Re: Fedora 34 Change: Signed RPM Contents (late System-Wide Change)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Jan 5, 2021 at 6:39 PM Neal Gompa <ngompa13@xxxxxxxxx> wrote:
>
> On Tue, Jan 5, 2021 at 1:05 PM Ben Cotton <bcotton@xxxxxxxxxx> wrote:
> >
> > https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents
> >
> > Note that this change was submitted after the deadline, but since it can be shipped in an complete state, I am still processing it for Fedora 34.
> >
> >
> > == Summary ==
> > We want to add signatures to individual files that are part of shipped RPMs.
> > These signatures will use the Linux IMA (Integrity Measurement Architecture) scheme, which means they can be used to enforce runtime policies to ensure execution of only trusted files.
> >
> > == Owner ==
> > * Name: [[User:Puiterwijk| Patrick Uiterwijk]]
> > * Email: puiterwijk@xxxxxxxxxx
> > * Name: [[User:Pbrobinson| Peter Robinson]]
> > * Email: pbrobinson@xxxxxxxxx
> >
> >
> > == Detailed Description ==
> >
> > During signing builds, the files in it will be signed with IMA signatures..
> > These signatures will be made with a key that’s kept by the Fedora Infrastructure team, and installed on the sign vaults.
> >
> >
> > == Benefit to Fedora ==
> >
> > Having all files signed with a verifiable key means that system owners can use the kernel Integrity and Measurement Architecture (IMA) to enforce only verified files can be executed, or define other policies.
> >
> > == Scope ==
> > * Proposal owners:
> > The proposal owners will write the code for sigul to pass the required arguments, generate the keys in Infrastructure and get them deployed to the sign vaults.
> >
> > * Other developers:
> > Nothing needed from other developers
> >
> > * Release engineering:
> > A mass rebuild would be nice (as it ensures all packages are signed), but is not required to implement the change itself.
> >
>
> While having IMA is nice, can we *please* have repodata signing too?
> It's been asked many times over the past decade[1][2][3][4][5], and
> even if we don't enable it in our repo configuration files by default,
> it'd be great to have it optionally available for users to leverage.

This is completely unrelated please don't try and derail the topic.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux