Another extra question: trying an extension that is signed, if I don't provide the signature in the verity.d dir, the service hangs because it's asking for a password. Is it possible to skip that somehow? I don't want it to ask for a password; if there is no key, just fail to load it.
Thanks!

On Wed, Jun 5, 2024 at 6:28 PM Itxaka Serrano Garcia <itxaka.gar...@spectrocloud.com> wrote:

> Hello again!
>
> A few sysext questions that have arisen from our testing:
>
> - Image policy is configurable, but is there a single config file where we can put that so it's used system-wide? For example, to only allow verity+signed? Service override?
> - I can't see anything preventing a manual call to sysext refresh from overriding the default policy, i.e. if we set it at the service level in an immutable system, nothing prevents someone from calling the sysext command manually and overriding the image policy, no?
> - I also don't see anything that can run against a single sysext and return a validity check, to check that individual files conform to a given policy, for example. Any idea if there is something like that? Sysext verify SYSEXT_FILE --image-policy=whatever
> - I have also seen that, having several extensions verity+signed, if there is just one that is not either verity or signed, the whole merge stops? Is there any reasoning for that? Is that a bug? Should I open a bug for this? IMHO it makes no sense, as they are individual files, so if something does not match the policy it should just be skipped and the rest of the extensions loaded anyway. But of course I have low visibility into this, so there may be good reasons for it.
>
> I think that's all, thanks for reading!
> Itxaka