rpm-software-management / rpm-web

RPM web content
http://rpm.org

document FILESIGNATURES header #28

Closed ktdreyer closed 2 years ago

ktdreyer commented 2 years ago

https://rpm-software-management.github.io/rpm/manual/signatures_digests.html does not mention the new FILESIGNATURES header that @puiterwijk mentioned recently on fedora-devel.

Would you mind adding that header to that page? I am not sure what values to put into all the columns.

pmatilai commented 2 years ago

The reason it's not there is that it does not apply. That page lists all the signatures and digests that rpm verifies, but IMA and fs-verity signatures are just opaque data to rpm.

pmatilai commented 2 years ago

Clarified the table explanation a bit: https://github.com/rpm-software-management/rpm/commit/002b9741d1aee22816ea9eba987d1dcb01f202ac

ktdreyer commented 2 years ago

Background: I'm a noob to IMA and RPM internals. I'm just trying to understand if/how Koji ought to track IMA signatures, and how I might add such a feature to Koji. In the meantime I'm documenting how Koji currently handles IMA signatures at the bottom of https://docs.pagure.org/koji/signing/

I cannot find any documentation on RPM's FILESIGNATURES header at all, so that is why I suggested adding something to https://rpm-software-management.github.io/rpm/manual/signatures_digests.html

What if we added a second table (or even just a paragraph) to that page to explain what a FILESIGNATURES header is?

dralley commented 10 months ago

@pmatilai I'd also like this to be reopened and documented a bit more.

Even in terms of user-facing stuff, the documentation is a bit lacking. Of particular interest to me is why it seems like you can't use --signfiles with a standard PGP key, but instead have to go through a bunch of extra steps to convert the key, and then provide it in a different way than the standard header signing key.

That is, this doesn't work:

rpmsign --define "_gpg_name rpm-signing-key-rsa4096" --addsign ../ima_signed.rpm --define "_file_signing_key rpm-signing-key-rsa4096" --signfiles

Because _file_signing_key expects to be a path and not a GPG key name, and as far as I can see it also needs to be in PEM format, which GPG doesn't natively support, so you have to convert it...

Now, I assume the reason for this is just "because that's how the IMA subsystem for Linux works" and RPM just has to deal with the fact that the way it works is different from RPM signing. But it's not really stated directly anywhere. Actually, the best guide on how to IMA sign an RPM comes from this random gist