[Rpm-maint] [PATCH 4/4] Sign package files during installation
Fionnuala Gunter
fin at linux.vnet.ibm.com
Thu Oct 23 21:56:22 UTC 2014
On 10/23/2014 12:09 PM, Dmitry Kasatkin wrote:
> On 23 October 2014 19:34, Fionnuala Gunter <fin at linux.vnet.ibm.com> wrote:
>>
>>
>> On 10/23/2014 02:24 AM, Dmitry Kasatkin wrote:
>>> On 22/10/14 21:42, Fionnuala Gunter wrote:
>>>>>> @@ -964,12 +993,22 @@ int rpmPackageFilesInstall(rpmts ts, rpmte te, rpmfiles files,
>>>>>> if (rc)
>>>>>> *failedFile = xstrdup(fpath);
>>>>>>
>>>>>> - /* get file signatures from header */
>>>>>> - if (sb.st_mode & (S_IXUSR|S_IXGRP|S_IXOTH)) {
>>>>>> + /* sign executable files */
>>>>>> + if (sb.st_mode & (S_IXUSR|S_IXGRP|S_IXOTH) && signFiles) {
>>>>>> + digest = rpmtdNextString(&digests);
>>>>>> + sig = signFile(algo, digest, diglen, key);
>>>>> Why do you sign only executables?
>>>>>
>>>>>> + if (!sig) {
>>>>>> + rpmlog(RPMLOG_ERR, _("signFile failed\n"));
>>>>>> + goto exit;
>>>>>> + }
>>>>>> + }
>>>>>> + /* or get file signatures from header */
>>>>>> + else if (sb.st_mode & (S_IXUSR|S_IXGRP|S_IXOTH)) {
>>>>>> sig = rpmtdNextString(&sigs);
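Review bot: `digest = rpmtdNextString(&digests)` in the new signing branch, like `sig = rpmtdNextString(&sigs)` in the else branch, advances its iterator only when the file has an execute bit set. If `digests` or `sigs` carries one entry per package file, the value fetched stops corresponding to `fpath` as soon as one non-executable file has been passed, and the file would be signed over another file's digest. Advance the iterator for every file (or look the entry up by file index) and check `digest` for NULL before handing it to `signFile`. The "signFile failed" message would also be more useful with `fpath` in it, and since the hunk does not show `rc` being set before `goto exit`, confirm that the failure is actually reported to the caller.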
>>>>> Also here... It only sets signature for executables??
>>>> Right, I only set signatures for executables, should I set signatures
>>>> for all files?
>>>>> - Dmitry
>>>
>>> I understand that it was a safe bet that binaries can always have a signature.
>>> What about libraries or maybe some important configuration file which
>>> would have a signature..
>>> Files which can be modified should not have a signature.
>>>
>>> Signatures should be set for all files in the package which has a signature.
>>> Package maintainer should be able to select what files to sign or not
>>> to sign...
>>>
>>> I think it has to be addressed before it can be really used.
>> This is a good point, so the files needing signatures should be
>> enumerated by the package maintainer. Perhaps this can be done in the
>> rpm spec.
>>
>> -Fin
>>>
>
> Yes, something like that..
>
> I am not an expert in package managers, but if I take a code snippet from
> ima-evm-utils.spec, then there are rules to specify files to include in the package,
> like:
>
> %files
> %defattr(-,root,root,-)
> %{_bindir}/*
> %{_libdir}/libimaevm.*
> %{_includedir}/*
>
> There should be some way to specify what should be signed, for example
>
> %sign
> %{_etcdir}/path/to/config
> %{_bindir}/*
>
Yes, this is what I had in mind.
>
> But maybe RPM maintainers might comment...
>
> Thanks,
> Dmitry
>
>>> - Dmitry
>>>
>>>
>>>> Thanks,
>>>> Fin
>>>>
>>>>
>>>
>>