Hi,

We're looking to include file signatures in the different package formats (e.g. rpm, deb) and install them as 'security.ima' extended attributes (xattrs). These signatures could then be used to enforce local file integrity and included in the IMA measurement list to provide file provenance.

This patch set adds debhelper support for dpkg for adding file signatures to .deb packages and for installing those signatures as IMA xattrs at package install time. The existing md5sums file contains the file hash and name for each file included in the package. This makes it the most logical place for storing the file signatures, other than the hash being md5. For now, this patch set assumes the existence of an equivalent sha256sums file. (For convenience, I've duplicated the dh_md5sums helper, naming it dh_sha256sums.)

Depending on the relationship of the build and signing server, the signatures could either be appended during the package build process or post build. Included in this patch set is a sample script that opens the package, extracts the sha256sums file, appends the signatures, and inserts the new sha256sums file with the appended signatures in the deb package.

To install the file signatures, this patch set defines the debhelper dh_installfile-sigs and the postinst-file-sigs autoscript. Although the sha256sums file should contain signatures for all files, the autoscript currently only installs the signatures for ELF files and scripts, making them "immutable".

Mimi Zohar (3):
  Define a new debhelper dh_installfile-sigs and postinst autoscript
  Temporarily define a deb helper dh_sha256sums
  Include sample script named ima-signhashes.sh

 autoscripts/postinst-file-sigs |  17 +++++++
 dh                             |   2 +
 dh_installfile-sigs            |  46 +++++++++++++++++++
 dh_sha256sums                  | 101 +++++++++++++++++++++++++++++++++++++++++
 examples/ima-signhashes.sh     |  79 ++++++++++++++++++++++++++++++++
 5 files changed, 245 insertions(+)
 create mode 100644 autoscripts/postinst-file-sigs
 create mode 100755 dh_installfile-sigs
 create mode 100755 dh_sha256sums
 create mode 100755 examples/ima-signhashes.sh

-- 
1.8.1.4

Archive: https://lists.debian.org/1407517061-22451-1-git-send-email-zo...@linux.vnet.ibm.com
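As an added illustration of what the postinst-file-sigs autoscript is described as doing (not code from the patch set itself), the following script walks a sha256sums file with signatures appended, rejects any file whose on-disk content no longer matches the listed hash, and queues a security.ima xattr only for ELF files and scripts. The line format '<sha256hex>  <path>  <base64 signature>', the file names and the placeholder signature bytes are assumptions constructed for the example; actually writing the xattr is off by default because it needs root and an IMA-enabled kernel.

```python
import base64
import hashlib
import os
import tempfile

def classify(path):
    """'elf' for files starting with the ELF magic, 'script' for '#!', else None."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    return "elf" if head == b"\x7fELF" else "script" if head[:2] == b"#!" else None

def plan_ima_xattrs(root, sums_text, apply=False):
    """Check each listed file's sha256; for ELF files and scripts, queue (or set) security.ima.
    Assumed line format: '<sha256hex>  <relative path>  <base64 signature>'."""
    plan, rejected = [], []
    for line in sums_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # no signature appended for this file
        digest, rel, sig_b64 = parts
        path = os.path.join(root, rel)
        with open(path, "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != digest:
                rejected.append(rel)  # content does not match the listed hash
                continue
        kind = classify(path)
        if kind is None:
            continue  # the autoscript only covers ELF files and scripts
        sig = base64.b64decode(sig_b64)
        plan.append((rel, kind, sig))
        if apply:  # needs root and an IMA-enabled kernel; off by default
            os.setxattr(path, "security.ima", sig)
    return plan, rejected

def demo():
    """Constructed sample tree: a fake ELF, a script, a doc file and a tampered script."""
    root = tempfile.mkdtemp()
    files = {"usr/bin/hello": b"\x7fELF" + b"\x00" * 12, "usr/bin/run.sh": b"#!/bin/sh\necho ok\n",
             "usr/share/doc/readme": b"plain text\n", "usr/bin/evil.sh": b"#!/bin/sh\necho tampered\n"}
    lines = []
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        listed = b"#!/bin/sh\necho ok\n" if rel.endswith("evil.sh") else data  # listed != on-disk
        sig = base64.b64encode(b"SIG:" + rel.encode()).decode()  # placeholder, not a real signature
        lines.append(f"{hashlib.sha256(listed).hexdigest()}  {rel}  {sig}")
    return plan_ima_xattrs(root, "\n".join(lines))
```

Running demo() queues xattrs for the ELF file and the intact script, skips the plain text file, and reports the tampered script as rejected.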