RPMv6 proposal: treat IMA and fsverity signatures as part of the package #2200

Closed
DemiMarie opened this issue Sep 21, 2022 · 1 comment

Comments

@DemiMarie
Contributor

In RPMv4, IMA and fsverity signatures are not considered part of the package, but of the signature. Therefore, they are included in the signature header (not the main header), which leads to various problems and increases attack surface. For RPMv6, I propose that they be considered part of the package itself, and so included in the main header. Adding IMA and fsverity signatures to a package would thus create a new package.
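An added example, not part of the issue or of rpm's own code: it walks the signature header that follows the 96-byte lead in an RPMv4 file and reports which IMA and fsverity tags are stored there rather than in the main header. The package bytes are constructed for the demonstration and the function names are hypothetical; the tag numbers are the signature-header values from rpm's `rpmtag.h`.

```python
import struct

LEAD_SIZE = 96                           # fixed-size RPM lead precedes the signature header
HEADER_MAGIC = bytes.fromhex("8eade801")
# Signature-header tag numbers as defined in rpm's rpmtag.h (RPMTAG_SIG_BASE = 256).
FILE_SIG_TAGS = {
    274: "RPMSIGTAG_FILESIGNATURES",        # IMA signatures
    275: "RPMSIGTAG_FILESIGNATURELENGTH",
    276: "RPMSIGTAG_VERITYSIGNATURES",      # fsverity signatures
    277: "RPMSIGTAG_VERITYSIGALGO",
}

def parse_header_index(buf, off):
    """Parse one header structure at `off`; return (index entries, end offset)."""
    if buf[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic")
    nindex, hsize = struct.unpack_from(">II", buf, off + 8)
    index_start = off + 16
    end = index_start + 16 * nindex + hsize
    if end > len(buf):
        raise ValueError("truncated header")
    # Each index entry is (tag, type, offset, count), big-endian 32-bit values.
    entries = [struct.unpack_from(">IIII", buf, index_start + 16 * i)
               for i in range(nindex)]
    return entries, end

def file_signature_tags_in_sig_header(pkg):
    """Names of IMA/fsverity tags present in the signature header of `pkg`."""
    entries, _ = parse_header_index(pkg, LEAD_SIZE)
    return sorted(FILE_SIG_TAGS[tag] for tag, *_ in entries if tag in FILE_SIG_TAGS)

def build_constructed_package(tags):
    """Constructed sample: lead + signature header with one dummy string per tag."""
    data, index = b"", b""
    for tag in tags:
        index += struct.pack(">IIII", tag, 8, len(data), 1)   # 8 = string array
        data += b"00\x00"
    sig = HEADER_MAGIC + bytes(4) + struct.pack(">II", len(tags), len(data)) + index + data
    lead = bytes.fromhex("edabeedb") + bytes(LEAD_SIZE - 4)
    return lead + sig

if __name__ == "__main__":
    sample = build_constructed_package([273, 274, 276])  # 273 = SHA256 header digest
    print(file_signature_tags_in_sig_header(sample))
```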

@pmatilai
Member

pmatilai commented Sep 22, 2022

That's how IMA signatures originally worked but I changed it because it violates rpm's principles.
I'm quite aware of the issue(s), but this isn't the solution.
