On Tue, Jan 5, 2021 at 1:05 PM Ben Cotton <bcotton(a)redhat.com> wrote:
https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
Note that this change was submitted after the deadline, but since it can be shipped in a
complete state, I am still processing it for Fedora 34.
== Summary ==
We want to add signatures to individual files that are part of shipped RPMs.
These signatures will use the Linux IMA (Integrity Measurement Architecture) scheme,
which means they can be used to enforce runtime policies to ensure execution of only
trusted files.
== Owner ==
* Name: [[User:Puiterwijk| Patrick Uiterwijk]]
* Email: puiterwijk(a)redhat.com
* Name: [[User:Pbrobinson| Peter Robinson]]
* Email: pbrobinson(a)gmail.com
== Detailed Description ==
During signing builds, the files in them will be signed with IMA signatures.
These signatures will be made with a key that’s kept by the Fedora Infrastructure team,
and installed on the sign vaults.
== Benefit to Fedora ==
Having all files signed with a verifiable key means that system owners can use the kernel
Integrity Measurement Architecture (IMA) to enforce only verified files can be
executed, or define other policies.
== Scope ==
* Proposal owners:
The proposal owners will write the code for sigul to pass the required arguments,
generate the keys in Infrastructure and get them deployed to the sign vaults.
* Other developers:
Nothing needed from other developers
* Release engineering:
A mass rebuild would be nice (as it ensures all packages are signed), but is not required
to implement the change itself.
While having IMA is nice, can we *please* have repodata signing too?
It's been asked many times over the past decade[1][2][3][4][5], and
even if we don't enable it in our repo configuration files by default,
it'd be great to have it optionally available for users to leverage.
[1]: https://pagure.io/releng/issue/1501
[2]: https://pagure.io/koji/issue/835
[3]: https://pagure.io/pungi/issue/506
[4]: https://pagure.io/releng/issue/133
[5]: https://pagure.io/fedora-infrastructure/issue/9436
--
真実はいつも一つ!/ Always, there's only one truth!
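The Change text quoted above describes file signatures in the Linux IMA scheme and a kernel policy that admits only files whose signature verifies. The following is an added, stand-alone illustration of what that appraisal step checks; it is not code from the Change, from rpm, or from ima-evm-utils. It lays out a `security.ima` value the way the kernel's `signature_v2_hdr` does (type, version, hash algorithm, 4-byte key id, 2-byte signature length, then a PKCS#1 v1.5 signature over the file digest), signs a constructed file with a toy pure-stdlib RSA key, and then appraises the file against a model of the `.ima` keyring. The RSA key generation, the key-id derivation from the modulus, and the sample file content are assumptions made for the example; a real deployment uses certificates loaded onto the kernel keyring, not a key generated in the script.

```python
"""Build, parse and appraise Linux IMA 'security.ima' values (constructed example)."""
import hashlib
import hmac
import math
import random
import struct

EVM_IMA_XATTR_DIGSIG = 0x03   # first byte when security.ima holds a signature
IMA_XATTR_DIGEST_NG = 0x04    # first byte when security.ima holds a bare digest
DIGSIG_VERSION_2 = 0x02
HASH_ALGO = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}  # kernel hash_info.h ids
HASH_ALGO_SHA256 = 4
# DER DigestInfo prefix for SHA-256 in PKCS#1 v1.5 (RFC 8017, section 9.2)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; adequate for a toy key, not for production key generation."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_toy_rsa(bits=1024):
    """Toy RSA key {'n','e','d'}; assumption for the example only."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def key_id(key):
    """4-byte key id for the header; toy derivation from the modulus (assumption).
    Real key ids are derived from the signing certificate's subject key identifier."""
    k = (key["n"].bit_length() + 7) // 8
    return hashlib.sha1(key["n"].to_bytes(k, "big")).digest()[-4:]


def _emsa_pkcs1_v15(digest, k):
    t = SHA256_DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_sign_sha256(digest, key):
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(digest, k), "big")
    return pow(m, key["d"], key["n"]).to_bytes(k, "big")


def rsa_verify_sha256(digest, sig, key):
    k = (key["n"].bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= key["n"]:
        return False
    em = pow(s, key["e"], key["n"]).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(digest, k))


def make_ima_signature(data, key):
    """security.ima value: signature_v2_hdr followed by the signature bytes."""
    sig = rsa_sign_sha256(hashlib.sha256(data).digest(), key)
    hdr = struct.pack(">BBB4sH", EVM_IMA_XATTR_DIGSIG, DIGSIG_VERSION_2,
                      HASH_ALGO_SHA256, key_id(key), len(sig))
    return hdr + sig


def make_ima_hash(data):
    """security.ima value holding only a digest (no signer to trust)."""
    return bytes([IMA_XATTR_DIGEST_NG, HASH_ALGO_SHA256]) + hashlib.sha256(data).digest()


def parse_ima_xattr(value):
    if not value:
        raise ValueError("empty security.ima")
    if value[0] == IMA_XATTR_DIGEST_NG:
        return {"type": "hash", "algo": HASH_ALGO[value[1]], "digest": value[2:]}
    if value[0] == EVM_IMA_XATTR_DIGSIG:
        if len(value) < 9:
            raise ValueError("short signature header")
        _, ver, algo, keyid, sig_len = struct.unpack(">BBB4sH", value[:9])
        if ver != DIGSIG_VERSION_2 or len(value) - 9 != sig_len:
            raise ValueError("bad version or truncated signature")
        return {"type": "sig", "algo": HASH_ALGO[algo], "keyid": keyid, "sig": value[9:]}
    raise ValueError("unknown security.ima type %#x" % value[0])


def appraise(data, xattr_value, trusted_keys):
    """Model of IMA appraisal: True only if the content matches the recorded digest
    or carries a valid signature from a key on the trusted (.ima) keyring."""
    try:
        info = parse_ima_xattr(xattr_value)
    except (ValueError, KeyError):
        return False
    digest = hashlib.new(info["algo"], data).digest()
    if info["type"] == "hash":
        return hmac.compare_digest(digest, info["digest"])
    key = trusted_keys.get(info["keyid"])
    if key is None or info["algo"] != "sha256":   # toy verifier handles sha256 only
        return False
    return rsa_verify_sha256(digest, info["sig"], key)


if __name__ == "__main__":
    key = generate_toy_rsa()
    keyring = {key_id(key): {"n": key["n"], "e": key["e"]}}   # stands in for the .ima keyring
    script = b"#!/bin/sh\necho hello\n"                        # constructed file content
    xattr = make_ima_signature(script, key)
    print("signed file   :", appraise(script, xattr, keyring))
    print("tampered file :", appraise(script + b"\n", xattr, keyring))
    print("unknown signer:", appraise(script, xattr, {}))
```

The three outcomes at the bottom are the ones an appraisal policy distinguishes: a file whose signature verifies under a key on the keyring passes, a modified file fails even though its xattr is intact, and a file signed by a key the kernel does not trust fails regardless of the signature being well-formed. A bare digest (`make_ima_hash`) passes only a content check and names no signer, which is why signatures rather than hashes are what the proposal ships.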