Re: [Rpm-maint] [rpm-software-management/rpm] Add support for fsverity signatures (#1121)

2020-04-29 Thread jessorensen
Here is a more detailed update on the design of the fsverity support I have 
been working on for rpm.

I now have code which I believe works correctly, and I'd love some feedback on 
it. I am sure I got some things wrong. The code can be found in my cloned repo 
here[1]

fsverity itself provides block-level checksumming of files in the file system, 
which can be signed and authenticated by a public key loaded into the kernel's 
public keyring. This allows the kernel to validate individual data blocks as 
they are read from the disk instead of having to validate the entire file's 
digest before allowing it to be opened.

Instead of a regular digest, fsverity uses a Merkle tree, which is basically a 
tree of digests. For now only sha256 and sha512 are supported for calculating 
this tree. The fsverity signature authenticates the root of the Merkle tree, by 
signing an fsverity descriptor which contains the root digest. This API is 
defined by the kernel. The code to generate the fsverity descriptor, and the 
code to sign it, is provided by libfsverity from the fsverity-utils 
package[2][3].

There is no way to go from the regular digest to the Merkle tree, so the code 
parses the archive of the rpm to generate the signatures. As the file count of 
the archive doesn't have to match the metadata file count, ghost files etc, and 
the file order of the archive and the metadata do not necessarily match, the 
signatures are placed in an array based on their file index, and signatures for 
the missing items are generated from the metadata fi.

The code introduces four new tags:
* RPMTAG_VERITYSIGNATURELENGTH (uint32_t): The size of the fs verity signatures
* RPMTAG_VERITYSIGNATURES (char *): Array of fsverity signatures
* RPMTAG_VERITYSIGNATUREALGO (uint32_t): Algorithm used to generate signature
* RPMTAG_VERITYSIGNATUREBLKSZ (uint32_t): Block size used to calculate the 
Merkle tree

In addition the code provides a new plugin "fsverity" which will install the 
fsverity signature and enable fsverity on files as they are installed. Similar 
to IMA file signatures, it will skip installing signatures for config files, 
unless explicitly requested, and it only installs signatures for regular files 
as directories and symlinks are not currently supported by fsverity.

To enable fsverity in the build, one must specify --with-fsverity, and have the 
fsverity-utils header and library installed.

To generate signatures, one must specify three arguments:
 --fskpath= specify signing key (argument is shared with IMA file signing)
 --certpath= specify signing certificate
 --signverity add fsverity signatures to the package

Jes

1: Code adding fsverity support to rpm:  
https://github.com/jessorensen/rpm/tree/rpm-fsverity
2: Original fsverity git repo: 
git://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git
3: fsverity refactoring providing libfsverity:
 * https://www.spinics.net/lists/linux-fscrypt/msg03278.html
 * git://git.kernel.org/pub/scm/linux/kernel/git/jes/fsverity-utils.git/


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1121#issuecomment-621421288
___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
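
The Merkle tree construction and per-block validation described in the message above, as an added sketch that is not taken from the rpm branch or from libfsverity. The function names `build_tree` and `verify_block` are hypothetical, the salt is omitted, and the step where the descriptor containing the root is signed is not shown; the tree layout follows the kernel's documented fs-verity scheme (zero-padded blocks, hashes packed into blocks of the same size, all-zero root for an empty file).

```python
import hashlib

DIGEST_SIZE = 32  # sha256

def _hash_blocks(buf, block_size):
    """Split buf into blocks, zero-pad the last one, hash each block."""
    return [hashlib.sha256(buf[i:i + block_size].ljust(block_size, b"\0")).digest()
            for i in range(0, len(buf), block_size)]

def build_tree(data, block_size=4096):
    """Return (levels, root). levels[0] holds the data-block hashes; each
    higher level holds the hashes of the packed hash blocks below it."""
    if not data:
        return [], bytes(DIGEST_SIZE)      # empty file: all-zero root
    levels = [_hash_blocks(data, block_size)]
    while len(levels[-1]) > 1:             # stop when one block remains
        levels.append(_hash_blocks(b"".join(levels[-1]), block_size))
    return levels, levels[-1][0]

def verify_block(index, block, levels, root, block_size=4096):
    """Validate one data block against the trusted root, touching only the
    hash blocks on its path (the stored levels are treated as untrusted)."""
    per_block = block_size // DIGEST_SIZE
    digest = hashlib.sha256(block.ljust(block_size, b"\0")).digest()
    for level in levels[:-1]:
        if level[index] != digest:         # stored hash disagrees with child
            return False
        start = index - index % per_block  # hash block holding this entry
        packed = b"".join(level[start:start + per_block])
        digest = hashlib.sha256(packed.ljust(block_size, b"\0")).digest()
        index //= per_block
    return digest == root

if __name__ == "__main__":
    BS = 64                                # constructed: tiny block size for a 4-level tree
    data = bytes(range(256)) + b"tail"     # constructed sample "file"
    levels, root = build_tree(data, BS)
    print("levels:", [len(l) for l in levels], "root:", root.hex())
    print("block 4 ok:", verify_block(4, data[256:], levels, root, BS))
    print("tampered:  ", verify_block(4, b"evil", levels, root, BS))
```

Only the root needs to be trusted: rewriting a stored leaf hash to match a modified block still fails, because the hash of the enclosing hash block no longer matches its parent.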


Re: [Rpm-maint] [rpm-software-management/rpm] scripts/pythondistdeps: New test suite and various updates and fixes (#1195)

2020-04-29 Thread lgtm-com[bot]
This pull request **introduces 1 alert** when merging 
90e68fa8f27a594067763476e69c723ab8beb971 into 
022b48d21092f8a79103fa9318376fb26911e571 - [view on 
LGTM.com](https://lgtm.com/projects/g/rpm-software-management/rpm/rev/pr-6f63a05ddcb5d681a51a46456602e60a7916851b)

**new alerts:**

* 1 for Module is imported more than once

Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1195#issuecomment-621355841


Re: [Rpm-maint] [rpm-software-management/rpm] scripts/pythondistdeps: New test suite and various updates and fixes (#1195)

2020-04-29 Thread torsava
I've merged the first fixup. Leaving the second one pending depending on 
whether we decide to merge pythondistdeps here or split off to a new package.

Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1195#issuecomment-621351551


Re: [Rpm-maint] [rpm-software-management/rpm] Support ed25519 signatures (#1202)

2020-04-29 Thread Michael Schroeder
Note that this is incomplete: there needs to be another commit to define which 
tag to use for ed25519 signatures.

Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1202#issuecomment-621251757


[Rpm-maint] [rpm-software-management/rpm] Support ed25519 signatures (#1202)

2020-04-29 Thread Michael Schroeder

You can view, comment on, or merge this pull request online at:

  https://github.com/rpm-software-management/rpm/pull/1202

-- Commit Summary --

  * Support the EdDSA public key algorithm
  * Support ed25519 signatures in digest_openssl.c
  * Support ed25519 signatures in digest_libgcrypt.c

-- File Changes --

M rpmio/digest.h (3)
M rpmio/digest_beecrypt.c (2)
M rpmio/digest_libgcrypt.c (130)
M rpmio/digest_nss.c (2)
M rpmio/digest_openssl.c (121)
M rpmio/rpmpgp.c (45)
M rpmio/rpmpgp.h (27)

-- Patch Links --

https://github.com/rpm-software-management/rpm/pull/1202.patch
https://github.com/rpm-software-management/rpm/pull/1202.diff



Re: [Rpm-maint] [rpm-software-management/rpm] scripts/pythondistdeps: New test suite and various updates and fixes (#1195)

2020-04-29 Thread torsava
While the [discussion about possibly moving pythondistdeps to a different 
repo](https://github.com/rpm-software-management/rpm/issues/1199) goes on:

Any technical issues or concerns with the PR?

Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1195#issuecomment-621108332


Re: [Rpm-maint] [rpm-software-management/rpm] Discussion: splitting language specifics out of rpm core (#1199)

2020-04-29 Thread Panu Matilainen
> Perhaps separate git repos and a unified release are not mutually exclusive, 
> though.

That's what I've been mulling over here. Pulling stuff from multiple places does 
complicate release-cutting considerably though (which tends to be hard enough 
as it is), and will mean that bugs will get reported on rpm, but the code will 
be someplace else, which I suspect would be a frustrating situation for all 
involved. So I don't think that will work as such, but maybe there's something 
else in that direction.

Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1199#issuecomment-621078194