https://ima-doc.readthedocs.io/en/latest/index.html

I'm trying to pull together and maintain up-to-date IMA documentation.

I don't have anything on user-level verification because IMA does it (appraisal) in the kernel.

1. Maybe something in this doc will help.
2. Contributions are welcome.

> -----Original Message-----
> From: Kevin Fenzi via packaging <packaging@xxxxxxxxxxxxxxxxxxxxxxx>
> Sent: Thursday, November 28, 2024 2:43 PM
> To: Discussion of RPM packaging standards and practices for Fedora <packaging@xxxxxxxxxxxxxxxxxxxxxxx>
> Cc: Kevin Fenzi <kevin@xxxxxxxxx>
> Subject: [EXTERNAL] [Fedora-packaging] Re: IMA Key Verification
>
> On Thu, Nov 28, 2024 at 12:26:37AM +0000, Isaiah Inuwa via packaging wrote:
> > I am interested in verifying files from packages installed from Fedora's repos. (For context this is related to determining allowed origins for various applications using a new WebAuthn API.) Are there any further docs on verifying signatures?
>
> I don't think there's any Fedora-specific ones (but it would be great if someone would write some up, perhaps as a quickdoc?)
>
> RHEL does have docs:
>
> https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/managing_monitoring_and_updating_the_kernel/enhancing-security-with-the-kernel-integrity-subsystem_managing-monitoring-and-updating-the-kernel
>
> (boy that's quite a long url, sorry)
>
> > From the Bugzilla linked in https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents, it looks like you need to install rpm-plugin-ima, and then reinstall any packages so that the signatures are written to the locally installed files. The spec page mentions IMA keys being published on the Fedora security page, but only GPG keys are listed. Are those the same keys used to generate the IMA signatures?
>
> You can find the certs in the fedora-gpg-keys package (both the CA and each release IMA)
>
> They are distributed as DER files because that's what the IMA tooling expects. I am not sure how that could be represented on a web page. ;(