Hi Russell,

> For typical uses of Linux you would want pre-signed executables. You want to
> have the system running the programs to not have the signing key and provide
> the signatures from a trusted system.
>
> I've been thinking of having some sort of system that proxies the packages of
> software and creates signatures for them. The default signing includes the
> Inode number of the file; that can be disabled or the system installing could
> say "give me a signature for /bin/bash from package bash version 5.2~rc2-2
> with Inode 27597791".

EVM portable & immutable signatures do not include the inode.

>
> The next issue is that the current kernel code doesn't allow signing unsigned
> files unless you boot with "ima_appraise=fix evm=fix" on the kernel
> command-line. I've been thinking of writing a kernel patch to give a compile
> time option to remove that requirement.

When EVM is initialized to only support portable & immutable signatures (no HMAC key), then the file metadata may be updated. Refer to the last paragraph of the cover letter:

https://lore.kernel.org/linux-integrity/20210514152753.982958-1-roberto.sassu@xxxxxxxxxx/

--
thanks,
Mimi