On Thu, Jan 6, 2022 at 5:17 AM Patrick マルタインアンドレアス Uiterwijk
<puiterw...@redhat.com> wrote:
> > - How do I generate my own new keypair so I can IMA-sign an RPM?
>
> You can generate the key with the standard OpenSSL commands.
> For example, an RSA key can be generated like:
> openssl genrsa | openssl pkcs8 -topk8 -nocrypt -outform DER -out privatekey.der
>
> (do note that the key will need to be in DER format).

Thanks for these tips.

rpm-sign complains when I use a DER-formatted key. I switched to a
regular PEM-formatted key file, and that works. Looking at libimaevm's
read_priv_pkey(), it checks for a "pkcs11:" URI, and if it doesn't
find that string prefix, it just calls fopen and PEM_read_PrivateKey.

Reading rpm_head_signing/verify_rpm.py it looks like you're sending a
DER-formatted file to "evmctl ima_verify". I guess that's where the
DER format comes in?

Something else I'm wondering: rpmsign writes those four-byte "keyid"
values to my FILESIGNATURE entries even if I don't have a public cert
at all. How does it do that? I see verify_rpm.py checks the RPM's
keyid values against the final four bytes of a sha1 of a public
certificate, but what if I haven't generated that yet?

Also, on Rawhide, rpmsign fails with an error in EVP_PKEY_sign.
Example with a random SRPM:

rpmsign --addsign --define "_gpg_name secur...@example.com"
--signfiles --fskpath privatekey.pem bash-5.1.8-3.fc36.src.rpm
bash-5.1.8-3.fc36.src.rpm:
hash(sha1): 9958fb4ee30415c75bd992982ac1463c6ff6ce739e00aaf7d7ad992feb0b40f1
sign_hash_v2: signing failed: (invalid digest length) in EVP_PKEY_sign
openssl: error:1C8000A6:Provider routines::invalid digest length
error: sign_hash failed
error: signFile failed

Since this works on CentOS Stream 9, I updated my Rawhide test
environment from ima-evm-utils-1.3.2-4.fc36 to the version in CentOS 9
Stream (ima-evm-utils-1.4-4), then rebuilt rpm-4.17.0-4.fc36 against
the newer libimaevm.so.3.0.0, and then I could use --signfiles in
Rawhide. My builds are at https://fedorapeople.org/~ktdreyer/ima/ .

I think the next step is to get ima-evm-utils 1.4 into Fedora.

- Ken
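How a verifier such as the verify_rpm.py mentioned above can match an RPM file signature to a public key, as an added example (this is not code from the thread, from rpm or from rpm-head-signing). It assumes the keyid is derived the way ima-evm-utils' calc_keyid_v2 does it, the last four bytes of SHA-1 over the DER SubjectPublicKeyInfo of the public key, and that each FILESIGNATURES entry is the hex of a v2 IMA signature blob whose header carries that keyid; the key material and signature entry used below are constructed, not real signing material.

```python
import hashlib

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body  # long-form length

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v: int) -> bytes:
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # DER INTEGER is signed: pad so the value stays positive
        body = b"\x00" + body
    return _tlv(0x02, body)

def rsa_spki_der(n: int, e: int) -> bytes:
    """DER SubjectPublicKeyInfo for an RSA key (what `openssl rsa -pubout -outform DER` writes)."""
    alg = _tlv(0x30, _tlv(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")  # rsaEncryption + NULL params
    rsa_pub = _tlv(0x30, _der_int(n) + _der_int(e))                 # RSAPublicKey
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_pub))          # BIT STRING, 0 unused bits

def ima_keyid(spki_der: bytes) -> bytes:
    """keyid = last four bytes of SHA-1 over the public key's DER (as calc_keyid_v2 does)."""
    return hashlib.sha1(spki_der).digest()[-4:]

def keyid_from_file_signature(sig_hex: str) -> bytes:
    """Pull the keyid out of one FILESIGNATURES entry: a v2 IMA signature blob
    (type 0x03, version 0x02, hash algo, 4-byte keyid, 2-byte sig length, sig)."""
    blob = bytes.fromhex(sig_hex)
    if len(blob) < 9 or blob[0] != 0x03 or blob[1] != 0x02:
        raise ValueError("not a v2 IMA signature")
    return blob[3:7]

def signed_with(spki_der: bytes, sig_hex: str) -> bool:
    """True when the file signature entry names the key whose SPKI DER is given."""
    return keyid_from_file_signature(sig_hex) == ima_keyid(spki_der)

if __name__ == "__main__":
    # Constructed key material, not a real signing key: any integers exercise the encoder.
    der = rsa_spki_der((1 << 2047) | 0x10001, 65537)
    # Constructed signature entry carrying that key's keyid, sha256 (algo 4), a 1-byte dummy sig.
    entry = "030204" + ima_keyid(der).hex() + "0001" + "ab"
    print(ima_keyid(der).hex(), signed_with(der, entry))
```

Feeding the bytes of a real `openssl rsa -pubout -outform DER` output to ima_keyid gives the value to compare against the keyids rpmsign wrote into the package.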
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org