[Rpm-maint] [RFC PATCH v3 0/4] Include and install file signatures
Mimi Zohar
zohar at linux.vnet.ibm.com
Mon Oct 13 17:48:08 UTC 2014
On Tue, 2014-10-07 at 15:19 -0500, fin at linux.vnet.ibm.com wrote:
> From: Fionnuala Gunter <fin at linux.vnet.ibm.com>
>
> The Linux kernel's ima-appraisal module verifies file signatures. The problem
> with verifying digital signatures of files is how the files are signed in the
> first place. In our current prototype, we sign all files after system
> installation, but this doesn't handle ongoing updates. We propose that Linux
> distributors sign all files as part of the normal package signing. RPM already
> maintains hashes of all files in the rpm package, and this can be extended to
> add file signatures.
>
> This patch set extends the rpm signing tool to include file signatures in
> packages, and extends the rpm install tool to install file signatures.

Splitting up the patches like this looks a lot better!

thanks,

Mimi

> Changelog v2:
> -support for inline signing of files
> -command line option for file signing key
> -included missing file
> -fixed type in rpmDigestAlgo
>
> Changelog v3:
> -split up patch
>
> Fionnuala Gunter (4):
>   Add file signature to fsm_file_post parameter list
>   Sign package files and include signatures in package header
>   Label ima xattr when signed files are installed
>   Sign package files during installation
>
> configure.ac | 8 ++
> doc/rpm.8 | 28 +++--
> doc/rpmsign.8 | 22 +++-
> lib/Makefile.am | 3 +-
> lib/fsm.c | 68 ++++++++++-
> lib/poptI.c | 7 ++
> lib/rpmcli.h | 2 +
> lib/rpminstall.c | 10 +-
> lib/rpmplugin.h | 3 +-
> lib/rpmplugins.c | 5 +-
> lib/rpmplugins.h | 4 +-
> lib/rpmsignfiles.c | 130 +++++++++++++++++++++
> lib/rpmsignfiles.h | 45 ++++++++
> lib/rpmtag.h | 1 +
> lib/rpmts.c | 15 +++
> lib/rpmts.h | 15 +++
> lib/rpmts_internal.h | 2 +
> macros.in | 1 +
> plugins/Makefile.am | 4 +
> plugins/ima.c | 83 ++++++++++++++
> rpmpopt.in | 1 +
> rpmsign.c | 14 ++-
> sign/rpmgensig.c | 319 +++++++++++++++++++++++++++++++++++++++++++++++----
> sign/rpmsign.h | 7 +-
> 24 files changed, 750 insertions(+), 47 deletions(-)
> create mode 100644 lib/rpmsignfiles.c
> create mode 100644 lib/rpmsignfiles.h
> create mode 100644 plugins/ima.c
>