[Rpm-maint] [rpm-software-management/rpm] Use imaevm_signhash if available (PR #3458)

Michal Domonkos notifications at github.com
Thu Nov 21 16:05:26 UTC 2024


I've tried actually verifying an IMA signature made with rpm built from this branch, using the following steps:

```bash
$ cat x509_evm.genkey
# Beginning of the file
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
O = Magrathea
CN = Glacier signing key
emailAddress = slartibartfast@magrathea.h2g2

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
# EOF
$ openssl req -new -nodes -utf8 -sha256 -days 36500 -batch \
          -x509 -config x509_evm.genkey \
          -outform DER -out x509_evm.der -keyout privkey_evm.pem
$ rpmsign --addsign --signfiles --fskpath=./privkey_evm.pem foo.rpm
$ sudo rpm -Uhv ./foo.rpm
$ getfattr -m security.ima -d /path/to/file/from/foo.rpm
[...]
security.ima=<signature>
$ evmctl ima_verify --key x509_evm.der -v /path/to/file/from/foo.rpm
[...]
/path/to/file/from/foo.rpm: verification is OK
```

The `<signature>` that `getfattr` reports is the same whether the package is signed with rpm from master or from this branch, plus `evmctl` verifies it successfully.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/3458#issuecomment-2491647834
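The `security.ima` value that `getfattr -d` prints in the steps above is an IMA signature_v2 blob, and its embedded keyid is derived from the signing certificate's subjectKeyIdentifier (which is why the config above sets `subjectKeyIdentifier=hash`). The following is an added example of mine, not code from rpm or from this PR: it parses such a line, validates the header that libimaevm writes (layout per ima-evm-utils' `struct signature_v2_hdr`), and checks the keyid against a certificate SKID. The xattr value and the SKID are constructed samples; it assumes the cert carries an SKID, as the config above ensures.

```python
import base64
import struct

# struct signature_v2_hdr (ima-evm-utils): type, version, hash_algo, be32 keyid, be16 sig_size
_HDR = struct.Struct(">BBBIH")
EVM_IMA_XATTR_DIGSIG = 3
# Leading entries of the kernel's enum hash_algo (include/uapi/linux/hash_info.h)
HASH_ALGOS = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160",
              4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}


def decode_xattr_value(value):
    """Decode the value part of a getfattr -d line: 0s<base64> or 0x<hex>."""
    if value.startswith("0s"):
        return base64.b64decode(value[2:])
    if value.startswith("0x"):
        return bytes.fromhex(value[2:])
    raise ValueError("unexpected xattr encoding: %r" % value[:4])


def parse_ima_sig(blob):
    """Return the signature_v2 header fields; reject anything that is not a v2 digsig."""
    if len(blob) < _HDR.size:
        raise ValueError("xattr too short for a signature_v2 header")
    xtype, version, hash_algo, keyid, sig_size = _HDR.unpack_from(blob)
    if xtype != EVM_IMA_XATTR_DIGSIG:
        raise ValueError("not an IMA digital signature (type %d)" % xtype)
    if version != 2:
        raise ValueError("unsupported signature version %d" % version)
    sig = blob[_HDR.size:]
    if len(sig) != sig_size:
        raise ValueError("sig_size %d but %d signature bytes" % (sig_size, len(sig)))
    return {"hash_algo": HASH_ALGOS.get(hash_algo, "unknown(%d)" % hash_algo),
            "keyid": keyid, "sig_size": sig_size, "sig": sig}


def keyid_from_skid(skid):
    """IMA keyid = last 4 bytes of the cert's subjectKeyIdentifier, big-endian."""
    return int.from_bytes(skid[-4:], "big")


def check_line(line, skid):
    """Parse one getfattr line and report whether its keyid matches the signing cert."""
    _name, _, value = line.strip().partition("=")
    hdr = parse_ima_sig(decode_xattr_value(value))
    hdr["keyid_matches"] = hdr["keyid"] == keyid_from_skid(skid)
    return hdr


# Constructed sample: a 20-byte SKID and a dummy 128-byte (RSA-1024) signature over a
# sha256 digest, encoded the way `getfattr -m security.ima -d` prints binary values.
SAMPLE_SKID = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
SAMPLE_SIG = bytes(range(128))  # placeholder bytes, not a real signature
SAMPLE_XATTR = "security.ima=0s" + base64.b64encode(
    _HDR.pack(EVM_IMA_XATTR_DIGSIG, 2, 4, keyid_from_skid(SAMPLE_SKID), len(SAMPLE_SIG))
    + SAMPLE_SIG).decode()
```

A keyid mismatch means the file was signed with a different certificate than the one you are about to hand to `evmctl ima_verify`, which is worth knowing before reading its verification failure as a bad signature.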