[Rpm-ecosystem] [PATCH v6 00/11] RPM: include and install file signatures

Lubos Kardos lkardos at redhat.com
Fri Jul 17 08:04:14 UTC 2015


Maybe it would be nice to have the possibility to sign files without signing
a package. Often different people are responsible for different parts of
the process of creating a package. Private keys for signing files and signing
a package are different and maybe a man who will be responsible for signing
files won't have access to a private key to sign the whole package. But I don't
know how signing files will be used, if it will be used, just an idea.

Another thing that I am thinking about is to have a separate tool for signing
files and not having signing files in rpmsign. Also writing signatures into
xattr is in a plugin and not in core rpm. Signing files also brings a new
dependency on libimaevm into rpmsign. If we had a separate tool for signing
files then this separate tool could be in a separate package. So if you didn't
want to sign files then you wouldn't need to install the package with the tool
for signing files and you wouldn't need to install the libimaevm dependency.

But these are just thoughts. Florian, what do you think?

Lubos

----- Original Message -----
> From: "Mimi Zohar" <zohar at linux.vnet.ibm.com>
> To: rpm-ecosystem at lists.rpm.org
> Cc: "Fionnuala Gunter" <fionnuala.gunter at gmail.com>
> Sent: Monday, July 6, 2015 8:52:14 PM
> Subject: [Rpm-ecosystem] [PATCH v6 00/11] RPM: include and install file signatures
> 
> This patch set, which includes file signatures in the RPM header
> and installs them as security.ima extended attributes, was last posted at
> http://lists.rpm.org/pipermail/rpm-maint/2015-January/003842.html.
> 
> Since the patches were last posted, the patches were rebased, the
> rpmsign man page macro example was updated, a couple of bugs as
> noted in the patch descriptions were fixed and the RPM signature
> header digests are now updated only as needed.
> 
> Mimi
> 
> Prior cover letter:
> ------------------
> 
> IMA-appraisal, upstreamed in linux-3.7, enforces local file
> integrity based on a known 'good' value stored as an extended
> attribute 'security.ima'.  Labeling the filesystem is currently done
> post install using a local private key.  Including file signatures
> in the package provides not only file integrity, but file
> provenance.
> 
> This patch set extends the existing rpm signing tool to include file
> signatures in packages, and adds a plugin that installs file
> signatures using the psm_post hook.
> 
> There are new options to rpmsign - signfiles and fskpath.
> 
> rpm --addsign [--signfiles [--fskpath <file signing key>]]
> PACKAGE_FILE ...
> 
> Signfiles signs all the file digests included in the package with
> libimaevm and stores the signatures in the package header under the
> tag RPMTAG_FILESIGNATURES. The file signing key can be provided with
> the option fskpath, or in a macro file with %_file_signing_key.
> 
> After including file signatures, the packages are signed normally.
> 
> When a package with signed files is installed, rpmfilesPopulate
> extracts file signatures from the package header and stores them (in
> binary) in rpmfiles struct. Then the ima plugin instantiates the
> psm_post hook and writes the file signatures to security.ima xattr.
> 
> Changelog v5:
> -config file signatures are filtered and not installed
> -removed rpmfiFSignatureHex because it wasn't used
> -added guard to file signature code in rpmfilesPopulate
> -fixed whitespace in rpmfi.c
> -reordered patches to fix dependencies
> 
> Changelog v4:
> -split patch set into more patches
> -added file signature interfaces to rpmfi
> -fixed types and buffer sizes
> -removed double logging of errors
> -removed changes to API/ABI
> -moved file signature installation to ima plugin
> -removed support for inline signing of files
> 
> Changelog v3:
> -split up patch
> 
> Changelog v2:
> -support for inline signing of files
> -command line option for file signing key
> -include missing file
> -fixed typo in rpmDigestAlgo
> 
> fin at linux.vnet.ibm.com (11):
>   Refactor copyFile to not close files
>   Export generateSignature
>   Add rpmtags for file signatures and their length
>   Subroutine for dumping immutable region of header
>   Add support for file signatures to rpmfi and rpmfiles
>   Configure option to build with imaevm support
>   Add file signature support to rpmsign command
>   Add file signature support to package signing
>   Sign file digests and store signatures in header
>   IMA plugin labels ima xattr with file signatures
>   Documentation for file signing
> 
>  build/pack.c        |  90 +--------------------
>  configure.ac        |   8 ++
>  doc/rpmsign.8       |  32 +++++++-
>  lib/Makefile.am     |   3 +-
>  lib/rpmfi.c         |  45 ++++++++++-
>  lib/rpmfi.h         |   8 ++
>  lib/rpmfiles.h      |  10 +++
>  lib/rpmsignfiles.c  | 126 +++++++++++++++++++++++++++++
>  lib/rpmsignfiles.h  |  20 +++++
>  lib/rpmtag.h        |   2 +
>  lib/signature.c     |  87 ++++++++++++++++++++
>  lib/signature.h     |  11 +++
>  macros.in           |   1 +
>  plugins/Makefile.am |   4 +
>  plugins/ima.c       |  60 ++++++++++++++
>  rpmpopt.in          |   1 +
>  rpmsign.c           |  24 +++++-
>  sign/rpmgensig.c    | 225 ++++++++++++++++++++++++++++++++++++++++++++++------
>  sign/rpmsign.h      |   1 +
>  19 files changed, 642 insertions(+), 116 deletions(-)
>  create mode 100644 lib/rpmsignfiles.c
>  create mode 100644 lib/rpmsignfiles.h
>  create mode 100644 plugins/ima.c
> 
> --
> 2.1.0
> 
> _______________________________________________
> Rpm-ecosystem mailing list
> Rpm-ecosystem at lists.rpm.org
> http://lists.rpm.org/mailman/listinfo/rpm-ecosystem
> 
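
An added example, not part of the thread or of the patch set: a small C parser that checks whether a security.ima value, such as the ima plugin described above writes, is a signature rather than a bare hash, and reports the signing key id. The byte layout is the kernel's IMA signature v2 format, which the thread does not spell out; the function names and sample bytes are made up for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout taken from the kernel's IMA sources, not from this thread:
 * [0] xattr type (0x03 = EVM_IMA_XATTR_DIGSIG), then signature_v2_hdr:
 * [1] version, [2] hash_algo, [3..6] keyid, [7..8] sig_size (big endian),
 * followed by sig_size bytes of signature. */
enum { IMA_DIGSIG = 0x03, IMA_SIG_V2 = 2, IMA_HDR_LEN = 9 };
enum ima_rc { IMA_OK, IMA_TRUNCATED, IMA_NOT_DIGSIG, IMA_BAD_VERSION, IMA_BAD_LENGTH };

struct ima_sig { uint8_t hash_algo; uint32_t keyid; uint16_t sig_size; };

/* Validate one security.ima value and extract the signer key id. */
enum ima_rc ima_sig_parse(const uint8_t *b, size_t len, struct ima_sig *out)
{
    if (len < 1) return IMA_TRUNCATED;
    if (b[0] != IMA_DIGSIG) return IMA_NOT_DIGSIG;   /* e.g. 0x01: bare hash */
    if (len < IMA_HDR_LEN) return IMA_TRUNCATED;
    if (b[1] != IMA_SIG_V2) return IMA_BAD_VERSION;
    out->hash_algo = b[2];
    out->keyid = (uint32_t)b[3] << 24 | (uint32_t)b[4] << 16 |
                 (uint32_t)b[5] << 8 | b[6];
    out->sig_size = (uint16_t)(b[7] << 8 | b[8]);
    /* The declared size must match the bytes actually present. */
    if ((size_t)out->sig_size != len - IMA_HDR_LEN) return IMA_BAD_LENGTH;
    return IMA_OK;
}

/* Constructed samples: key id and signature bytes are made up. */
static const uint8_t sample_sig[]  = { 0x03, 0x02, 0x04, 0xde, 0xad, 0xbe, 0xef,
                                       0x00, 0x04, 0xaa, 0xbb, 0xcc, 0xdd };
static const uint8_t sample_hash[] = { 0x01, 0x11, 0x22, 0x33, 0x44, 0x55,
                                       0x66, 0x77, 0x88, 0x99 };

/* Return the key id of a valid signature, or 0 if the value is not one. */
uint32_t ima_sig_keyid(const uint8_t *b, size_t len)
{
    struct ima_sig s;
    return ima_sig_parse(b, len, &s) == IMA_OK ? s.keyid : 0;
}

int main(void)
{
    struct ima_sig s = { 0, 0, 0 };
    printf("signed file: keyid %08x\n",
           (unsigned)ima_sig_keyid(sample_sig, sizeof sample_sig));
    printf("hash-only file: rc %d\n",
           (int)ima_sig_parse(sample_hash, sizeof sample_hash, &s));
    return 0;
}
```

Run over the xattr values of installed files, a check like this separates files carrying a package-supplied signature from files that were only labeled with a local hash.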

