordered patches to fix dependencies

Changelog v4:
-split patch set into more patches
-added file signature interfaces to rpmfi
-fixed types and buffer sizes
-removed double logging of errors
-removed changes to API/ABI
-moved file signature installation to ima plugin
-removed support for inline signing of files

Changelog v3:
-split up patch

Changelog v2:
-support for inline signing of files
-command line option for file signing key
-include missing file
-fixed typo in rpmDigestAlgo

fin at linux.vnet.ibm.com (11):
  Refactor copyFile to not close files
  Export generateSignature
  Add rpmtags for file signatures and their length
  Subroutine for dumping immutable region of header
  Add support for file signatures to rpmfi and rpmfiles
  Configure option to build with imaevm support
  Add file signature support to rpmsign command
  Add file signature support to package signing
  Sign file digests and store signatures in header
  IMA plugin labels ima xattr with file signatures
  Documentation for file signing

 build/pack.c        |  90 +--------------------
 configure.ac        |   8 ++
 doc/rpmsign.8       |  32 +++++++-
 lib/Makefile.am     |   3 +-
 lib/rpmfi.c         |  45 ++++++++++-
 lib/rpmfi.h         |   8 ++
 lib/rpmfiles.h      |  10 +++
 lib/rpmsignfiles.c  | 126 +++++++++++++++++++++++++++++
 lib/rpmsignfiles.h  |  20 +++++
 lib/rpmtag.h        |   2 +
 lib/signature.c     |  87 ++++++++++++++++++++
 lib/signature.h     |  11 +++
 macros.in           |   1 +
 plugins/Makefile.am |   4 +
 plugins/ima.c       |  60 ++++++++++++++
 rpmpopt.in          |   1 +
 rpmsign.c           |  24 +++++-
 sign/rpmgensig.c    | 225 ++++++++++++++++++++++++++++++++++++++++++++++------
 sign/rpmsign.h      |   1 +
 19 files changed, 642 insertions(+), 116 deletions(-)
 create mode 100644 lib/rpmsignfiles.c
 create mode 100644 lib/rpmsignfiles.h
 create mode 100644 plugins/ima.c


More information about the Rpm-ecosystem mailing list