On Tue, Jan 12, 2021 at 8:21 PM Brian C. Lane <bcl(a)redhat.com> wrote:
On Tue, Jan 05, 2021 at 01:05:01PM -0500, Ben Cotton wrote:
>
https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
>
> Note that this change was submitted after the deadline, but since it can be
> shipped in an complete state, I am still processing it for Fedora 34.
>
>
> == Summary ==
> We want to add signatures to individual files that are part of shipped RPMs.
> These signatures will use the Linux IMA (Integrity Measurement
> Architecture) scheme, which means they can be used to enforce runtime
> policies to ensure execution of only trusted files.
Who is going to use this feature? My guess is a very limited set of
users, so it seems unfair to dramatically increase the size of their
downloads and install footprint to support something they don't use.
Can't they be shipped on the side? An rpm of signatures that's
optionally installed would be more user friendly.
Also, I (being unfamiliar with IMA), don't see how this is any better
than trusting the file hash signed by the fedora keys that we currently
have.
I wasn't aware the current rpm has functionality integrated with
kernel/tpm and other functionality to do it at runtime access of the
files, I thought it was more an audit style use case such as rpm -V to
see if something had changed. IMA is more about being able to check at
runtime and setting policies of what to do if something has changed.