#2779 Change proposal: Signed RPM Contents
Closed: Accepted 3 months ago by kevin. Opened 3 months ago by bcotton.

We want to add signatures to individual files that are part of shipped RPMs.

These signatures will use the Linux IMA (Integrity Measurement Architecture) scheme, which means they can be used to enforce runtime policies to ensure execution of only trusted files.

Is there any data on how this will impact koji build times?

It should have no impact at all on build times. Signing is done after builds are complete, at the same time rpm signing happens.


Let's see if this blows up sigul/robosignatory during the F37 mass rebuild :)

From @puiterwijk "insignificant amounts of time. It's an ECDSA signature with a key that's loaded once, operating on just the header."

After a week, the vote is

APPROVED (+4,0,-0)

Metadata Update from @bcotton:
- Issue tagged with: pending announcement

3 months ago

Metadata Update from @kevin:
- Issue close_status updated to: Accepted
- Issue status updated to: Closed (was: Open)

3 months ago

Login to comment on this ticket.