Re: [Rpm-maint] [rpm-software-management/rpm] RPMv6 proposal: treat IMA and fsverity signatures as part of the package (Issue #2200)
Closed #2200 as completed. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/2200#event-7436505023 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] RPMv6 proposal: treat IMA and fsverity signatures as part of the package (Issue #2200)
That's how IMA signatures originally worked but I changed it because it violates rpm's principles. I'm quite aware having the current solution isn't optimal, but this isn't the solution. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/2200#issuecomment-1254590606 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
[Rpm-maint] [rpm-software-management/rpm] RPMv6 proposal: treat IMA and fsverity signatures as part of the package (Issue #2200)
In RPMv4, IMA and fsverity signatures are not considered part of the package, but of the signature. Therefore, they are included in the signature header (not the main header), which leads to various problems and increases attack surface. For RPMv6, I propose that they be considered part of the package itself, and so included in the main header. Adding IMA and fsverity signatures to a package would thus create a new package. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/2200 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint