[Rpm-maint] [RFC PATCH v3 0/4] Include and install file signatures
fin at linux.vnet.ibm.com
Tue Oct 7 20:19:14 UTC 2014
From: Fionnuala Gunter <fin at linux.vnet.ibm.com>
The Linux kernel's ima-appraisal module verifies file signatures. The problem
with verifying digital signatures of files is how the files are signed in the
first place. In our current prototype, we sign all files after system
installation, but this doesn't handle ongoing updates. We propose that Linux
distributors sign all files as part of the normal package signing. RPM already
maintains hashes of all files in the rpm package, and this can be extended to
add file signatures.
This patch set extends the rpm signing tool to include file signatures in
packages, and extends the rpm install tool to install file signatures.
Changelog v2:
-support for inline signing of files
-command line option for file signing key
-included missing file
-fixed type in rpmDigestAlgo
Changelog v3:
-split up patch
Fionnuala Gunter (4):
Add file signature to fsm_file_post parameter list
Sign package files and include signatures in package header
Label ima xattr when signed files are installed
Sign package files during installation
configure.ac | 8 ++
doc/rpm.8 | 28 +++--
doc/rpmsign.8 | 22 +++-
lib/Makefile.am | 3 +-
lib/fsm.c | 68 ++++++++++-
lib/poptI.c | 7 ++
lib/rpmcli.h | 2 +
lib/rpminstall.c | 10 +-
lib/rpmplugin.h | 3 +-
lib/rpmplugins.c | 5 +-
lib/rpmplugins.h | 4 +-
lib/rpmsignfiles.c | 130 +++++++++++++++++++++
lib/rpmsignfiles.h | 45 ++++++++
lib/rpmtag.h | 1 +
lib/rpmts.c | 15 +++
lib/rpmts.h | 15 +++
lib/rpmts_internal.h | 2 +
macros.in | 1 +
plugins/Makefile.am | 4 +
plugins/ima.c | 83 ++++++++++++++
rpmpopt.in | 1 +
rpmsign.c | 14 ++-
sign/rpmgensig.c | 319 +++++++++++++++++++++++++++++++++++++++++++++++----
sign/rpmsign.h | 7 +-
24 files changed, 750 insertions(+), 47 deletions(-)
create mode 100644 lib/rpmsignfiles.c
create mode 100644 lib/rpmsignfiles.h
create mode 100644 plugins/ima.c
--
1.9.3