On Tue, Jan 5, 2021 at 1:05 PM Ben Cotton <bcotton@xxxxxxxxxx> wrote: > > https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents > > Note that this change was submitted after the deadline, but since it can be shipped in an complete state, I am still processing it for Fedora 34. > > > == Summary == > We want to add signatures to individual files that are part of shipped RPMs. > These signatures will use the Linux IMA (Integrity Measurement Architecture) scheme, which means they can be used to enforce runtime policies to ensure execution of only trusted files. > > == Owner == > * Name: [[User:Puiterwijk| Patrick Uiterwijk]] > * Email: puiterwijk@xxxxxxxxxx > * Name: [[User:Pbrobinson| Peter Robinson]] > * Email: pbrobinson@xxxxxxxxx > > > == Detailed Description == > > During signing builds, the files in it will be signed with IMA signatures.. > These signatures will be made with a key that’s kept by the Fedora Infrastructure team, and installed on the sign vaults. > > > == Benefit to Fedora == > > Having all files signed with a verifiable key means that system owners can use the kernel Integrity and Measurement Architecture (IMA) to enforce only verified files can be executed, or define other policies. > > == Scope == > * Proposal owners: > The proposal owners will write the code for sigul to pass the required arguments, generate the keys in Infrastructure and get them deployed to the sign vaults. > > * Other developers: > Nothing needed from other developers > > * Release engineering: > A mass rebuild would be nice (as it ensures all packages are signed), but is not required to implement the change itself. > While having IMA is nice, can we *please* have repodata signing too? It's been asked many times over the past decade[1][2][3][4][5], and even if we don't enable it in our repo configuration files by default, it'd be great to have it optionally available for users to leverage. [1]: https://pagure.io/releng/issue/1501 [2]: https://pagure.io/koji/issue/835 [3]: https://pagure.io/pungi/issue/506 [4]: https://pagure.io/releng/issue/133 [5]: https://pagure.io/fedora-infrastructure/issue/9436 -- 真実はいつも一つ!/ Always, there's only one truth! _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
