Re: Fedora 34 Change: Signed RPM Contents (late System-Wide Change)

On Tue, Jan 5, 2021, at 1:05 PM, Ben Cotton wrote:
> 
> https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents

There's a bunch of related discussion in https://github.com/coreos/rpm-ostree/issues/1883

I think probably rather than having RPMs *also* include IMA signatures by default it'd be better to document/support tooling to implement the model of "add local signatures from a local key" that hooks into an unpacking procedure from tools like dnf/rpm-ostree, as well as podman.  For all 3 the obvious thing to do is basically have a policy that "bridges" upstream transport integrity signatures (GPG) into signing with a local key.

Basically all 3 would want a config file like:
```
$ cat > /etc/containers/storage.conf << EOF
[ima]
key=kernel-keyring://...
EOF
```

That'd be better because it would also apply to not-RPM sources and also better match what one needs to do for a truly "sealed" system as noted in that rpm-ostree issue where the system configuration is also locked, etc.

AFAICS the documentation for IMA is...not great.  I think this is related to its "meh" benefit with respect to security - we don't enable it by default because the benefit isn't really worth the cost in the general case.

I found
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_monitoring_and_updating_the_kernel/enhancing-security-with-the-kernel-integrity-subsystem_managing-monitoring-and-updating-the-kernel
but it's pretty sparse.  The upstream docs
https://sourceforge.net/p/linux-ima/wiki/Home/
of course suffer badly from the fact that they're generic to both distribution and software management system.

I'm guessing based on the submitters at least some of this is intended to apply to an rpm-ostree based system?  Would like to take some design if that's the case to that issue, but we can also discuss here.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
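The "bridge" policy sketched in the message above (verify the upstream transport signature, then re-sign every unpacked file with a local key so IMA appraisal can check it later), as an added example that is not code from the post nor from rpm-ostree, dnf or podman. It is a stand-alone model: ed25519 keys stand in for the upstream GPG key and for the local key that would live in the kernel keyring, an in-memory map stands in for the `security.ima` xattr, and the package contents are constructed inline. The manifest format, the `Package` type and the function names are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Package models an unpacked artifact (an RPM payload or a container layer):
// file contents keyed by path, plus the upstream transport signature over the
// manifest. ed25519 stands in for GPG here (constructed example).
type Package struct {
	Files        map[string][]byte
	TransportSig []byte
}

// manifest is the canonical byte string the upstream key signs:
// sorted "path sha256hex\n" lines (assumed format, not RPM's).
func manifest(files map[string][]byte) []byte {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&b, "%s %x\n", p, sum)
	}
	return []byte(b.String())
}

// LocalSigs is the bridge output: one local IMA-style signature per path,
// each over the file's sha256 digest (the value IMA appraises). In a real
// system this would be written to the security.ima xattr of each file.
type LocalSigs map[string][]byte

// Bridge implements the policy: only if the upstream transport signature
// verifies do we sign every file digest with the local key.
func Bridge(pkg Package, upstreamPub ed25519.PublicKey, localPriv ed25519.PrivateKey) (LocalSigs, error) {
	if !ed25519.Verify(upstreamPub, manifest(pkg.Files), pkg.TransportSig) {
		return nil, errors.New("upstream transport signature invalid: refusing to bridge")
	}
	sigs := LocalSigs{}
	for p, data := range pkg.Files {
		d := sha256.Sum256(data)
		sigs[p] = ed25519.Sign(localPriv, d[:])
	}
	return sigs, nil
}

// Appraise is the consumer side (what IMA appraisal does at open/exec time):
// recompute the digest of the content actually on disk and verify it against
// the stored local signature. Unknown paths and modified content both fail.
func Appraise(path string, content []byte, sigs LocalSigs, localPub ed25519.PublicKey) bool {
	sig, ok := sigs[path]
	if !ok {
		return false
	}
	d := sha256.Sum256(content)
	return ed25519.Verify(localPub, d[:], sig)
}

// Demo builds a constructed package, runs the bridge, and reports whether
// (1) a bridged file appraises, (2) tampered content is rejected, and
// (3) a package with a bad upstream signature is never bridged at all.
func Demo() (bridgedOK, tamperedRejected, badUpstreamRejected bool) {
	upPub, upPriv, _ := ed25519.GenerateKey(rand.Reader)   // stand-in for the distro GPG key
	locPub, locPriv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the local keyring key
	files := map[string][]byte{ // constructed package contents
		"/usr/bin/hello":      []byte("#!/bin/sh\necho hello\n"),
		"/usr/lib/hello.conf": []byte("greeting=hello\n"),
	}
	pkg := Package{Files: files, TransportSig: ed25519.Sign(upPriv, manifest(files))}

	sigs, err := Bridge(pkg, upPub, locPriv)
	bridgedOK = err == nil && Appraise("/usr/bin/hello", files["/usr/bin/hello"], sigs, locPub)
	tamperedRejected = err == nil && !Appraise("/usr/bin/hello", []byte("#!/bin/sh\necho modified\n"), sigs, locPub)

	// Corrupt one byte of the transport signature: the bridge must refuse.
	bad := pkg
	bad.TransportSig = append([]byte{}, pkg.TransportSig...)
	bad.TransportSig[0] ^= 0xff
	_, badErr := Bridge(bad, upPub, locPriv)
	badUpstreamRejected = badErr != nil
	return
}

func main() {
	a, b, c := Demo()
	fmt.Printf("bridged ok: %v, tampered rejected: %v, bad upstream rejected: %v\n", a, b, c)
}
```

The point of the split between `Bridge` and `Appraise` is the one the message makes: the upstream signature is only checked once, at unpack time, by the package or image tool, while the local key is what the kernel trusts afterwards, so the same policy applies whether the files came from an RPM, an ostree commit or a container layer. On a real system the per-file step would be done with the IMA signing tools (for example `evmctl ima_sign` from ima-evm-utils writing `security.ima`) rather than an in-memory map.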