On Tue, Jan 5, 2021 at 1:05 PM Ben Cotton <bcotton(a)redhat.com> wrote:
>
> https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
>
> Note that this change was submitted after the deadline, but since it can be shipped
> in a complete state, I am still processing it for Fedora 34.
>
>
> == Summary ==
> We want to add signatures to individual files that are part of shipped RPMs.
> These signatures will use the Linux IMA (Integrity Measurement Architecture) scheme,
> which means they can be used to enforce runtime policies to ensure execution of only
> trusted files.
>
> == Owner ==
> * Name: [[User:Puiterwijk| Patrick Uiterwijk]]
> * Email: puiterwijk(a)redhat.com
> * Name: [[User:Pbrobinson| Peter Robinson]]
> * Email: pbrobinson(a)gmail.com
>
>
> == Detailed Description ==
>
> During signing builds, the files in it will be signed with IMA signatures.
> These signatures will be made with a key that’s kept by the Fedora Infrastructure
> team, and installed on the sign vaults.
>
>
> == Benefit to Fedora ==
>
> Having all files signed with a verifiable key means that system owners can use the
> kernel Integrity and Measurement Architecture (IMA) to enforce that only verified files can be
> executed, or define other policies.
>
> == Scope ==
> * Proposal owners:
> The proposal owners will write the code for sigul to pass the required arguments,
> generate the keys in Infrastructure and get them deployed to the sign vaults.
>
> * Other developers:
> Nothing needed from other developers
>
> * Release engineering:
> A mass rebuild would be nice (as it ensures all packages are signed), but is not
> required to implement the change itself.
>
While having IMA is nice, can we *please* have repodata signing too?
It's been asked many times over the past decade[1][2][3][4][5], and
even if we don't enable it in our repo configuration files by default,
it'd be great to have it optionally available for users to leverage.
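As an added illustration of what the proposed per-file IMA signatures give a system owner to check (this is example code, not part of the thread or of Fedora's tooling): a decoder for the `security.ima` extended-attribute value that IMA file signatures are stored in, plus an audit that lists files whose attribute is missing, hash-only, or signed by a key id outside a trusted set. The sample attribute values below are constructed, not real Fedora signatures.

```python
import struct

# Kernel enum hash_algo (include/uapi/linux/hash_info.h) for the hash_algo byte.
HASH_ALGOS = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160", 4: "sha256",
              5: "sha384", 6: "sha512", 7: "sha224"}

# First byte of a security.ima value (evm_ima_xattr_type).
IMA_XATTR_DIGEST = 0x01      # bare SHA-1 digest, no signature
EVM_IMA_XATTR_DIGSIG = 0x03  # asymmetric signature with signature_v2_hdr
IMA_XATTR_DIGEST_NG = 0x04   # digest prefixed with a hash_algo byte

def parse_security_ima(blob: bytes) -> dict:
    """Decode a security.ima value. Signature layout (signature_v2_hdr):
    type(1) version(1) hash_algo(1) keyid(4, big-endian) sig_size(2, big-endian) sig."""
    if not blob:
        return {"kind": "missing"}
    xtype = blob[0]
    if xtype == EVM_IMA_XATTR_DIGSIG:
        if len(blob) < 9:
            raise ValueError("truncated signature header")
        version, algo, keyid, sig_size = struct.unpack(">BBIH", blob[1:9])
        sig = blob[9:]
        if len(sig) != sig_size:
            raise ValueError(f"sig_size {sig_size} but {len(sig)} signature bytes present")
        return {"kind": "signature", "version": version,
                "hash_algo": HASH_ALGOS.get(algo, f"unknown({algo})"),
                "keyid": f"{keyid:08x}", "sig_len": sig_size}
    if xtype == IMA_XATTR_DIGEST_NG:
        return {"kind": "hash", "hash_algo": HASH_ALGOS.get(blob[1], f"unknown({blob[1]})"),
                "digest": blob[2:].hex()}
    if xtype == IMA_XATTR_DIGEST:
        return {"kind": "hash", "hash_algo": "sha1", "digest": blob[1:].hex()}
    return {"kind": f"unknown(0x{xtype:02x})"}

def unsigned_or_foreign(files: dict, trusted_keyids: set) -> list:
    """Paths whose security.ima is absent, hash-only, or signed by an untrusted key id."""
    return sorted(path for path, blob in files.items()
                  if parse_security_ima(blob).get("keyid") not in trusted_keyids)

# Constructed sample: on a real host the raw values come from
# `getfattr -n security.ima -e hex FILE` (strip the 0x) or the RPM header tag
# `rpm -q --qf '[%{FILENAMES} %{FILESIGNATURES}\n]' PKG`, both hex for bytes.fromhex().
SAMPLE = {
    "/usr/bin/ls": bytes([0x03, 0x02, 0x04]) + bytes.fromhex("deadbeef")
                   + struct.pack(">H", 4) + b"\x01\x02\x03\x04",  # v2 sig, sha256, placeholder sig
    "/usr/bin/cat": bytes([0x04, 0x04]) + bytes(32),              # sha256 hash only, unsigned
    "/usr/local/bin/tool": b"",                                    # no xattr at all
}

if __name__ == "__main__":
    print(unsigned_or_foreign(SAMPLE, {"deadbeef"}))
```

With an appraise policy in enforcing mode, the files the audit lists are exactly the ones the kernel would refuse to execute, so the same check is a useful dry run before turning enforcement on.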