[Rpm-maint] [PATCH 4/4] Sign package files during installation

Dmitry Kasatkin dmitry.kasatkin at gmail.com
Thu Oct 23 17:09:20 UTC 2014


On 23 October 2014 19:34, Fionnuala Gunter <fin at linux.vnet.ibm.com> wrote:
>
>
> On 10/23/2014 02:24 AM, Dmitry Kasatkin wrote:
>> On 22/10/14 21:42, Fionnuala Gunter wrote:
>>>>> @@ -964,12 +993,22 @@ int rpmPackageFilesInstall(rpmts ts, rpmte te, rpmfiles files,
>>>>>    if (rc)
>>>>>        *failedFile = xstrdup(fpath);
>>>>>
>>>>> -  /* get file signatures from header */
>>>>> -  if (sb.st_mode & (S_IXUSR|S_IXGRP|S_IXOTH)) {
>>>>> +  /* sign executable files */
>>>>> +  if (sb.st_mode & (S_IXUSR|S_IXGRP|S_IXOTH) && signFiles) {
>>>>> +      digest = rpmtdNextString(&digests);
>>>>> +      sig = signFile(algo, digest, diglen, key);
>>>> Why do you sign only executables?
>>>>
>>>>> +      if (!sig) {
>>>>> +          rpmlog(RPMLOG_ERR, _("signFile failed\n"));
>>>>> +          goto exit;
>>>>> +      }
>>>>> +  }
>>>>> +  /* or get file signatures from header */
>>>>> +  else if (sb.st_mode & (S_IXUSR|S_IXGRP|S_IXOTH)) {
>>>>>        sig = rpmtdNextString(&sigs);
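Review bot: in the `signFiles` branch, `digest = rpmtdNextString(&digests);` runs only for files with an execute bit, so if `digests` carries one entry per package file, the iterator falls out of step with the file loop after the first non-executable file and `signFile()` is handed another file's digest. Fetch the digest by the current file's index, or advance `digests` once per file outside the mode test; the same applies to `rpmtdNextString(&sigs)` in the `else if` branch. Also check `digest` for NULL before calling `signFile()`, include `fpath` in the `signFile failed` message, and set `rc` to a failure value before `goto exit`, since the visible lines do not set it on that path.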
>>>> Also here...  It only sets signature for executables??
>>> Right, I only set signatures for executables, should I set signatures
>>> for all files?
>>>> - Dmitry
>>
>> I understand that it was a safe bet that binaries can always have a signature.
>> What about libraries or maybe some important configuration file which
>> would have a signature..
>> Files which can be modified should not have a signature.
>>
>> Signatures should be set for all files in the package which has a signature.
>> Package maintainer should be able to select what files to sign or not
>> to sign...
>>
>> I think it has to be addressed before it can be really used.
> This is a good point, so the files needing signatures should be
> enumerated by the package maintainer. Perhaps this can be done in the
> rpm spec.
>
> -Fin
>>

Yes, something like that..

I am not an expert in package managers, but if I take a code snippet from
ima-evm-utils.spec, then there are rules to specify files to include in the package,
like:

%files
%defattr(-,root,root,-)
%{_bindir}/*
%{_libdir}/libimaevm.*
%{_includedir}/*

There should be some way to specify what should be signed, for example:

%sign
%{_etcdir}/path/to/config
%{_bindir}/*


But maybe RPM maintainers might comment...

Thanks,
Dmitry

>> - Dmitry
>>
>>
>>> Thanks,
>>> Fin
>>>
>>>
>>
>



-- 
Thanks,
Dmitry

