On Thu, 2021-12-02 at 15:08 -0500, Frank Ch. Eigler wrote:
> === Relationship with IMA ===
>
> [
https://sourceforge.net/p/linux-ima/wiki/Home/ IMA] is another
> technology meant to provide detection of file alterations. IMA and
> fsverity operate very differently, and are somewhat complementary.
> [...]
> Do these two systems use the same per-file signature metadata in the
> RPMs?

Both fs-verity and IMA use file signatures, but they each have their
own dedicated flags and signing flows in RPM (e.g. see
https://github.com/rpm-software-management/rpm/blob/4afe2d14d33db82ccb41c...
for the signing implementation). The signatures themselves are not
interchangeable -- fs-verity's signature is based off the Merkle tree
(which itself is block-based), while IMA measures the file as a whole.

Cheers
Davide
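The point above (fs-verity signs a digest derived from a block-based Merkle tree, IMA signs a hash of the whole file) can be made concrete. The following is an added example, not code from this thread or from RPM; it follows the Merkle tree rules and the 256-byte fsverity_descriptor layout documented for the kernel's fs-verity (SHA-256, 4096-byte blocks, no salt) and contrasts the result with a plain whole-file SHA-256 as IMA would compute it.

```python
"""fs-verity file digest vs. whole-file hash (added example, constructed data)."""
import hashlib
import struct

BLOCK_SIZE = 4096
LOG_BLOCKSIZE = BLOCK_SIZE.bit_length() - 1   # 12
FS_VERITY_HASH_ALG_SHA256 = 1                 # enum value from the fs-verity UAPI


def sha256_bytes(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hash_blocks(buf: bytes) -> list[bytes]:
    """Hash buf in BLOCK_SIZE pieces; the last piece is zero-padded like the kernel does."""
    return [sha256_bytes(buf[i:i + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0"))
            for i in range(0, len(buf), BLOCK_SIZE)]


def merkle_root(data: bytes) -> bytes:
    """Root hash of the fs-verity Merkle tree over the file contents."""
    if not data:
        return bytes(32)          # empty file: no tree, root hash is all zeroes
    level = hash_blocks(data)     # level 0: one hash per data block
    while len(level) > 1:         # pack hashes into blocks and hash again
        level = hash_blocks(b"".join(level))
    return level[0]               # a file of one block has the block hash as root


def fsverity_descriptor(data: bytes) -> bytes:
    """struct fsverity_descriptor (version 1): the object whose hash fs-verity signs."""
    desc = struct.pack("<BBBBIQ", 1, FS_VERITY_HASH_ALG_SHA256, LOG_BLOCKSIZE,
                       0, 0, len(data))           # salt_size=0, reserved=0, data_size
    desc += merkle_root(data).ljust(64, b"\0")    # root_hash[64]
    desc += bytes(32) + bytes(144)                # salt[32], reserved[144]
    return desc                                   # always 256 bytes


def fsverity_digest(data: bytes) -> bytes:
    """What an fs-verity signature covers: a hash of the descriptor, not of the bytes."""
    return sha256_bytes(fsverity_descriptor(data))


def ima_file_hash(data: bytes) -> bytes:
    """What an IMA signature covers: one hash over the entire file contents."""
    return sha256_bytes(data)


if __name__ == "__main__":
    sample = b"constructed sample file\n" * 600    # a few blocks plus a partial one
    print("fs-verity digest:", fsverity_digest(sample).hex())
    print("IMA file hash:   ", ima_file_hash(sample).hex())
```

Running it shows two unrelated 32-byte values for the same content, which is why a signature over one cannot be verified against the other.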