Hi - Open for your experimentation needs, on a recent fedora client and a fresh build of elfutils,

    env DEBUGINFOD_URLS='ima:enforcing https://debuginfod.stg.fedoraproject.org' \
        DEBUGINFOD_IMA_CERT_PATH=/etc/keys/ima \
        DEBUGINFOD_VERBOSE=1 \
        debuginfod-find debuginfo /bin/ls

should result in content similar to:

    Loaded pem pubkey /etc/keys/ima/fedora-39-ima.pem, keyid 388b603e
    Loaded der certificate /etc/keys/ima/fedora-39-ima.der, keyid = 388b603e
    Loaded pem certificate /etc/keys/ima/fedora-39-ima.cert, keyid = 388b603e
    Loaded der certificate /etc/keys/ima/fedora-38-ima.der, keyid = e7b0c859
    Loaded pem certificate /etc/keys/ima/fedora-38-ima.cert, keyid = e7b0c859
    Loaded pem pubkey /etc/keys/ima/fedora-38-ima.pem, keyid e7b0c859
    debuginfod_find_debuginfo e79defd2793644d11e45a043e6c1e6559e7c149f
    server urls "ima:enforcing https://debuginfod.stg.fedoraproject.org/"
    [...]
    init server 0 https://debuginfod.stg.fedoraproject.org/buildid [IMA verification policy: enforcing]
    url 0 https://debuginfod.stg.fedoraproject.org/buildid/e79defd2793644d11e45a043e6c1e6559e7c149f/debuginfo
    query 1 urls in parallel
    header HTTP/2 200
    [...]
    header x-debuginfod-size: 453232
    header x-debuginfod-archive: /mnt/fedora_koji_prod/koji/packages/coreutils/9.3/5.fc39/x86_64/coreutils-debuginfo-9.3-5.fc39.x86_64.rpm
    header x-debuginfod-file: /usr/lib/debug/usr/bin/ls-9.3-5.fc39.x86_64.debug
    header x-debuginfod-imasignature: 030204388b603e00483046022100dd67332b59c2f9431958d0cc80ed332955c89f765dbf8aeeb4262159e457511d022100a2513d0807be86be7bda1802fe6f22b04e9e753891f106120498ca16fa28a20a
    header last-modified: Thu, 18 Jan 2024 00:00:00 GMT
    [...]
    got file from server
    Searching for ima keyid 388b603e
    Computed ima signature verification res=0
    valid signature

Metadata searches should start working a little bit later on:
https://pagure.io/fedora-infra/ansible/pull-request/2057

- FChE
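
The x-debuginfod-imasignature value in the output above can be decoded by hand to see which key the client goes looking for. This is an added example, not part of the original message and not elfutils code; it assumes the header carries the kernel's IMA v2 signature layout (type, version, hash_algo, keyid, sig_size, signature), and the function names are hypothetical.

```python
import struct

# enum hash_algo ids from the kernel's include/uapi/linux/hash_info.h
HASH_ALGOS = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160",
              4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}
EVM_IMA_XATTR_DIGSIG = 0x03      # xattr type byte for a digital signature
HDR = struct.Struct(">BBB4sH")   # type, version, hash_algo, keyid, sig_size

# Header value and keyids copied from the client output quoted in the post.
SIG_HEADER = (
    "030204388b603e0048"  # 9-byte header
    "3046"                # DER SEQUENCE, 0x46 bytes follow
    "022100dd67332b59c2f9431958d0cc80ed332955c89f765dbf8aeeb4262159e457511d"
    "022100a2513d0807be86be7bda1802fe6f22b04e9e753891f106120498ca16fa28a20a")
LOADED_KEYIDS = {"388b603e", "e7b0c859"}


def parse_ima_signature(hex_value):
    """Split an x-debuginfod-imasignature value into its v2 header fields."""
    try:
        raw = bytes.fromhex(hex_value.strip())
    except ValueError as exc:
        raise ValueError("header value is not hex") from exc
    if len(raw) < HDR.size:
        raise ValueError("truncated signature header")
    sig_type, version, algo, keyid, sig_size = HDR.unpack_from(raw)
    if sig_type != EVM_IMA_XATTR_DIGSIG or version != 2:
        raise ValueError("not a v2 IMA digital signature")
    if algo not in HASH_ALGOS:
        raise ValueError("unknown hash algorithm id %d" % algo)
    sig = raw[HDR.size:]
    if len(sig) != sig_size:
        raise ValueError("sig_size does not match payload length")
    return {"hash_algo": HASH_ALGOS[algo], "keyid": keyid.hex(),
            "sig_size": sig_size, "sig": sig}


def signing_key_loaded(hex_value, loaded_keyids):
    """True if the signature names a keyid among the loaded certificates."""
    return parse_ima_signature(hex_value)["keyid"] in loaded_keyids


if __name__ == "__main__":
    info = parse_ima_signature(SIG_HEADER)
    print(info["hash_algo"], info["keyid"], info["sig_size"])
```

A keyid match only selects which loaded certificate to try; the "valid signature" line in the output comes from the signature check against that key.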