From 162ed1ae85bb2b8f2433ceee1cec2147922780ae Mon Sep 17 00:00:00 2001 From: Tomas Kopecek Date: Jan 07 2022 11:46:20 +0000 Subject: PR#3206: doc: explain IMA signing vs usual RPM signing Merges #3206 https://pagure.io/koji/pull-request/3206 --- diff --git a/docs/source/signing.rst b/docs/source/signing.rst index 71eecdc..cbc101f 100644 --- a/docs/source/signing.rst +++ b/docs/source/signing.rst @@ -179,3 +179,15 @@ Another reason this is important is for image-based artifacts that might use many RPMs. If you think of cloud images or container images where you're delivering an image with "preinstalled" RPMs, if you use signed RPMs in the images you distribute, you're providing an extra layer of security. + +How do RPM signatures relate to IMA signing? +-------------------------------------------- + +IMA stands for `"Integrity Measurement Architecture" +`_. +It's a separate type of signature. RHEL-9 is the first release to have IMA +signing enabled. The change is still `under discussion +`_ for Fedora. + +IMA does not replace RPM signing. RPM signing is orthogonal to IMA. Packages +can be both RPM-signed and IMA signed at the same time.
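Review bot: In the added "How do RPM signatures relate to IMA signing?" section, the sentence "It's a separate type of signature" does not say what an IMA signature covers or when it is verified, so the section asserts that the two are orthogonal without giving the reader the distinction the heading asks about. Suggest adding one sentence stating what an IMA signature is applied to and at which point it is checked, set against what the RPM signature described earlier in signing.rst protects. "RHEL-9 is the first release to have IMA signing enabled" would also read more clearly as "the first RHEL release", since the next sentence switches to Fedora. Two smaller points: the last line writes "RPM-signed and IMA signed", so hyphenate both or neither, and both hyperlink references in the hunk as shown here ("Integrity Measurement Architecture" and "under discussion") close with `_ and no visible target, so check that the URLs are present in the committed file.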