[Rpm-maint] [rpm-software-management/rpm] Support IMA signing with PKCS#11 (Issue #4124)

Jeremy Cline notifications at github.com
Tue Feb 24 18:34:41 UTC 2026


jeremycline created an issue (rpm-software-management/rpm#4124)

**Is your feature request related to a problem? Please describe.**

It's not currently possible to use the `rpmsign` tool with keys accessible via PKCS#11 (for example, a hardware token like a YubiKey).

**Describe the solution you'd like**
I would like to be able to do something like:
```bash
rpmsign --addsign --signfiles --fskpath "pkcs11:token=test-codesigning-key;id=%01;type=private" some.rpm
```

Most signing tools will accept a path or a PKCS#11 URI, but it's fine if it were a separate CLI argument.

**Describe alternatives you've considered**

Historically, Fedora has sent the entire RPM to the signing server, written out the private key to a tmpfs, and then used rpmsign. This is unfortunate because it is a huge waste of bandwidth, means the server needs to be aware of rpmsign, and it also means Fedora depends on the version of rpm on the signing server, which is typically RHEL.

Supporting this would enable Fedora to move to using the rpmsign version that ships with Fedora.

**Additional context**

ima-evm-utils supports using both the deprecated OpenSSL engine and provider APIs, both of which can handle PKCS#11. Instead of doing [IMAEVM_OSSL_ACCESS_TYPE_NONE](https://github.com/rpm-software-management/rpm/blob/480ad2864c89a8bc9b8dfb5fac58d9055a1ca8f5/sign/rpmsignfiles.cc#L58), rpmsign could do what [evmctl](https://github.com/linux-integrity/ima-evm-utils/blob/dc5969360a0439d225a0df386aeb2f4ab9f0661a/src/evmctl.c#L3248) does to use the provider.


-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/4124
You are receiving this because you are subscribed to this thread.

Message ID: <rpm-software-management/rpm/issues/4124 at github.com>
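The request above leaves one concrete design question open: `--fskpath` today names a PEM file, and a tool that also accepts a `pkcs11:` URI has to decide which of the two it was handed before touching the filesystem or loading a provider. The following is an added example (not code from rpm or ima-evm-utils) of that classification plus a parser for the PKCS#11 URI syntax of RFC 7512, written in C++ to match the language of `sign/rpmsignfiles.cc`. It assumes the URI form quoted in the issue; the `Pkcs11Uri` type, the helper names and the sample file path are hypothetical, and the RFC's rule that standard attributes appear at most once is applied to every attribute for simplicity.

```cpp
// Added example, not rpm's own code: decide whether an --fskpath-style argument
// is a PEM file or an RFC 7512 PKCS#11 URI, and parse the URI's attributes.
#include <cctype>
#include <cstdio>
#include <map>
#include <stdexcept>
#include <string>

// Hypothetical holder for a parsed URI: path attributes (token=, id=, type=, ...)
// and query attributes (module-path=, pin-source=, ...), all percent-decoded.
struct Pkcs11Uri {
    std::map<std::string, std::string> path;
    std::map<std::string, std::string> query;
};

// True when the argument should go to a PKCS#11 provider rather than be opened
// as a file. The scheme is case-insensitive (RFC 3986), so "PKCS11:" also matches.
static bool is_pkcs11_uri(const std::string &arg) {
    static const std::string scheme = "pkcs11:";
    if (arg.size() < scheme.size()) return false;
    for (size_t i = 0; i < scheme.size(); ++i)
        if (std::tolower(static_cast<unsigned char>(arg[i])) != scheme[i]) return false;
    return true;
}

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

// Percent-decoding. Values such as id= are raw bytes after decoding (id=%01 is
// the single byte 0x01, not the character '1'); malformed escapes are rejected.
static std::string pct_decode(const std::string &s) {
    std::string out;
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] != '%') { out += s[i]; continue; }
        if (i + 2 >= s.size()) throw std::invalid_argument("truncated %-escape");
        int hi = hexval(s[i + 1]), lo = hexval(s[i + 2]);
        if (hi < 0 || lo < 0) throw std::invalid_argument("bad %-escape");
        out += static_cast<char>(hi * 16 + lo);
        i += 2;
    }
    return out;
}

// Split "k=v<sep>k=v" into a map, decoding both sides. Duplicate attributes are
// rejected (RFC 7512 requires this for the standard ones; applied to all here).
static void parse_attrs(const std::string &s, char sep,
                        std::map<std::string, std::string> &out) {
    size_t start = 0;
    while (start <= s.size()) {
        size_t end = s.find(sep, start);
        if (end == std::string::npos) end = s.size();
        std::string kv = s.substr(start, end - start);
        size_t eq = kv.find('=');
        if (eq == std::string::npos || eq == 0)
            throw std::invalid_argument("attribute without '=': " + kv);
        std::string key = pct_decode(kv.substr(0, eq));
        std::string val = pct_decode(kv.substr(eq + 1));
        if (!out.emplace(key, val).second)
            throw std::invalid_argument("duplicate attribute: " + key);
        start = end + 1;
    }
}

// pkcs11:<path attrs separated by ';'>[?<query attrs separated by '&'>]
static Pkcs11Uri parse_pkcs11_uri(const std::string &uri) {
    if (!is_pkcs11_uri(uri)) throw std::invalid_argument("not a pkcs11: URI");
    std::string rest = uri.substr(7);
    Pkcs11Uri r;
    size_t q = rest.find('?');
    std::string path = rest.substr(0, q);
    if (!path.empty()) parse_attrs(path, ';', r.path);
    if (q != std::string::npos && q + 1 < rest.size())
        parse_attrs(rest.substr(q + 1), '&', r.query);
    return r;
}

// Hex rendering for binary attributes such as id=, for logging only.
static std::string to_hex(const std::string &bytes) {
    static const char *digits = "0123456789abcdef";
    std::string out;
    for (unsigned char c : bytes) { out += digits[c >> 4]; out += digits[c & 15]; }
    return out;
}

int main() {
    // Constructed inputs: the URI quoted in the issue and a made-up PEM path.
    const char *args[] = {
        "pkcs11:token=test-codesigning-key;id=%01;type=private",
        "/etc/pki/ima/privkey.pem",
    };
    for (const char *a : args) {
        if (!is_pkcs11_uri(a)) { std::printf("%s -> PEM file path\n", a); continue; }
        Pkcs11Uri u = parse_pkcs11_uri(a);
        std::printf("%s -> token=%s id=0x%s type=%s\n", a, u.path["token"].c_str(),
                    to_hex(u.path["id"]).c_str(), u.path["type"].c_str());
    }
    return 0;
}
```

Keeping the file-vs-URI decision on the scheme prefix rather than on "does the path exist" matters for a signing tool: a missing PEM file should fail loudly, not be silently reinterpreted as a token reference, and a URI must never be passed to `fopen`. The `id=` attribute is handled as bytes because keys on a token are commonly identified by a small binary `CKA_ID`, which is exactly what `id=%01` in the issue's example encodes.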