Yes: resign changed files after installation with a local private key managed
however you wish outside of rpm. You will still have the ability to use the
original ima signature/pub key distributed within the rpm header, but resigning
locally permits removal of false positives on mutable %config/%ghost files.
My comment about per-file masking (with patterns if you must) was more a
criticism of using rpm configuration disablers. One-size-fits-all with a
per-system switch is sometimes too little control for what is intrinsically a
per-file parameter. If you convolve secure audits with rpm parameters (like
--no signatures), then a rational audit also needs to keep track of rpm
parameters used while installing.
A per-file AND mask would be best implemented in rpmfiFFlags() as part of rpm.
Meanwhile, just disabling %config when building on embedded devices (the
rationale given in #364) is an alternative to your proposed per-system switch.
https://github.com/rpm-software-management/rpm/pull/374#issuecomment-364676206
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
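One way to carry out the local re-signing the comment describes, as an added example that is neither rpm project code nor the commenter's: it picks out the %config/%ghost files that `rpm -V` reports with a changed digest and re-signs only those with a locally managed key via evmctl from ima-evm-utils (assumed installed). The verify output, key path and SIGNER override are constructed for illustration.

```shell
#!/bin/sh
# Constructed `rpm -V` style output (not from a real system). Column layout
# follows rpm(8): a 9-character attribute field ("5" = digest differs,
# "S" = size, "T" = mtime, "missing" for absent files), then the file type
# ("c" = %config, "g" = %ghost, "d" = doc, space = ordinary), then the path.
SAMPLE_VERIFY='S.5....T.  c /etc/example/app.conf
.......T.  c /etc/example/other.conf
..5....T.  g /var/lib/example/state.db
S.5....T.    /usr/bin/example
missing    c /etc/example/removed.conf'

# Print the %config/%ghost files whose on-disk digest no longer matches the
# rpm header, reading rpm -V lines on stdin. Ordinary files with a changed
# digest (like /usr/bin/example above) are deliberately excluded: those are
# the findings an IMA audit must keep, not false positives to resign away.
changed_mutable_files() {
    awk '
        substr($0, 1, 7) == "missing" { next }   # nothing on disk to sign
        {
            flags = substr($0, 1, 9)
            type  = substr($0, 12, 1)
            path  = substr($0, 14)
            if ((type == "c" || type == "g") && index(flags, "5") > 0) print path
        }'
}

# Sign one file ($1 = private key, $2 = path) with the local key. Defaults to
# evmctl ima_sign, which writes the security.ima xattr; set SIGNER to the
# name of another command or shell function for a dry run.
sign_one() {
    if [ -n "$SIGNER" ]; then "$SIGNER" "$1" "$2"
    else evmctl ima_sign --key "$1" "$2"
    fi
}

# $1 = private key path; stdin = rpm -V output. Re-signs every changed
# %config/%ghost file and returns 1 if any signing step failed.
resign_changed_files() {
    key=$1
    files=$(changed_mutable_files)
    [ -n "$files" ] || return 0
    status=0
    while IFS= read -r path; do
        sign_one "$key" "$path" || status=1
    done <<EOF
$files
EOF
    return $status
}
```

Run it as `rpm -Va | resign_changed_files /path/to/local-ima-key.pem` after reviewing the list `changed_mutable_files` prints, so that an unexpected digest change on a %config file is looked at before it is signed over.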