#10731 F37: System wide change: Signed RPM Contents
Closed: Fixed 2 years ago by humaton. Opened 2 years ago by pbrobinson.

Please review the following system wide change:
https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents

This needs rel-eng engagement. A mass rebuild would ensure that all packages have the capability, if there's a mass rebuild scheduled for the release. This has been enabled temporarily in the past, so the overall process is now understood and generally in place.


Metadata Update from @mohanboddu:
- Issue tagged with: low-trouble, medium-gain, ops

2 years ago

Metadata Update from @humaton:
- Issue tagged with: changes, f37

2 years ago

We over in debuginfod land have been building extensions to support this IMA signing data for the purpose of download verification. We'd love to start testing this code ASAP, against F37 RPMs, or also against the older IMA-signed ones that were experimental for F34 IIRC. Can someone help us find some of those old RPMs, and also the signing certificate one can use to verify them at the client?

https://fedoraproject.org/wiki/Debuginfod

f37 rpms from the mass rebuild (and after) are all using ima now. ;)

I'm not sure we have any of the old ones around... koji deletes old signed copies if they aren't in a active tag. ;(

I am not sure where to get the cert. Perhaps @puiterwijk could comment?

We do need to publish the keys, both in the local install in /etc/pki/ somewhere and on https://getfedora.org/security/. @kevin, is the location of the pub key covered in the SOP? @puiterwijk did confirm to me that he verified the SOP was correct as part of creating the f37 key.

We do need to publish the keys, both in the local install in /etc/pki/ somewhere and on https://getfedora.org/security/. We need to make sure those bits are covered in the SOP, we can probably get the F38 key ready anytime given we'll be branching soon.

The f37 rpm-signing key is not the same as the f37 rpm-ima-content signing key?

The fedora-37-ima public key is:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUJgjZN51PqCtiIaojEavQKVvVZBh
tlKYBm28pwoX08tEInocFxJG5iuMPX7eti8jKtRn4MsMEpM7s16GjMKKoQ==
-----END PUBLIC KEY-----

Correct, the fedora-37 key and the fedora-37-ima keys are two distinct things.

That's the shortest public key I've ever seen (and gpg --import rejects it).
I believe the kernel machinery (and definitely debuginfod) would prefer the more original (?) x509 .crt to work from instead, if possible.

That's the shortest public key I've ever seen (and gpg --import rejects it).

It's not a gpg pub key.

To follow up on this thread, would it be possible to release the entire verification X.509 certificate as well? Some of the tooling in ima-evm-utils requires a certificate for signature verification.

And is there a timeline for when these keys will be published to https://getfedora.org/security/ ?
Thanks

Contents are signed, closing.

Metadata Update from @humaton:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Paul, can you please explain how we can confirm this? fedora-devel@ threads from a month ago indicated that fresh F37 rpms installed with rpm-plugin-ima already there do not seem to result in any getfattr -m - -d FILE IMA-related output.

And where can one find the signing key, such as on https://getfedora.org/security/ ?

% rpm -q --qf='[%{FILESIGNATURES}\n]' PACKAGE

on fedora 37, whether a downloaded fresh rpm from koji such as exim-4.96-5.fc37.aarch64.rpm, or an already installed rpm such as bash-5.2.2-1.fc37.x86_64, is EMPTY. Please confirm that this file signature rpm signing is actually done before closing this issue.
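An added example (not Fedora, rpm or ima-evm-utils code) that ties two questions in this thread together: why the posted key is not something `gpg --import` accepts, and what a FILESIGNATURES entry actually contains. It decodes the fedora-37-ima PEM above as a DER SubjectPublicKeyInfo (an EC key on P-256, not an OpenPGP packet), parses an IMA v2 signature blob in the kernel's struct signature_v2_hdr layout (the hex string rpm stores per file in FILESIGNATURES and the kernel keeps in the security.ima xattr), and reports which key a signature references, returning None for the empty entries described above. Assumptions: the keyid is the last four bytes of SHA-1 over the subjectPublicKey bit string (the RFC 5280 method-1 subject key identifier; cross-check against `evmctl ima_verify -v` for the real key), and the sample blob is constructed with a placeholder ECDSA value, so it is structurally valid but would not verify. A keyid match only says which key a signature names; cryptographic verification needs `evmctl ima_verify --key KEY FILE` or the kernel's own check.

```python
"""Inspect the fedora-37-ima key and an IMA v2 file-signature blob.

Added example, not Fedora/rpm/ima-evm-utils code. Assumed: the keyid is the
last 4 bytes of SHA-1 over the subjectPublicKey bit string (RFC 5280 method-1
SKID); the sample signature below is constructed and will not verify.
"""
import base64
import hashlib
import struct

FEDORA_37_IMA_PEM = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUJgjZN51PqCtiIaojEavQKVvVZBh
tlKYBm28pwoX08tEInocFxJG5iuMPX7eti8jKtRn4MsMEpM7s16GjMKKoQ==
-----END PUBLIC KEY-----"""

OID_NAMES = {
    "1.2.840.10045.2.1": "id-ecPublicKey",
    "1.2.840.10045.3.1.7": "prime256v1 (NIST P-256)",
    "1.2.840.113549.1.1.1": "rsaEncryption",
}
# First entries of the kernel's enum hash_algo (include/uapi/linux/hash_info.h).
HASH_ALGO_NAMES = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160",
                   4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}
EVM_IMA_XATTR_DIGSIG = 0x03   # xattr type byte for a digital signature
IMA_SIG_VERSION = 2


def _tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _oid(value):
    """Decode DER OBJECT IDENTIFIER contents to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not (b & 0x80):
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def pem_to_der(pem):
    body = "".join(ln for ln in pem.strip().splitlines() if not ln.startswith("-----"))
    return base64.b64decode(body)


def parse_spki(der):
    """Parse a SubjectPublicKeyInfo: algorithm OID, parameters, raw key bit string."""
    tag, spki, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE: this is not an X.509 SubjectPublicKeyInfo")
    _, algid, pos = _tlv(spki, 0)
    tag, bitstr, _ = _tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("subjectPublicKey is not a BIT STRING")
    _, oid, pos = _tlv(algid, 0)
    params = None
    if pos < len(algid):                    # EC keys carry the curve OID here
        ptag, pval, _ = _tlv(algid, pos)
        params = _oid(pval) if ptag == 0x06 else pval.hex()
    algorithm = _oid(oid)
    return {"algorithm": algorithm, "algorithm_name": OID_NAMES.get(algorithm, "unknown"),
            "parameters": params, "parameters_name": OID_NAMES.get(params, "unknown"),
            "key_bytes": bitstr[1:]}        # drop the unused-bits octet


def ima_keyid(der):
    """ASSUMED derivation: last 4 bytes of SHA-1 over the subjectPublicKey bit string."""
    return hashlib.sha1(parse_spki(der)["key_bytes"]).digest()[-4:]


def parse_ima_sig(blob):
    """Parse struct signature_v2_hdr. Returns None for an empty blob (file not IMA-signed)."""
    if not blob:
        return None
    if len(blob) < 9:
        raise ValueError("truncated IMA signature header")
    xtype, version, hash_algo, keyid, sig_size = struct.unpack(">BBBIH", blob[:9])
    if xtype != EVM_IMA_XATTR_DIGSIG or version != IMA_SIG_VERSION:
        raise ValueError(f"not an IMA v2 digital signature (type={xtype:#x}, version={version})")
    sig = blob[9:9 + sig_size]
    if len(sig) != sig_size:
        raise ValueError("signature payload shorter than sig_size")
    return {"hash_algo": HASH_ALGO_NAMES.get(hash_algo, f"{hash_algo:#x}"),
            "keyid": keyid.to_bytes(4, "big"), "signature": sig}


def filesignature_names_key(hex_entry, pem):
    """One FILESIGNATURES entry (hex, possibly empty) + PEM key -> None (unsigned),
    True (signature names this key) or False (another key). Not a crypto check."""
    parsed = parse_ima_sig(bytes.fromhex(hex_entry))
    if parsed is None:
        return None
    return parsed["keyid"] == ima_keyid(pem_to_der(pem))


def constructed_sample_blob(keyid, sig=b"\x30\x06\x02\x01\x01\x02\x01\x01"):
    """Constructed test input: sha256 header plus a placeholder DER ECDSA-Sig-Value
    (r=1, s=1). Structure only; it would never verify against the key."""
    return struct.pack(">BBBIH", EVM_IMA_XATTR_DIGSIG, IMA_SIG_VERSION, 4,
                       int.from_bytes(keyid, "big"), len(sig)) + sig


if __name__ == "__main__":
    der = pem_to_der(FEDORA_37_IMA_PEM)
    info = parse_spki(der)
    print(f"{len(der)}-byte SPKI: {info['algorithm_name']} on {info['parameters_name']}, "
          f"{len(info['key_bytes'])}-byte point, leading byte {info['key_bytes'][0]:#x}")
    print("assumed keyid:", ima_keyid(der).hex())
    for entry in (constructed_sample_blob(ima_keyid(der)).hex(), ""):
        print(repr(entry[:24]), "->", filesignature_names_key(entry, FEDORA_37_IMA_PEM))
```

To feed it real data: `rpm -qp --qf '[%{FILENAMES} %{FILESIGNATURES}\n]' PACKAGE.rpm` prints one hex entry per file (an empty entry is the EMPTY result reported above), and `getfattr -n security.ima -e hex FILE` shows the same blob once the package is installed with rpm-plugin-ima active.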
