[Rpm-maint] [RFC PATCH v3 0/4] Include and install file signatures

Mimi Zohar zohar at linux.vnet.ibm.com
Mon Oct 13 17:48:08 UTC 2014


On Tue, 2014-10-07 at 15:19 -0500, fin at linux.vnet.ibm.com wrote: 
> From: Fionnuala Gunter <fin at linux.vnet.ibm.com>
> 
> The Linux kernel's ima-appraisal module verifies file signatures. The problem 
> with verifying digital signatures of files is how the files are signed in the 
> first place. In our current prototype, we sign all files after system 
> installation, but this doesn't handle ongoing updates. We propose that Linux 
> distributors sign all files as part of the normal package signing. RPM already 
> maintains hashes of all files in the rpm package, and this can be extended to 
> add file signatures.
> 
> This patch set extends the rpm signing tool to include file signatures in 
> packages, and extends the rpm install tool to install file signatures.

Splitting up the patches like this looks a lot better!

thanks,

Mimi

> Changelog v2: 
> -support for inline signing of files
> -command line option for file signing key
> -included missing file
> -fixed type in rpmDigestAlgo
> 
> Changelog v3:
> -split up patch
> 
> Fionnuala Gunter (4):
>   Add file signature to fsm_file_post parameter list
>   Sign package files and include signatures in package header
>   Label ima xattr when signed files are installed
>   Sign package files during installation
> 
>  configure.ac         |   8 ++
>  doc/rpm.8            |  28 +++--
>  doc/rpmsign.8        |  22 +++-
>  lib/Makefile.am      |   3 +-
>  lib/fsm.c            |  68 ++++++++++-
>  lib/poptI.c          |   7 ++
>  lib/rpmcli.h         |   2 +
>  lib/rpminstall.c     |  10 +-
>  lib/rpmplugin.h      |   3 +-
>  lib/rpmplugins.c     |   5 +-
>  lib/rpmplugins.h     |   4 +-
>  lib/rpmsignfiles.c   | 130 +++++++++++++++++++++
>  lib/rpmsignfiles.h   |  45 ++++++++
>  lib/rpmtag.h         |   1 +
>  lib/rpmts.c          |  15 +++
>  lib/rpmts.h          |  15 +++
>  lib/rpmts_internal.h |   2 +
>  macros.in            |   1 +
>  plugins/Makefile.am  |   4 +
>  plugins/ima.c        |  83 ++++++++++++++
>  rpmpopt.in           |   1 +
>  rpmsign.c            |  14 ++-
>  sign/rpmgensig.c     | 319 +++++++++++++++++++++++++++++++++++++++++++++++----
>  sign/rpmsign.h       |   7 +-
>  24 files changed, 750 insertions(+), 47 deletions(-)
>  create mode 100644 lib/rpmsignfiles.c
>  create mode 100644 lib/rpmsignfiles.h
>  create mode 100644 plugins/ima.c
> 
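The cover letter describes two halves of the mechanism: at signing time the per-file digests rpm already records are signed and the signatures are stored in the package header, and at install time the installer writes each signature into the file's `security.ima` xattr so that ima-appraisal can verify it. The following is an added example, not code from the patch set or from rpm: it builds and validates the xattr value in the layout the kernel's IMA code expects for a version-2 digital signature (type byte `EVM_IMA_XATTR_DIGSIG`, version, hash algorithm, 32-bit key id, 16-bit signature length, signature). The key id and signature bytes are constructed placeholders; a real package would carry a signature produced by the signing key, and `label_installed_file` needs `CAP_SYS_ADMIN` to write a `security.*` xattr, so it is shown but not called here.

```python
"""Encode, parse and (optionally) apply the security.ima signature xattr.

Added illustration of the install-time step in the patch series; not the
rpm project's code.  The header layout mirrors the kernel's packed
struct signature_v2_hdr; the signature and key id used below are
constructed placeholders, not real cryptographic values.
"""
import hashlib
import os
import struct

EVM_IMA_XATTR_DIGSIG = 0x03   # xattr type: digital signature over the file hash
SIG_VERSION_V2 = 0x02         # signature_v2_hdr format
HASH_ALGO_SHA256 = 4          # kernel enum hash_algo value for sha256

# type(u8) version(u8) hash_algo(u8) keyid(be32) sig_size(be16); packed, 9 bytes
HDR = struct.Struct(">BBBIH")


def file_digest(data: bytes) -> bytes:
    """The per-file digest rpm already keeps in its header; here sha256."""
    return hashlib.sha256(data).digest()


def encode_ima_sig_xattr(hash_algo: int, keyid: int, signature: bytes) -> bytes:
    """Wrap a raw signature in the v2 header that IMA appraisal parses."""
    if not 0 <= hash_algo <= 0xFF:
        raise ValueError("hash_algo does not fit in one byte")
    if not 0 <= keyid <= 0xFFFFFFFF:
        raise ValueError("keyid does not fit in 32 bits")
    if len(signature) == 0 or len(signature) > 0xFFFF:
        raise ValueError("signature length must be 1..65535 bytes")
    return HDR.pack(EVM_IMA_XATTR_DIGSIG, SIG_VERSION_V2,
                    hash_algo, keyid, len(signature)) + signature


def parse_ima_sig_xattr(value: bytes) -> dict:
    """Validate an xattr value before writing it; reject malformed records."""
    if len(value) < HDR.size:
        raise ValueError("truncated signature header")
    xtype, version, hash_algo, keyid, sig_size = HDR.unpack_from(value)
    if xtype != EVM_IMA_XATTR_DIGSIG:
        raise ValueError("not a digital-signature xattr (type 0x%02x)" % xtype)
    if version != SIG_VERSION_V2:
        raise ValueError("unsupported signature version %d" % version)
    signature = value[HDR.size:]
    if len(signature) != sig_size:
        raise ValueError("sig_size %d does not match payload %d"
                         % (sig_size, len(signature)))
    return {"hash_algo": hash_algo, "keyid": keyid, "signature": signature}


def label_installed_file(path: str, value: bytes,
                         name: str = "security.ima") -> None:
    """Install-time step: attach the validated signature to the file.

    Writing security.ima requires CAP_SYS_ADMIN; pass name="user.ima.test"
    to exercise the call on a scratch file without privileges.
    """
    parse_ima_sig_xattr(value)          # never write a record IMA would reject
    os.setxattr(path, name, value)      # Linux-only call


if __name__ == "__main__":
    # Constructed placeholder: a 256-byte "signature" and an arbitrary key id.
    fake_sig = bytes(range(256))
    blob = encode_ima_sig_xattr(HASH_ALGO_SHA256, 0x12345678, fake_sig)
    print("xattr value is %d bytes, header %s" % (len(blob), blob[:9].hex()))
    print(parse_ima_sig_xattr(blob)["keyid"] == 0x12345678)
```

At package-build time the signer would run `file_digest` over each payload file, sign that digest, and store the result in a new header tag alongside the existing file-digest tag; at install time the plugin validates the stored blob with `parse_ima_sig_xattr` and hands it to `label_installed_file`. Rejecting a bad `sig_size` or unknown type before calling `setxattr` keeps a corrupted header from leaving files labelled with values the kernel will refuse at appraisal.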