[Rpm-maint] [PATCH v9 00/13] RPM: include and install file signatures
Fionnuala Gunter
fionnuala.gunter at gmail.com
Tue Jul 21 17:00:34 UTC 2015
From: Fionnuala Gunter <fin.gunter at hypori.com>
Hi Lubos,
Mimi added support for pass phrase passing. Let us know if anything needs to be changed.
-Fin
---
IMA-appraisal, upstreamed in linux-3.7, enforces local file
integrity based on a known 'good' value stored as an extended
attribute 'security.ima'. Labeling the filesystem is currently done
post install using a local private key. Including file signatures
in the package provides not only file integrity, but file
provenance.
This patch set extends the existing rpm signing tool to include file
signatures in packages, and adds a plugin that installs file
signatures using the psm_post hook.
There are new options to rpmsign - signfiles and fskpath.
rpm --addsign [--signfiles [--fskpath <file signing key>]]
PACKAGE_FILE ...
Signfiles signs all the file digests included in the package with
libimaevm and stores the signatures in the package header under the
tag RPMTAG_FILESIGNATURES. The file signing key can be provided with
the option fskpath, or in a macro file with %_file_signing_key.
After including file signatures, the packages are signed normally.
When a package with signed files is installed, rpmfilesPopulate
extracts file signatures from the package header and stores them (in
binary) in rpmfiles struct. Then the ima plugin instantiates the
psm_post hook and writes the file signatures to security.ima xattr.
Mimi Zohar (2):
Add support for passing the file signing key password
Add support for prompting the user for the password using pinentry
fin at linux.vnet.ibm.com (11):
Refactor copyFile to not close files
Export generateSignature
Add rpmtags for file signatures and their length
Subroutine for dumping immutable region of header
Add support for file signatures to rpmfi and rpmfiles
Configure option to build with imaevm support
Sign file digests and store signatures in header
Add file signature support to rpmsign command
Add file signature support to package signing
IMA plugin labels ima xattr with file signatures
Documentation for file signing
build/pack.c | 90 +---------------
configure.ac | 9 ++
doc/rpmsign.8 | 24 ++++-
lib/Makefile.am | 4 +
lib/rpmfi.c | 44 +++++++-
lib/rpmfi.h | 8 ++
lib/rpmfiles.h | 10 ++
lib/rpmsignfiles.c | 294 ++++++++++++++++++++++++++++++++++++++++++++++++++++
lib/rpmsignfiles.h | 24 +++++
lib/rpmtag.h | 2 +
lib/signature.c | 87 ++++++++++++++++
lib/signature.h | 11 ++
macros.in | 1 +
plugins/Makefile.am | 4 +
plugins/ima.c | 51 +++++++++
rpmpopt.in | 1 +
rpmsign.c | 50 ++++++++-
sign/rpmgensig.c | 225 +++++++++++++++++++++++++++++++++++-----
sign/rpmsign.h | 1 +
tests/rpmgeneral.at | 2 +
20 files changed, 822 insertions(+), 120 deletions(-)
create mode 100644 lib/rpmsignfiles.c
create mode 100644 lib/rpmsignfiles.h
create mode 100644 plugins/ima.c
--
2.4.3
More information about the Rpm-maint
mailing list