On 11/28/24 2:26 AM, Isaiah Inuwa via packaging wrote:
I am interested in verifying files from packages installed from Fedora's repos. (For context this is related to determining allowed origins for various applications using a new WebAuthn API.) Are there any further docs on verifying signatures?
Depends on what kind of verification you're after.
Simple 'rpm -Va' will verify all files according to their SHA256 hash,
which reside inside the signed header, signature that rpm verifies on
every rpmdb query. Which gives you signature strength verification of
the files contents.
IMA on the other hand is an extra level of protection to *prevent* you
from running modified content.
- Panu -
--
_______________________________________________
packaging mailing list -- packaging@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to packaging-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/packaging@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
