[Rpm-maint] [PATCH 4/4] Sign package files during installation

Fionnuala Gunter fin at linux.vnet.ibm.com
Thu Oct 23 21:56:22 UTC 2014



On 10/23/2014 12:09 PM, Dmitry Kasatkin wrote:
> On 23 October 2014 19:34, Fionnuala Gunter <fin at linux.vnet.ibm.com> wrote:
>>
>>
>> On 10/23/2014 02:24 AM, Dmitry Kasatkin wrote:
>>> On 22/10/14 21:42, Fionnuala Gunter wrote:
>>>>>> @@ -964,12 +993,22 @@ int rpmPackageFilesInstall(rpmts ts, rpmte te, rpmfiles files,
>>>>>>    if (rc)
>>>>>>        *failedFile = xstrdup(fpath);
>>>>>>
>>>>>> -  /* get file signatures from header */
>>>>>> -  if (sb.st_mode & (S_IXUSR|S_IXGRP|S_IXOTH)) {
>>>>>> +  /* sign executable files */
>>>>>> +  if (sb.st_mode & (S_IXUSR|S_IXGRP|S_IXOTH) && signFiles) {
>>>>>> +      digest = rpmtdNextString(&digests);
>>>>>> +      sig = signFile(algo, digest, diglen, key);
>>>>> Why do you sign only executables?
>>>>>
>>>>>> +      if (!sig) {
>>>>>> +          rpmlog(RPMLOG_ERR, _("signFile failed\n"));
>>>>>> +          goto exit;
>>>>>> +      }
>>>>>> +  }
>>>>>> +  /* or get file signatures from header */
>>>>>> +  else if (sb.st_mode & (S_IXUSR|S_IXGRP|S_IXOTH)) {
>>>>>>        sig = rpmtdNextString(&sigs);
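Review bot: In the `&& signFiles` branch, `digest = rpmtdNextString(&digests);` runs only for files that pass the execute-bit test, so the digests iterator advances once per executable rather than once per file. If digests holds one entry per packaged file, every executable that follows a non-executable file is signed with another file's digest. Advance the iterator for every file and decide separately whether to sign. The same applies to `sig = rpmtdNextString(&sigs);` in the else branch. In addition, digest is passed to signFile() without a NULL check, and the "signFile failed" message would be easier to act on if it included fpath.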
>>>>> Also here...  It only sets signature for executables??
>>>> Right, I only set signatures for executables, should I set signatures
>>>> for all files?
>>>>> - Dmitry
>>>
>>> I understand that it was a safe bet that binaries can always have a signature.
>>> What about libraries or maybe some important configuration file which
>>> would have a signature..
>>> Files which can be modified should not have a signature.
>>>
>>> Signatures should be set for all files in the package which has a signature.
>>> Package maintainer should be able to select what files to sign or not
>>> to sign...
>>>
>>> I think it has to be addressed before it can be really used.
>> This is a good point, so the files needing signatures should be
>> enumerated by the package maintainer. Perhaps this can be done in the
>> rpm spec.
>>
>> -Fin
>>>
> 
> Yes, something like that..
> 
> I am not an expert in package managers, but if I take a code snippet from
> ima-evm-utils.spec, then there are rules to specify files to include in the package,
> like:
> 
> %files
> %defattr(-,root,root,-)
> %{_bindir}/*
> %{_libdir}/libimaevm.*
> %{_includedir}/*
> 
> There should be some way to specify what should be signed, for example
> 
> %sign
> %{_etcdir}/path/to/config
> %{_bindir}/*
> 
Yes, this is what I had in mind.
> 
> But maybe RPM maintainers might comment...
> 
> Thanks,
> Dmitry
> 
>>> - Dmitry
>>>
>>>
>>>> Thanks,
>>>> Fin
>>>>
>>>>
>>>
>>
>> _______________________________________________
>> Rpm-maint mailing list
>> Rpm-maint at lists.rpm.org
>> http://lists.rpm.org/mailman/listinfo/rpm-maint
> 
> 
> 


