[Rpm-ecosystem] [PATCH v6 11/11] Documentation for file signing
Mimi Zohar
zohar at linux.vnet.ibm.com
Fri Jul 17 12:16:49 UTC 2015
On Fri, 2015-07-17 at 11:11 +0200, Florian Festi wrote:
> On 07/16/2015 03:18 PM, Mimi Zohar wrote:
> > On Wed, 2015-07-15 at 19:12 +0200, Florian Festi wrote:
> >> On 07/06/2015 08:52 PM, Mimi Zohar wrote:
> >>> From: "fin at linux.vnet.ibm.com" <fin at linux.vnet.ibm.com>
> >>>
> >>> This patch adds documentation for signing files.
> >>
> >>> @@ -52,7 +71,15 @@ using the executable \fI/usr/bin/gpg\fR you would include
> >>> in a macro configuration file. Use \fI/etc/rpm/macros\fR
> >>> for per-system configuration and \fI~/.rpmmacros\fR
> >>> for per-user configuration. Typically it's sufficient to set just %_gpg_name.
> >>> -
> >>> +.PP
> >>> +In addition, for signing the file digests and installing the file signatures
> >>> +as "security.ima" extended attributes, define the following macros.
> >>> +.PP
> >>> +.nf
> >>> +%__plugindir /usr/local/lib/rpm-plugins
> >>> +%_binary_filedigest_algorithm 8
> >>> +%_file_signing_key < private key pathname (PEM format) >
> >>> +.fi
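Review bot: In the added .nf block, "%__plugindir /usr/local/lib/rpm-plugins" hard-codes a path that depends on the build prefix, and "%_binary_filedigest_algorithm 8" gives a bare number without saying which digest it selects (8 is SHA-256 in rpm's hash algorithm numbering). Because the preceding sentence says "define the following macros", a reader copying the block could override values the system already defines. Suggest listing only %_file_signing_key here, naming the algorithm if the digest line stays, and adding a sentence that the PEM private key file should be readable only by the signing user.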
> >>
> >> I am not a big fan of this section. %__plugindir and
> >> %_binary_filedigest_algorithm should be defined already anyway and their
> >> value may differ for all kinds of reasons.
> >
> > We'll remove this section. The plugindir macro is not even needed for
> > signing files, just for installing the file signatures.
> >
> >> If %_file_signing_key is
> >> equivalent to --fskpath you should that it there.
> >
> > We can remove the --fskpath command line option, leaving just the macro
> > name.
>
> Sorry, should have been more clear. The --fskpath option is fine. The
> equivalence to %_file_signing_key is already explained in the
> --signfiles section.
>
> So just dropping this last section from the man page should be sufficient.
As we've already made this change, either way is fine. Do you have a
preference?
Mimi