[Rpm-ecosystem] [PATCH v6 00/11] RPM: include and install file signatures

Mimi Zohar zohar at linux.vnet.ibm.com
Wed Jul 15 18:30:57 UTC 2015


On Wed, 2015-07-15 at 19:29 +0200, Florian Festi wrote:
> Sorry, it took me a while to find the time to review the patches. So far
> things look pretty good.

Great!

> I wonder if we are still missing some kind of tool to verify the
> signatures (guess this is done by the kernel) or the existance of the
> signatures (which probably cannot be done by the kernel). May be rpm -V
> should check if the signatures are still there. 

IMA is definitely xattr aware.  Depending on the policy, IMA behaves
differently when a file's xattr contains a signature vs. a hash.

The ima-evm-utils package has options for verifying the signature.  We
might need to move the code around a bit to make it accessible to other
applications.

> But this is not a show stopper in any way.

Thanks!

> For me the patchset looks (beside the minor nitpits) ready for inclusion
> into HEAD.  I plan to do an alpha release for rpm-4.13 soonish. 

Ok, I'll fix and repost the patches, hopefully, this week.

> Anything you still want to do before the code goes in?

I realize you just removed supplying the passphrase option from the
rpmsign command line.  Having to supply a password for each file is not
exactly user friendly.  So instead of providing a command line option
for the file signing password, I was thinking of allowing the password
to be piped into rpmsign.  The first patch would allow the password to
be piped to the rpmsign command.  For example, 

{ echo "SETDESC password:";  l echo "GETPIN"; } | pinentry | sed -n 's^D //p' | rpmsign ....

which is kind of ugly.  So the second patch would create a pipe using
popen to prompt for the password.  I'll post these two patches
independently for your review.

Thanks, I really appreciate your upstreaming these patches!

Mimi



More information about the Rpm-ecosystem mailing list