#11620 Some packages are missing IMA file signatures
Closed: Fixed 2 years ago by humaton. Opened 2 years ago by ksrot.

  • Describe the issue

Some packages in Fedora 38 don't seem to carry IMA file signatures.

With the rpm-plugin-ima installed on my system I get file signatures installed for most files but not all of them. Some packages I found without IMA file signatures are:

jq-1.6-15.fc38.x86_64.rpm
gpgme-1.17.1-3.fc38.x86_64
uresourced-0.5.3-2.fc37.x86_64 ; F37 package that should be rebuilt
guile-2.0.14-30.fc38.x86_64
fcoe-utils-1.0.34-3.gitb233050.fc37.x86_64 ; F37 package ...

Reproducible: Always

Steps to Reproduce:
1. dnf -y install rpm-plugin-ima
2. dnf -y install jq
3. getfattr -m ^sec -e hex --dump /usr/bin/jq

The last command returns nothing for security.ima

Actual Results:

getfattr -m ^security -e hex --dump /usr/bin/jq

getfattr: Removing leading '/' from absolute path names

file: usr/bin/jq

security.selinux=0x73797374656d5f753a6f626a6563745f723a62696e5f743a733000

Expected Results:
There should be a security.ima xattr.

Another way to find unsigned files:

getfattr -m ^security -e hex --dump /usr/bin/ | grep -v security.selinux | less

This has been previously reported as
https://bugzilla.redhat.com/show_bug.cgi?id=2231396

  • When do you need this? (YYYY/MM/DD)
    Not urgent but please fix this at least for F38 packages.

  • When is this no longer needed or useful? (YYYY/MM/DD)
    After F38 EOL

  • If we cannot complete your request, what is the impact?
    Users won't be able to utilize IMA file signatures for system attestation.
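
An added example, not part of the original ticket or of Fedora's tooling: a Python parser for the `getfattr -e hex --dump` output shown above that lists files with no security.ima xattr. It goes slightly beyond the report by also flagging files whose security.ima holds only a hash rather than a signature, using the type byte from the kernel's `evm_ima_xattr_type` enum. The sample input and the path `usr/bin/example-signed` are constructed.

```python
import sys

# First byte of security.ima identifies the payload (kernel enum evm_ima_xattr_type).
IMA_TYPES = {0x01: "digest", 0x03: "signature", 0x04: "digest-ng"}

def parse_dump(text):
    """Parse `getfattr -e hex --dump` output into {path: {xattr_name: bytes}}."""
    files, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# file: "):
            current = files.setdefault(line[len("# file: "):], {})
        elif line.startswith("file: "):  # header as pasted in the ticket, '#' lost
            current = files.setdefault(line[len("file: "):], {})
        elif "=" in line and current is not None:
            name, _, value = line.partition("=")
            if value.startswith("0x"):
                current[name] = bytes.fromhex(value[2:])
    return files

def ima_status(xattrs):
    """Return 'missing', or the kind of security.ima payload present."""
    ima = xattrs.get("security.ima")
    if not ima:
        return "missing"
    return IMA_TYPES.get(ima[0], "unknown")

def unsigned_files(text):
    """Paths whose security.ima is absent or is not a signature."""
    return sorted(path for path, xattrs in parse_dump(text).items()
                  if ima_status(xattrs) != "signature")

# Constructed sample: the jq record is the one from the report above; the second
# record is made up (type byte 0x03 plus placeholder bytes, not a real signature).
SAMPLE = """\
# file: usr/bin/jq
security.selinux=0x73797374656d5f753a6f626a6563745f723a62696e5f743a733000

# file: usr/bin/example-signed
security.ima=0x030204deadbeef
security.selinux=0x73797374656d5f753a6f626a6563745f723a62696e5f743a733000
"""

if __name__ == "__main__":
    # Pipe real getfattr output in, or run with no pipe to see the sample result.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for path in unsigned_files(text):
        print(path)
```

getfattr only prints files that have at least one attribute matching `-m`, so this relies on every file carrying security.selinux, as on a default Fedora install.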


Yes, I saw the report but have not had time to investigate yet.

The packages that were not rebuilt don't have signatures because they were built before we enabled that, but I am not sure on others.

The not rebuilt ones will need their FTBFS bugs fixed and rebuilt.

Metadata Update from @phsmoura:
- Issue tagged with: low-gain, low-trouble, ops

2 years ago

Metadata Update from @humaton:
- Issue untagged with: low-gain, low-trouble
- Issue assigned to humaton
- Issue tagged with: medium-gain, medium-trouble

2 years ago

A few git cherry-pick commands for FTBFS, and here is the update that should fix this: https://bodhi.fedoraproject.org/updates/FEDORA-2023-900f17dd9c

The update is going to stable, closing.

Metadata Update from @humaton:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago
