[Rpm-maint] [RFC PATCH v2] Include and install file signatures

Mimi Zohar zohar at linux.vnet.ibm.com
Mon Sep 29 21:55:57 UTC 2014


On Fri, 2014-08-29 at 12:33 -0500, fin at linux.vnet.ibm.com wrote: 
> From: Fionnuala Gunter <fin at linux.vnet.ibm.com>
> 
> IMA-appraisal, upstreamed in linux-3.7, enforces local file integrity based on 
> a known 'good' value stored as an extended attribute 'security.ima'. Labeling the
> filesystem is currently done post install using a local private key. Including 
> file signatures in the package provides not only file integrity, but file 
> provenance.
> 
> This patch extends the existing rpm signing tool to sign package files and 
> include them in the package header. It defines a tag RPMTAG_FILESIGNATURES, an 
> RPM macro %_file_signing_key, new options --fskpath, --signfiles, and an IMA 
> plugin.
> 
> rpm --addsign [--signfiles] PACKAGE_FILE ...
> 
> The new option to rpmsign signs all the file digests included in the package. 
> When a package is signed with the new option, the file digests are signed using 
> libimaevm and the key %_file_sign_key. The resulting signatures are included in
> the package header as an RPMTAG_FILESIGNATURES tag. Since the header is 
> modified, the SHA1 and MD5 digests of the header are recalculated and inserted 
> in the signature header.
> 
> After including the file signatures with the new option, the packages are signed
> normally.
> 
> When a package with signed files is installed, the file signatures are extracted
> from the package header, and the IMA plugin writes the file signatures as 
> security.ima extended attributes. The IMA plugin instantiates the fsm_file_post
> but the parameter list was modified to include the file signature.
> 
> Package files can also be signed during install with the new option --signfiles.
> 
> rpm -i [--signfiles] PACKAGE_FILE ...
> 
> v2: Added --signfiles option to rpminstall. File signing key can be configured
> on the command line with --fskpath. Added missing file (plugins/ima.c). Fixed 
> typo in rpmDigestAlgo.
> 
> Signed-off-by: Fionnuala Gunter <fin at linux.vnet.ibm.com>

Thanks, Fin! Sorry for the long delay in commenting.  Perhaps this patch
could be broken up a bit into smaller, more manageable pieces?  Perhaps
something like:

- Include file signatures in RPM header
- IMA fsm_file_post plugin hook changes
- Install file signatures from RPM header
- Support local file signing on package install

thanks,

Mimi
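
Added example, not part of the original message or of the patch: a post-install check that tells a signed security.ima value (provenance) from a bare hash or a missing label. It assumes the xattr uses the Linux kernel's v2 signature header layout (struct signature_v2_hdr); the paths, key id and byte values are constructed.

```python
import struct

# Assumed layout (kernel struct signature_v2_hdr), multi-byte fields big-endian:
#   type(1) version(1) hash_algo(1) keyid(4) sig_size(2) sig[sig_size]
HDR = struct.Struct(">BBBIH")
EVM_IMA_XATTR_DIGSIG = 0x03  # xattr holds a signature, not a bare hash
HASH_ALGOS = {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}


def parse_ima_sig(xattr: bytes) -> dict:
    """Parse a security.ima value; raise ValueError unless it is a v2 signature."""
    if len(xattr) < HDR.size:
        raise ValueError("truncated header")
    xtype, version, algo, keyid, sig_size = HDR.unpack_from(xattr)
    if xtype != EVM_IMA_XATTR_DIGSIG:
        raise ValueError(f"not a signature (xattr type 0x{xtype:02x})")
    if version != 2:
        raise ValueError(f"unsupported signature version {version}")
    if algo not in HASH_ALGOS:
        raise ValueError(f"unknown hash algorithm id {algo}")
    if sig_size != len(xattr) - HDR.size:
        raise ValueError("sig_size does not match xattr length")
    return {"hash": HASH_ALGOS[algo], "keyid": f"{keyid:08x}", "sig_len": sig_size}


def audit(xattrs: dict) -> dict:
    """Map each path to 'signed:<keyid>', 'unlabeled' or 'rejected: <reason>'."""
    report = {}
    for path, value in xattrs.items():
        if value is None:
            report[path] = "unlabeled"
            continue
        try:
            report[path] = "signed:" + parse_ima_sig(value)["keyid"]
        except ValueError as err:
            report[path] = f"rejected: {err}"
    return report


# Constructed samples; on a live system read os.getxattr(path, "security.ima").
SAMPLES = {
    "/usr/bin/signed": HDR.pack(3, 2, 4, 0x1A2B3C4D, 256) + b"\xaa" * 256,
    "/usr/bin/hash-only": b"\x01" + b"\x11" * 20,  # bare digest, no provenance
    "/usr/bin/cut-short": HDR.pack(3, 2, 4, 0x1A2B3C4D, 256) + b"\xaa" * 100,
    "/usr/bin/no-xattr": None,
}

if __name__ == "__main__":
    for path, status in audit(SAMPLES).items():
        print(f"{path}: {status}")
```

This only checks the structure of the label; verifying the signature itself still requires the public key matching the key id.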


