On Thu, Jan 6, 2022 at 5:17 AM Patrick マルタインアンドレアス Uiterwijk <puiterwijk@xxxxxxxxxx> wrote:
> > - How do I generate my own new keypair so I can IMA-sign an RPM?
>
> You can generate the key with the standard OpenSSL commands.
> For example, an RSA key can be generated like:
> openssl genrsa | openssl pkcs8 -topk8 -nocrypt -outform DER -out privatekey.der
>
> (do note that the key will need to be in DER format).

Thanks for these tips.

rpm-sign complains when I use a DER-formatted key. I switched to a regular PEM-formatted key file, and that works.

Looking at libimaevm's read_priv_pkey(), it checks for a "pkcs11:" URI, and if it doesn't find that string prefix, it just calls fopen and PEM_read_PrivateKey.

Reading rpm_head_signing/verify_rpm.py it looks like you're sending a DER-formatted file to "evmctl ima_verify". I guess that's where the DER format comes in?

Something else I'm wondering: rpmsign writes those four-byte "keyid" values to my FILESIGNATURE entries even if I don't have a public cert at all. How does it do that? I see verify_rpm.py checks the RPM's keyid values against the final four bytes of a sha1 of a public certificate, but what if I haven't generated that yet?

Also, on Rawhide, rpmsign fails with an error in EVP_PKEY_sign. Example with a random SRPM:

rpmsign --addsign --define "_gpg_name security@xxxxxxxxxxx" --signfiles --fskpath privatekey.pem bash-5.1.8-3.fc36.src.rpm

bash-5.1.8-3.fc36.src.rpm:
hash(sha1): 9958fb4ee30415c75bd992982ac1463c6ff6ce739e00aaf7d7ad992feb0b40f1
sign_hash_v2: signing failed: (invalid digest length) in EVP_PKEY_sign
openssl: error:1C8000A6:Provider routines::invalid digest length
error: sign_hash failed
error: signFile failed

Since this works on CentOS Stream 9, I updated my Rawhide test environment from ima-evm-utils-1.3.2-4.fc36 to the version in CentOS 9 Stream (ima-evm-utils-1.4-4), then rebuilt rpm-4.17.0-4.fc36 against the newer libimaevm.so.3.0.0, and then I could use --signfiles in Rawhide.
My builds are at https://fedorapeople.org/~ktdreyer/ima/ . I think the next step is to get ima-evm-utils 1.4 into Fedora.

- Ken

devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
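An added example (not code from this thread, rpm or ima-evm-utils) showing what the four-byte "keyid" Ken asks about looks like inside a FILESIGNATURES entry, plus the two checks a packager would want before and after signing: that the keyid in a signature matches the last four bytes of a SHA-1 (the rule verify_rpm.py is described as using), and that a file digest actually has the length of the hash it is labelled with, which is the mismatch EVP_PKEY_sign reports as "invalid digest length". Assumptions: the FILESIGNATURES value is the hex encoding of the packed signature_v2_hdr (type, version, hash_algo, keyid, sig_size, then the signature bytes), the hash_algo numbering follows the kernel's enum hash_algo, and the sample signature and key bytes are constructed, not real.

```python
import hashlib
import struct

# enum hash_algo values carried in the header (assumed: kernel / ima-evm-utils numbering)
HASH_ALGO = {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}
EVM_IMA_XATTR_DIGSIG = 0x03      # type byte of an IMA digital signature
HDR = struct.Struct(">BBB4sH")   # type, version, hash_algo, keyid, sig_size (packed, big-endian)


def parse_ima_sig_v2(hex_sig: str) -> dict:
    """Parse one RPM FILESIGNATURES value (assumed: hex of a signature_v2_hdr blob)."""
    raw = bytes.fromhex(hex_sig)
    if len(raw) < HDR.size:
        raise ValueError("too short for a signature_v2_hdr")
    sig_type, version, algo, keyid, sig_size = HDR.unpack_from(raw)
    if sig_type != EVM_IMA_XATTR_DIGSIG or version != 2:
        raise ValueError(f"not an IMA v2 signature (type={sig_type:#x}, version={version})")
    sig = raw[HDR.size:]
    if len(sig) != sig_size:
        raise ValueError(f"sig_size {sig_size} != {len(sig)} trailing bytes")
    return {"hash_algo": HASH_ALGO.get(algo, f"unknown({algo})"),
            "keyid": keyid.hex(), "sig_size": sig_size}


def keyid_from_sha1(sha1_digest: bytes) -> str:
    """Key id as the thread describes it: the last four bytes of a SHA-1 digest."""
    return sha1_digest[-4:].hex()


def keyid_matches(hex_sig: str, sha1_digest: bytes) -> bool:
    """Does the keyid embedded in the signature belong to the key whose SHA-1 is given?"""
    return parse_ima_sig_v2(hex_sig)["keyid"] == keyid_from_sha1(sha1_digest)


def digest_length_ok(algo_name: str, digest_hex: str) -> bool:
    """Pre-flight check: a digest must be exactly as long as the hash it is labelled with,
    otherwise the signing step fails with OpenSSL's 'invalid digest length'."""
    return len(bytes.fromhex(digest_hex)) == hashlib.new(algo_name).digest_size


# Constructed sample (not a real key or signature): 256 dummy signature bytes, the size
# of a 2048-bit RSA signature, under a header that claims the file digest is sha256.
SAMPLE_SHA1 = hashlib.sha1(b"constructed public key bytes").digest()
SAMPLE_SIG = (HDR.pack(EVM_IMA_XATTR_DIGSIG, 2, 4, SAMPLE_SHA1[-4:], 256) + bytes(256)).hex()

if __name__ == "__main__":
    print(parse_ima_sig_v2(SAMPLE_SIG))
    print(keyid_matches(SAMPLE_SIG, SAMPLE_SHA1))
    # 64 hex digits labelled sha1: the shape of the hash line in the failing rpmsign run
    print(digest_length_ok("sha1", "9958fb4ee30415c75bd992982ac1463c6ff6ce739e00aaf7d7ad992feb0b40f1"))
```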