Hi Ken,

> 
> I want to add "intro to IMA signing" instructions to
> https://docs.pagure.org/koji/signing/ . I wrote a basic PR at
> https://pagure.io/koji/pull-request/3206 but it lacks technical
> details.

That'd be cool!

> 
> - How do I generate my own new keypair so I can IMA-sign an RPM?

You can generate the key with the standard OpenSSL commands.
For example, an RSA key can be generated like:
openssl genrsa | openssl pkcs8 -topk8 -nocrypt -outform DER -out privatekey.der

(do note that the key will need to be in DER format).

You can then generate a corresponding (self-signed) certificate for validation 
with:

openssl req -x509 -key privatekey.der -out certificate.pem -days 365 -keyform DER

> 
> - Can I use my existing GPG keypair?

Mathematically, yes. Practically, no.
The key format RPM (libimaevm) reads for signing is DER, so you'd have to 
convert the actual key bits from the GPG format to DER.

> 
> - How do I IMA-sign files in an RPM locally (apart from Koji)? (Is it
> the --signfiles option from rpmsign(8)?)

Yes, it's the --signfiles option.

> 
> - How do I inspect the IMA signatures on an existing RPM?

The signatures are stored in the FILESIGNATURES rpm sighdr (with tag 
RPMTAG_SIG_BASE + 18, so 274), as a hex-encoded string array.
I have some code for reading and parsing the signatures at 
https://github.com/fedora-iot/rpm-head-signing/blob/main/rpm_head_signing/extract_rpm_with_filesigs.py .

> 
> - When I gpg-sign an RPM with "Key A" and IMA-sign an RPM with "Key
> B", does Koji "know" about Key B at all?

Koji at this moment does not look at or touch the FILESIGNATURES header.
It copies it into its signature store (because the tag is in the sighdr), and 
will re-insert it into the resulting RPM, but it has no clue it's even there.
This also means that the RPMs that are signed with {rpm_key=keyA, ima_key=keyB} 
and {rpm_key=keyA, ima_key=keyC} are seen as having the same signature, and 
thus would result in the hub rejecting the new signature until the old one gets 
removed.
It would absolutely be useful to have this information also stored in koji and 
a part of the index for the signatures, but that hasn't been done yet.

Patrick
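An added example (not code from the message above, the rpm-head-signing repository or Koji) of what "inspecting" the FILESIGNATURES entries looks like in practice: each hex string in the tag-274 array decodes to the ima-evm-utils `signature_v2_hdr` layout (1-byte xattr type 0x03 = EVM_IMA_XATTR_DIGSIG, 1-byte version 0x02, 1-byte hash algorithm index, 4-byte big-endian key id, 2-byte big-endian signature length, then the raw signature). The sample entries below are constructed here, with a placeholder signature payload rather than a real RSA signature; the `rpm --qf` query in the comment is one way to pull the real strings out of a package, and the handling of empty entries as "file not signed" is an assumption of this example.

```python
"""Decode IMA file signatures as rpm stores them in FILESIGNATURES (tag 274).

Each array entry is a hex string of the ima-evm-utils signature_v2_hdr
followed by the signature bytes.  Entries can be pulled from a package with
    rpm -qp --qf '[%{FILESIGNATURES}\n]' package.rpm
(one entry per file, in the same order as %{FILENAMES}).
"""
import struct

EVM_IMA_XATTR_DIGSIG = 0x03   # xattr type: digital signature
DIGSIG_VERSION_2 = 0x02       # v2 header (asymmetric key, keyid based)
HDR_FMT = ">BBBIH"            # type, version, hash_algo, keyid, sig_size (big endian)
HDR_LEN = struct.calcsize(HDR_FMT)   # 9 bytes

# Kernel enum hash_algo indices, as used in the hash_algo header byte.
HASH_ALGOS = {0: "md4", 1: "md5", 2: "sha1", 3: "ripemd160",
              4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}
HASH_ALGO_IDS = {name: idx for idx, name in HASH_ALGOS.items()}


def build_ima_sig(hash_algo: str, keyid: int, sig: bytes) -> bytes:
    """Assemble a signature_v2_hdr + payload (used here only to construct samples)."""
    return struct.pack(HDR_FMT, EVM_IMA_XATTR_DIGSIG, DIGSIG_VERSION_2,
                       HASH_ALGO_IDS[hash_algo], keyid, len(sig)) + sig


def parse_ima_sig(entry: str):
    """Decode one FILESIGNATURES entry.

    Returns None for an empty entry (assumed here to mean rpmsign did not
    sign that file, e.g. a directory or symlink), a dict describing the
    signature otherwise, and raises ValueError on a malformed entry.
    """
    if entry == "":
        return None
    data = bytes.fromhex(entry)
    if len(data) < HDR_LEN:
        raise ValueError("entry shorter than signature_v2_hdr")
    xtype, version, algo, keyid, sig_size = struct.unpack(HDR_FMT, data[:HDR_LEN])
    if xtype != EVM_IMA_XATTR_DIGSIG:
        raise ValueError(f"unexpected xattr type 0x{xtype:02x}")
    if version != DIGSIG_VERSION_2:
        raise ValueError(f"unsupported signature version {version}")
    sig = data[HDR_LEN:]
    # sig_size must cover exactly the rest of the entry; anything else means
    # the entry was truncated or has trailing garbage.
    if len(sig) != sig_size:
        raise ValueError(f"signature length {len(sig)} != header sig_size {sig_size}")
    return {
        "hash_algo": HASH_ALGOS.get(algo, f"unknown({algo})"),
        "keyid": f"{keyid:08x}",   # 4-byte id linking the signature to a cert
        "sig_size": sig_size,
        "sig": sig,
    }


def summarize(filenames, entries):
    """Pair %{FILENAMES} with decoded FILESIGNATURES; keyids group by signing key."""
    if len(filenames) != len(entries):
        raise ValueError("FILENAMES and FILESIGNATURES arrays differ in length")
    return [(name, parse_ima_sig(entry)) for name, entry in zip(filenames, entries)]


# Constructed sample data (not from a real package): a 2048-bit RSA signature
# is 256 bytes, so a placeholder of that size is used; /usr/share/doc is a
# directory and therefore carries an empty entry.
SAMPLE_FILES = ["/usr/bin/demo", "/usr/share/doc", "/usr/lib/libdemo.so"]
SAMPLE_ENTRIES = [
    build_ima_sig("sha256", 0xDEADBEEF, bytes(range(256))).hex(),
    "",
    build_ima_sig("sha256", 0xDEADBEEF, bytes(range(255, -1, -1))).hex(),
]

if __name__ == "__main__":
    for name, info in summarize(SAMPLE_FILES, SAMPLE_ENTRIES):
        if info is None:
            print(f"{name}: (unsigned)")
        else:
            print(f"{name}: {info['hash_algo']} keyid={info['keyid']} "
                  f"sig={info['sig_size']} bytes")
```

The key id printed for each file is what a "which IMA key signed this RPM" index in Koji would need to record, since the rpm-level GPG signature alone cannot distinguish packages whose FILESIGNATURES were made with different IMA keys.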
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
