[Rpm-maint] [RFC v5 00/11] RPM: Include and install file signatures
walters at verbum.org
Fri Feb 20 20:31:14 UTC 2015
On Tue, Jan 27, 2015, at 10:04 AM, fin at linux.vnet.ibm.com wrote:
> IMA-appraisal, upstreamed in linux-3.7, enforces local file integrity based on
> a known 'good' value stored as an extended attribute 'security.ima'. Labeling
> the filesystem is currently done post install using a local private key.
> Including file signatures in the package provides not only file integrity, but
> file provenance.

This is interesting stuff, and it's a topic I've been thinking about quite a bit lately.
I definitely like the idea of being able to verify that the on-disk software state
matches what was signed.

The more I think about IMA though, it would seem to me to be significantly
cleaner if the system (really kernel) just disallowed modification of system files in the first
place, rather than asserting it externally.

OSTree tries to do this now with a read-only bind mount over /usr as well as
the immutable bit on /. A step further is:

Are you doing anything special with respect to RPM %config() files?