On Tue, Jan 5, 2021 at 1:39 PM Neal Gompa <ngomp...@gmail.com> wrote: > > On Tue, Jan 5, 2021 at 1:05 PM Ben Cotton <bcot...@redhat.com> wrote: > > > > https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents > > > > Note that this change was submitted after the deadline, but since it can be > > shipped in an complete state, I am still processing it for Fedora 34. > > > > > > == Summary == > > We want to add signatures to individual files that are part of shipped RPMs. > > These signatures will use the Linux IMA (Integrity Measurement > > Architecture) scheme, which means they can be used to enforce runtime > > policies to ensure execution of only trusted files. > > > > == Owner == > > * Name: [[User:Puiterwijk| Patrick Uiterwijk]] > > * Email: puiterw...@redhat.com > > * Name: [[User:Pbrobinson| Peter Robinson]] > > * Email: pbrobin...@gmail.com > > > > > > == Detailed Description == > > > > During signing builds, the files in it will be signed with IMA signatures.. > > These signatures will be made with a key that’s kept by the Fedora > > Infrastructure team, and installed on the sign vaults. > > > > > > == Benefit to Fedora == > > > > Having all files signed with a verifiable key means that system owners can > > use the kernel Integrity and Measurement Architecture (IMA) to enforce only > > verified files can be executed, or define other policies. > > > > == Scope == > > * Proposal owners: > > The proposal owners will write the code for sigul to pass the required > > arguments, generate the keys in Infrastructure and get them deployed to the > > sign vaults. > > > > * Other developers: > > Nothing needed from other developers > > > > * Release engineering: > > A mass rebuild would be nice (as it ensures all packages are signed), but > > is not required to implement the change itself. > > > > While having IMA is nice, can we *please* have repodata signing too? > It's been asked many times over the past decade[1][2][3][4][5], and > even if we don't enable it in our repo configuration files by default, > it'd be great to have it optionally available for users to leverage.
I'd suggest starting a separate thread on this, or better, create a separate Change. josh _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
