On Thu, 2022-01-06 at 10:16 +0000, Patrick マルタインアンドレアス Uiterwijk wrote: > Hi Ken, > > > > > I want to add "intro to IMA signing" instructions to > > https://docs.pagure.org/koji/signing/ . I wrote a basic PR at > > https://pagure.io/koji/pull-request/3206 but it lacks technical > > details. > > That'd be cool! > > > > > - How do I generate my own new keypair so I can IMA-sign an RPM? > > You can generate the key with the standard OpenSSL commands. > For example, an RSA key can be generated like: > openssl genrsa | openssl pkcs8 -topk8 -nocrypt -outform DER -out privatekey.der Just a heads-up that genrsa is deprecated and genpkey -algorithm RSA (or better RSA-PSS) should be used instead (genrsa will simply fail in FIPS mode for example). Simo. > (do note that the key will need to be in DER format). > > You can then generate a corresponding (self-signed) certificate for validation with: > > openssl req -x509 -key privatekey.der -out certificate.pem -days 365 -keyform DER > > > > > - Can I use my existing GPG keypair? > > Mathematically, yes. Practically, no. > The key format RPM (libimaevm) reads for signing is DER, so you'd have to convert the actual key bits from the GPG format to DER. > > > > > - How do I IMA-sign files in an RPM locally (apart from Koji)? (Is it > > the --signfiles option from rpmsign(8)?) > > Yes, it's the --signfiles option. > > > > > - How do I inspect the IMA signatures on an existing RPM? > > The signatures are stored in the FILESIGNATURES rpm sighdr (with tag RPMTAG_SIG_BASE + 18, so 274), as a hex-encoded string array. > I have some code for reading and parsing the signatures at https://github.com/fedora-iot/rpm-head-signing/blob/main/rpm_head_signing/extract_rpm_with_filesigs.py . > > > > > - When I gpg-sign an RPM with "Key A" and IMA-sign an RPM with "Key > > B", does Koji "know" about Key B at all? > > Koji at this moment does not look at or touch the FILESIGNATURES header. > It copies it into its signature store (because the tag is in the sighdr), and will re-insert it into the resulting RPM, but it has no clue it's even there. > This also means that the RPMs that are signed with {rpm_key=keyA, ima_key=keyB} and {rpm_key=keyA, ima_key=keyC} are seen as having the same signature, and thus would result in the hub rejecting the new signature until the old one gets removed. > It would absolutely be useful to have this information also stored in koji and a part of the index for the signatures, but that hasn't been done yet. > > Patrick > _______________________________________________ > devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure -- Simo Sorce RHEL Crypto Team Red Hat, Inc _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
