On Tue, Jan 5, 2021, at 1:05 PM, Ben Cotton wrote:
> https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents

There's a bunch of related discussion in https://github.com/coreos/rpm-ostree/issues/1883

I think probably rather than having RPMs *also* include IMA signatures by default it'd be better to document/support tooling to implement the model of "add local signatures from a local key" that hooks into an unpacking procedure from tools like dnf/rpm-ostree, as well as podman.

For all 3 the obvious thing to do is basically have a policy that "bridges" upstream transport integrity signatures (GPG) into signing with a local key. Basically all 3 would want a config file like:

```
$ cat > /etc/containers/storage.conf << EOF
[ima]
key=kernel-keyring://...
```

That'd be better because it would also apply to not-RPM sources and also better match what one needs to do for a truly "sealed" system as noted in that rpm-ostree issue where the system configuration is also locked, etc.

AFAICS the documentation for IMA is...not great. I think this is related to its "meh" benefit with respect to security - we don't enable it by default because the benefit isn't really worth the cost in the general case. I found https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_monitoring_and_updating_the_kernel/enhancing-security-with-the-kernel-integrity-subsystem_managing-monitoring-and-updating-the-kernel but it's pretty sparse. The upstream docs https://sourceforge.net/p/linux-ima/wiki/Home/ of course suffer badly from the fact that they're generic to both distribution and software management system.

I'm guessing based on the submitters at least some of this is intended to apply to an rpm-ostree based system? Would like to take some design if that's the case to that issue, but we can also discuss here.
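The "bridge" policy sketched in the message above, as an added illustration that is not code from the post, from rpm-ostree or from the kernel: a file gets a local IMA signature only after its upstream transport signature (the RPM's GPG signature) has verified, and the resulting `security.ima` value follows the kernel's `signature_v2` xattr layout. The `signer` callable, the HMAC stand-in and the `keyid` are constructed placeholders for a real keyring-backed RSA/ECDSA signer.

```python
import hashlib
import hmac
import os
import struct
from typing import Callable, Optional

# Layout of the kernel's IMA signature xattr (security/integrity/integrity.h):
#   u8 type, u8 version, u8 hash_algo, be32 keyid, be16 sig_size, u8 sig[]
EVM_IMA_XATTR_DIGSIG = 0x03      # xattr type: digital signature
SIG_VERSION_2 = 0x02
HASH_ALGO_SHA256 = 4             # enum hash_algo, include/uapi/linux/hash_info.h
HDR = struct.Struct(">BBBIH")


def keyid_from_skid(skid: bytes) -> int:
    """IMA keyid = last 4 bytes of the signing cert's subjectKeyIdentifier."""
    return int.from_bytes(skid[-4:], "big")


def ima_xattr(sig: bytes, keyid: int, hash_algo: int = HASH_ALGO_SHA256) -> bytes:
    """Encode a signature_v2 security.ima value."""
    return HDR.pack(EVM_IMA_XATTR_DIGSIG, SIG_VERSION_2, hash_algo, keyid, len(sig)) + sig


def parse_ima_xattr(blob: bytes) -> dict:
    """Decode security.ima, rejecting truncated or non-signature values."""
    if len(blob) < HDR.size:
        raise ValueError("xattr shorter than signature_v2 header")
    xtype, ver, algo, keyid, sig_size = HDR.unpack_from(blob)
    if xtype != EVM_IMA_XATTR_DIGSIG or ver != SIG_VERSION_2:
        raise ValueError("not an IMA signature_v2 xattr")
    if len(blob) != HDR.size + sig_size:
        raise ValueError("sig_size does not match payload length")
    return {"hash_algo": algo, "keyid": keyid, "sig": blob[HDR.size:]}


def bridge_sign(content: bytes, upstream_verified: bool,
                signer: Callable[[bytes], bytes], keyid: int) -> Optional[bytes]:
    """Bridge policy: sign locally only if the upstream (GPG) check passed.
    IMA signs the file digest, so that is what the signer receives."""
    if not upstream_verified:
        return None                      # unverified content gets no local seal
    digest = hashlib.sha256(content).digest()
    return ima_xattr(signer(digest), keyid)


def apply_xattr(path: str, blob: bytes) -> None:
    """Attach the value as security.ima (needs CAP_SYS_ADMIN on a real system)."""
    os.setxattr(path, "security.ima", blob)


# Constructed stand-in signer; a real deployment would use the keyring key
# named in the [ima] config stanza with an asymmetric algorithm, not HMAC.
DEMO_KEY = b"constructed-demo-key-not-for-use"
demo_signer = lambda digest: hmac.new(DEMO_KEY, digest, "sha256").digest()
```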