> From: Neal Gompa [mailto:ngompa13@xxxxxxxxx]
> Sent: Saturday, January 1, 2022 3:47 PM
> On Sat, Jan 1, 2022 at 5:51 AM Vitaly Zaitsev via devel
> <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > On 31/12/2021 20:03, Nico Kadel-Garcia wrote:
> > > Sounds like, if this is enabled, they'll need a GPG key associated
> > > with their personal repository.
> >
> > Locally built packages are always unsigned.
> >
>
> They don't have to be, but yes, by default they are.
>
> And note, you can already configure DNF to require GPG validation of
> local packages by setting localpkg_gpgcheck=1 in dnf.conf.

Hi everyone

first, Happy New Year!

I agree that if you are a developer, often installing new software for testing, this feature makes things harder.

If you are installing software in the main system and running it as root, yes, you would have to install your GPG key (or the certificate of your RSA key) in the kernel keyring. And also, you should use rpmsign to sign your RPMs before you install them (assuming that you want IMA appraisal and not just measurement).

If you are testing software as a regular user, then enforcing a policy only on root processes will not affect your work (you can test unsigned RPMs).

This feature will not block VMs, so also there you can test things without restriction.

Currently, IMA does not support per container policy (it is under development), but in the future you would be able to test things in a container without restriction, and by having full enforcement on the root container.
Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua