I am interested in verifying files from packages installed from Fedora's repos. (For context this is related to determining allowed origins for various applications using a new WebAuthn API.) Are there any further docs on verifying signatures?
From the Bugzilla linked in https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents, it looks like you need to install rpm-plugin-ima, and then reinstall any packages so that the signatures are written to the locally installed files. The spec page mentions IMA keys being published on the Fedora security page, but only GPG keys are listed. Are those the same keys used to generate the IMA signatures?
Thanks for your help,
Isaiah Inuwa
On Thu, Nov 28, 2024 at 12:26:37AM +0000, Isaiah Inuwa via packaging wrote:
I am interested in verifying files from packages installed from Fedora's repos. (For context this is related to determining allowed origins for various applications using a new WebAuthn API.) Are there any further docs on verifying signatures?
I don't think there are any Fedora-specific ones (but it would be great if someone would write some up, perhaps as a quickdoc?)
RHEL does have docs:
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/man...
(boy, that's quite a long URL, sorry)
From the Bugzilla linked in https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents, it looks like you need to install rpm-plugin-ima, and then reinstall any packages so that the signatures are written to the locally installed files. The spec page mentions IMA keys being published on the Fedora security page, but only GPG keys are listed. Are those the same keys used to generate the IMA signatures?
You can find the certs in the fedora-gpg-keys package (both the CA and each release IMA).
They are distributed as DER files because that's what the IMA tooling expects. I am not sure how that could be represented on a web page. ;(
https://ima-doc.readthedocs.io/en/latest/index.html
I'm trying to pull together and maintain up-to-date IMA documentation. I don't have anything on user-level verification because IMA does it (appraisal) in the kernel.
1. Maybe something in this doc will help.
2. Contributions are welcome.
-----Original Message-----
From: Kevin Fenzi via packaging packaging@lists.fedoraproject.org
Sent: Thursday, November 28, 2024 2:43 PM
To: Discussion of RPM packaging standards and practices for Fedora packaging@lists.fedoraproject.org
Cc: Kevin Fenzi kevin@scrye.com
Subject: [EXTERNAL] [Fedora-packaging] Re: IMA Key Verification
On Thu, Nov 28, 2024 at 12:26:37AM +0000, Isaiah Inuwa via packaging wrote:
I am interested in verifying files from packages installed from Fedora's repos. (For context this is related to determining allowed origins for various applications using a new WebAuthn API.) Are there any further docs on verifying signatures?
I don't think there are any Fedora-specific ones (but it would be great if someone would write some up, perhaps as a quickdoc?)
RHEL does have docs:
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/managing_monitoring_and_updating_the_kernel/enhancing-security-with-the-kernel-integrity-subsystem_managing-monitoring-and-updating-the-kernel
(boy, that's quite a long URL, sorry)
From the Bugzilla linked in https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents, it looks like you need to install rpm-plugin-ima, and then reinstall any packages so that the signatures are written to the locally installed files. The spec page mentions IMA keys being published on the Fedora security page, but only GPG keys are listed. Are those the same keys used to generate the IMA signatures?
You can find the certs in the fedora-gpg-keys package (both the CA and each release IMA).
They are distributed as DER files because that's what the IMA tooling expects. I am not sure how that could be represented on a web page. ;(
On 11/28/24 2:26 AM, Isaiah Inuwa via packaging wrote:
I am interested in verifying files from packages installed from Fedora's repos. (For context this is related to determining allowed origins for various applications using a new WebAuthn API.) Are there any further docs on verifying signatures?
Depends on what kind of verification you're after.
A simple 'rpm -Va' will verify all files according to their SHA256 hashes, which reside inside the signed header, the signature of which rpm verifies on every rpmdb query. This gives you signature-strength verification of the files' contents.
IMA on the other hand is an extra level of protection to *prevent* you from running modified content.
- Panu -
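The thread asks which key produced the IMA signatures that rpm-plugin-ima writes to installed files. As an added example (not code from the thread or from Fedora), this parses a `security.ima` value laid out as the kernel's `struct signature_v2_hdr` and checks the key id it names against an allow-list. The sample bytes and the key id `deadbeef` are constructed, and the check reads the header only; it does not verify the signature itself.

```python
import os
import struct

# type(1) version(1) hash_algo(1) keyid(4, big-endian) sig_size(2, big-endian) sig...
HDR = struct.Struct(">BBBIH")
EVM_IMA_XATTR_DIGSIG = 0x03  # xattr type byte for a signature
HASH_ALGOS = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}  # subset of enum hash_algo


def read_ima_xattr(path):
    """Return the raw security.ima value for path, or None if the file has none."""
    try:
        return os.getxattr(path, "security.ima")
    except OSError:
        return None


def parse_ima_sig(raw):
    """Decode a version-2 IMA signature header; raise ValueError if malformed."""
    if len(raw) < HDR.size:
        raise ValueError("xattr too short to hold a signature header")
    xtype, version, algo, keyid, sig_size = HDR.unpack_from(raw)
    if xtype != EVM_IMA_XATTR_DIGSIG:
        raise ValueError(f"not a signature xattr (type 0x{xtype:02x})")
    if version != 2:
        raise ValueError(f"unsupported signature version {version}")
    sig = raw[HDR.size:]
    if len(sig) != sig_size:
        raise ValueError("declared signature size does not match payload")
    return {
        "hash_algo": HASH_ALGOS.get(algo, f"unknown({algo})"),
        "keyid": f"{keyid:08x}",
        "sig": sig,
    }


def names_trusted_key(raw, trusted_keyids):
    """True only if raw parses cleanly and names a key id in trusted_keyids."""
    try:
        return parse_ima_sig(raw)["keyid"] in trusted_keyids
    except ValueError:
        return False


# Constructed sample: sha256, key id deadbeef, 4-byte dummy signature payload.
SAMPLE = bytes([0x03, 0x02, 0x04]) + bytes.fromhex("deadbeef") + b"\x00\x04" + b"\x00\x01\x02\x03"

if __name__ == "__main__":
    print(parse_ima_sig(SAMPLE))
```

On a real file, pass the result of `read_ima_xattr(path)` to `names_trusted_key` after checking it is not `None`.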