[Rpm-maint] Identifying which files need signatures

Fionnuala Gunter fin at linux.vnet.ibm.com
Tue Jan 20 16:03:44 UTC 2015


Hi Florian,

On 01/19/2015 02:36 AM, Florian Festi wrote:
> On 01/16/2015 11:18 PM, Fionnuala Gunter wrote:
>> Hi,
>>
>> Missing from the RPM patches that add file signatures is a way for
>> package maintainers to specify which files need signing. Dmitry
>> Kasatkin suggested that we enumerate signed files with a spec tag,
>> similar to how we enumerate files, i.e.
> 
> I wonder if there is a way around all this. Right now we already have
> the files divided up into normal files which are supposed to not change
> and config files which are expected to change. I wonder if this
> distinction is already sufficient.
Thanks, I think your suggestion will work. I can use the RPMFILE_CONFIG
flag to filter out config files.
> 
> Also note that prelink will happily alter binary files. The verify code
> in rpm undoes the prelinking for checking digests of binary files. I
> wonder if this can be done with the signatures, too. Otherwise prelink
> needs to be disabled for the whole signing to work (as I guess binaries
> are a primary target for signing)
Good point. The kernel currently doesn't support signature verification
of prelinked files. It looks like prelink is already disabled on Fedora
21, so this shouldn't be a major issue.
> 
> Florian
> 
> 
-Fin


