[Rpm-maint] [rpm-software-management/rpm] Also apply signatures to config files (#374)

Jeff Johnson notifications at github.com
Sat Feb 10 17:56:25 UTC 2018


Yes: resign changed files after installation with a local private key managed however you wish outside of rpm. You will still have the ability to use the original ima signature/pub key distributed within the rpm header, but resigning locally permits removal of false positives on mutable %config/%ghost files.

My comment about per-file masking (with patterns if you must) was more a criticism of using rpm configuration disablers. One-size-fits-all with a per-system switch is sometimes too little control for what is intrinsically a per-file parameter.  If you convolve secure audits with rpm parameters (like --no signatures), then a rational audit also needs to keep track of rpm parameters used while installing.

A per-file AND mask would be best implemented in rpmfiFFlags() as part of rpm.

Meanwhile, just disabling  %config when building on embedded devices (the rationale given in #364) is an alternative to your proposed per-system switch.



-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/374#issuecomment-364676206
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20180210/90c0727f/attachment.html>


More information about the Rpm-maint mailing list