[Rpm-ecosystem] [PATCH v6 00/11] RPM: include and install file signatures
Mimi Zohar
zohar at linux.vnet.ibm.com
Wed Jul 15 18:30:57 UTC 2015
On Wed, 2015-07-15 at 19:29 +0200, Florian Festi wrote:
> Sorry, it took me a while to find the time to review the patches. So far
> things look pretty good.
Great!
> I wonder if we are still missing some kind of tool to verify the
> signatures (guess this is done by the kernel) or the existance of the
> signatures (which probably cannot be done by the kernel). May be rpm -V
> should check if the signatures are still there.
IMA is definitely xattr aware. Depending on the policy, IMA behaves
differently when a file's xattr contains a signature vs. a hash.
The ima-evm-utils package has options for verifying the signature. We
might need to move the code around a bit to make it accessible to other
applications.
> But this is not a show stopper in any way.
Thanks!
> For me the patchset looks (beside the minor nitpits) ready for inclusion
> into HEAD. I plan to do an alpha release for rpm-4.13 soonish.
Ok, I'll fix and repost the patches, hopefully, this week.
> Anything you still want to do before the code goes in?
I realize you just removed supplying the passphrase option from the
rpmsign command line. Having to supply a password for each file is not
exactly user friendly. So instead of providing a command line option
for the file signing password, I was thinking of allowing the password
to be piped into rpmsign. The first patch would allow the password to
be piped to the rpmsign command. For example,
{ echo "SETDESC password:"; l echo "GETPIN"; } | pinentry | sed -n 's^D //p' | rpmsign ....
which is kind of ugly. So the second patch would create a pipe using
popen to prompt for the password. I'll post these two patches
independently for your review.
Thanks, I really appreciate your upstreaming these patches!
Mimi
More information about the Rpm-ecosystem
mailing list