[Rpm-maint] [PATCH v8 10/11] IMA plugin labels ima xattr with file signatures

From: "f...@linux.vnet.ibm.com" This plugin extracts file signatures from rpmfiles and writes them to security.ima xattr. Only non-config file signatures are installed. Changelog: - use rpmfi instead of rpmfiles - use rpmfiFN instead of fsmFsPath --- macros.in | 1 + plugins/Makefile

[Rpm-maint] [PATCH v8 11/11] Documentation for file signing

From: "f...@linux.vnet.ibm.com" This patch adds documentation for signing files. Changelog: - Removed new file signature macro example - Mimi --- doc/rpmsign.8 | 24 ++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/doc/rpmsign.8 b/doc/rpmsign.8 index 53f2

[Rpm-maint] [PATCH v8 09/11] Add file signature support to package signing

From: "f...@linux.vnet.ibm.com" This patch modifies rpmSign to include file signatures in the header. Since the header is altered, the package digest and package+archive digest need to be recalculated and updated in the signature header. Defer resigning the header digests to replaceSignature().

[Rpm-maint] [PATCH v8 03/11] Add rpmtags for file signatures and their length

From: "f...@linux.vnet.ibm.com" This patch adds rpmtags for file signatures and their length, so they can be stored in the package header. Changelog: - update rpmtag values (rebase error) - Mimi - fix test case 0004 - Florian --- lib/rpmtag.h| 2 ++ tests/rpmgeneral.at | 2 ++ 2 files c

[Rpm-maint] [PATCH v8 04/11] Subroutine for dumping immutable region of header

From: "f...@linux.vnet.ibm.com" This patch creates a subroutine for dumping the immutable region of a header. It copies the header sections into a new header that can be altered. Changelog: - deallocate old hdrp --- sign/rpmgensig.c | 47 --- 1 file

[Rpm-maint] [PATCH v8 02/11] Export generateSignature

From: "f...@linux.vnet.ibm.com" This patch exports generateSignature under the new name rpmGenerateSignature so that includeFileSignatures can call it. --- build/pack.c| 90 ++--- lib/signature.c | 87 +++

[Rpm-maint] [PATCH v8 05/11] Add support for file signatures to rpmfi and rpmfiles

From: "f...@linux.vnet.ibm.com" This patch adds file signatures and file signature length to rpmfiles. These new members are set in rpmfilesPopulate, and they can be accessed with rpmfiFSignature. Changelog: - simplified logic in rpmfilesPopulate - removed empty line --- lib/rpmfi.c| 44 +++

[Rpm-maint] [PATCH v8 01/11] Refactor copyFile to not close files

From: "f...@linux.vnet.ibm.com" This patch refactors copyFile so that it doesn't close sfdp and tfdp, since copyFile didn't open those files. Also, the caller to copyFile closes these files. This patch also adds descriptions of copyFile parameters. Changelog: - removed call to manageFile() since

[Rpm-maint] [PATCH v8 07/11] Sign file digests and store signatures in header

From: "f...@linux.vnet.ibm.com" This patch introduces rpmSignFiles, which extracts file digests from the provided header and signs them using libimaevm and the provided key. The file signatures are stored in the header as hex strings under the tag RPM_FILESIGNATURES. Changelog: - fix signatureLe

[Rpm-maint] [PATCH v8 08/11] Add file signature support to rpmsign command

From: "f...@linux.vnet.ibm.com" This patch extends the rpmsign tool to sign package files. It defines a new rpmsign option called "signfiles". rpm --addsign [--signfiles] PACKAGE Signfiles signs all the file digests included in the package and stores the signatures in the package header. The fi

[Rpm-maint] [PATCH v8 06/11] Configure option to build with imaevm support

From: "f...@linux.vnet.ibm.com" This patch adds a config option to build with libimaevm which is needed for file signing. Changelog: - Add AM_CONDITIONAL WITH_IMAEVM --- configure.ac | 9 + 1 file changed, 9 insertions(+) diff --git a/configure.ac b/configure.ac index aa43eea..e1baeb6

[Rpm-maint] [PATCH v8 00/11] RPM: include and install file signatures

From: Fionnuala Gunter IMA-appraisal, upstreamed in linux-3.7, enforces local file integrity based on a known 'good' value stored as an extended attribute 'security.ima'. Labeling the filesystem is currently done post install using a local private key. Including file signatures in the package p

Re: [Rpm-maint] [PATCH v7 03/11] Add rpmtags for file signatures and their length

On 07/22/2015 04:30 PM, Fionnuala Gunter wrote: > Florian, > > I'm going to send an updated patch 9. Should I also include this patch > to fix test 004, when I resend the patch set? > > -Fin > > On Tue, Jul 21, 2015 at 5:53 AM Florian Festi > wrote: > > On 07/21/2

Re: [Rpm-maint] [PATCH v7 03/11] Add rpmtags for file signatures and their length

Florian, I'm going to send an updated patch 9. Should I also include this patch to fix test 004, when I resend the patch set? -Fin On Tue, Jul 21, 2015 at 5:53 AM Florian Festi wrote: > On 07/21/2015 12:11 AM, Fionnuala Gunter wrote: > > From: "f...@linux.vnet.ibm.com" > > > > This patch adds

Re: [Rpm-maint] [PATCH v7 09/11] Add file signature support to package signing

On Wed, Jul 22, 2015 at 2:33 AM Lubos Kardos wrote: > > > - Original Message - > > From: "Fionnuala Gunter" > > To: "Lubos Kardos" > > Cc: rpm-maint@lists.rpm.org, ffe...@redhat.org, "Mimi Zohar" < > zo...@linux.vnet.ibm.com>, "fin gunter" > > > > Sent: Tuesday, July 21, 2015 9:56:19 P

Re: [Rpm-maint] [PATCH v7 09/11] Add file signature support to package signing

- Original Message - > From: "Fionnuala Gunter" > To: "Lubos Kardos" > Cc: rpm-maint@lists.rpm.org, ffe...@redhat.org, "Mimi Zohar" > , "fin gunter" > > Sent: Tuesday, July 21, 2015 9:56:19 PM > Subject: Re: [PATCH v7 09/11] Add file signature support to package signing > > On Tue, J