I've tried actually verifying an IMA signature made with rpm built from this
branch, using the following steps:
```bash
$ cat x509_evm.genkey
# Beginning of the file
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
O = Magrathea
CN = Glacier signing key
emailAddress = slartibartfast@magrathea.h2g2
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
# EOF
$ openssl req -new -nodes -utf8 -sha256 -days 36500 -batch \
-x509 -config x509_evm.genkey \
-outform DER -out x509_evm.der -keyout privkey_evm.pem
$ rpmsign --addsign --signfiles --fskpath=./privkey_evm.pem foo.rpm
$ sudo rpm -Uhv ./foo.rpm
$ getfattr -m security.ima -d /path/to/file/from/foo.rpm
[...]
security.ima=<signature>
$ evmctl ima_verify --key x509_evm.der -v /path/to/file/from/foo.rpm
[...]
/path/to/file/from/foo.rpm: verification is OK
```
The `<signature>` that `getfattr` reports is the same whether the package is
signed with rpm from master or from this branch, plus `evmctl` verifies it
successfully.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/3458#issuecomment-2491647834
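As an added illustration (not part of the comment above or of rpm's code), the `security.ima` value that `getfattr` prints can be decoded offline to check what kind of signature rpm wrote and which key it names before running `evmctl`. The parser below assumes the IMA signature v2 header layout used by ima-evm-utils and the kernel (type 0x03, version 2, hash algorithm, 4-byte key id, 2-byte signature length, signature) and that the key id is the low four bytes of the signing certificate's subjectKeyIdentifier, which is what the `subjectKeyIdentifier=hash` line in the genkey file produces; the sample xattr line is constructed, not real output.

```python
import base64
import struct
from dataclasses import dataclass

EVM_IMA_XATTR_DIGSIG = 0x03            # xattr carries a signature_v2_hdr
SIG_V2_HDR = struct.Struct(">BBBIH")    # type, version, hash_algo, keyid, sig_size
HASH_ALGO_NAMES = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160",
                   4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}


@dataclass
class ImaSig:
    hash_algo: str
    keyid: str          # 8 hex chars, exactly as stored in the header
    signature: bytes


def decode_xattr_value(value):
    """getfattr -d prints binary values as 0s<base64>; -e hex gives 0x<hex>."""
    if value.startswith("0s"):
        return base64.b64decode(value[2:])
    if value.startswith("0x"):
        return bytes.fromhex(value[2:])
    raise ValueError("unexpected getfattr encoding: " + value[:4])


def parse_ima_sig(raw):
    """Split a raw security.ima value into its header fields and signature."""
    if len(raw) < SIG_V2_HDR.size:
        raise ValueError("xattr shorter than signature_v2_hdr")
    xtype, version, algo, keyid, sig_size = SIG_V2_HDR.unpack_from(raw)
    if xtype != EVM_IMA_XATTR_DIGSIG:
        raise ValueError(f"not a digital signature xattr (type 0x{xtype:02x})")
    if version != 2:
        raise ValueError(f"unsupported signature header version {version}")
    sig = raw[SIG_V2_HDR.size:]
    if len(sig) != sig_size:
        raise ValueError(f"sig_size {sig_size} but {len(sig)} signature bytes present")
    return ImaSig(HASH_ALGO_NAMES.get(algo, f"unknown({algo})"), f"{keyid:08x}", sig)


def parse_getfattr_line(line):
    """Parse one 'security.ima=...' line as printed by getfattr -m security.ima -d."""
    name, _, value = line.strip().partition("=")
    if name != "security.ima":
        raise ValueError("not a security.ima line")
    return parse_ima_sig(decode_xattr_value(value.strip('"')))


def signed_by_cert(sig, cert_skid_hex):
    """True if the header keyid matches the low 4 bytes of the cert's subjectKeyIdentifier."""
    return sig.keyid == cert_skid_hex.replace(":", "").lower()[-8:]


# Constructed sample: sha256, keyid deadbeef, 128-byte signature (an RSA-1024 key as in the genkey file).
_SAMPLE_RAW = SIG_V2_HDR.pack(EVM_IMA_XATTR_DIGSIG, 2, 4, 0xDEADBEEF, 128) + b"\x5a" * 128
SAMPLE_XATTR_LINE = "security.ima=0s" + base64.b64encode(_SAMPLE_RAW).decode()
```

Compare the reported keyid with `openssl x509 -in x509_evm.der -inform DER -noout -ext subjectKeyIdentifier` to see which certificate `evmctl ima_verify --key` must be given.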