[Rpm-maint] Identifying which files need signatures
Fionnuala Gunter
fin at linux.vnet.ibm.com
Tue Jan 20 16:03:44 UTC 2015
Hi Florian,
On 01/19/2015 02:36 AM, Florian Festi wrote:
> On 01/16/2015 11:18 PM, Fionnuala Gunter wrote:
>> Hi,
>>
>> Missing from the RPM patches that add file signatures is a way for
>> package maintainers to specify which files need signing. Dmitry
>> Kasatkin suggested that we enumerate signed files with a spec tag,
>> similar to how we enumerate files, i.e.
>
> I wonder if there is a way around all this. Right now we already have
> the files divided up into normal files which are supposed to not change
> and config files which are expected to change. I wonder if this
> distinction is already sufficient.
Thanks, I think your suggestion will work. I can use the RPMFILE_CONFIG
flag to filter out config files.
>
> Also note that prelink will happily alter binary files. The verify code
> in rpm undoes the prelinking for checking digests of binary files. I
> wonder if this can be done with the signatures, too. Otherwise prelink
> needs to be disabled for the whole signing to work (as I guess binaries
> are a primary target for signing).
Good point. The kernel currently doesn't support signature verification
of prelinked files. It looks like prelink is already disabled on Fedora
21, so this shouldn't be a major issue.
>
> Florian
>
>
-Fin