Re: [Rpm-maint] [rpm-software-management/rpm] Use imaevm_signhash if available (PR #3458)
I wonder if we shouldn't just reuse the [compatibility wrapper](https://github.com/linux-integrity/ima-evm-utils/blob/dc5969360a0439d225a0df386aeb2f4ab9f0661a/src/libimaevm.c#L1443) `sign_hash()` in libimaevm.c.

--
Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/3458#issuecomment-2491018302
You are receiving this because you are subscribed to this thread.
Message ID: ___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
https://lists.rpm.org/mailman/listinfo/rpm-maint
[Rpm-maint] [rpm-software-management/rpm] Consolidate rpm format detection and terminology (PR #3461)
You can view, comment on, or merge this pull request online at: https://github.com/rpm-software-management/rpm/pull/3461

-- Commit Summary --

* Rename the rpm format selection macro to %_rpmformat
* Add missing documentation for RPMTAG_RPMFORMAT tag
* Add tag extension for rpm format version detection
* Use RPMTAG_RPMFORMAT for rpm format detection in the signing code

-- File Changes --

M build/files.cc (4)
M build/pack.cc (16)
M build/rpmbuild_internal.hh (2)
M build/rpmfc.cc (2)
M build/spec.cc (2)
M docs/manual/tags.md (2)
M lib/tagexts.cc (17)
M macros.in (2)
M sign/rpmgensig.cc (11)
M tests/pinned/common/buildrepr.sh (2)
M tests/rpmquery.at (4)
M tests/rpmsigdig.at (2)

-- Patch Links --

https://github.com/rpm-software-management/rpm/pull/3461.patch
https://github.com/rpm-software-management/rpm/pull/3461.diff
Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a test(s) for IMA signing (Issue #3237)
Closed #3237 as completed via 4806340cb8fcf80de6909dfa9697ed3c454d3e03.

View it on GitHub: https://github.com/rpm-software-management/rpm/issues/3237#event-15384706858
Re: [Rpm-maint] [rpm-software-management/rpm] Deprecated libimaevm symbol (Issue #3419)
Closed #3419 as completed via 93f2d30001f16212d33b1c7344318798a785305e.

View it on GitHub: https://github.com/rpm-software-management/rpm/issues/3419#event-15384706972
Re: [Rpm-maint] [rpm-software-management/rpm] Use imaevm_signhash if available (PR #3458)
Merged #3458 into master.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3458#event-15384706413
Re: [Rpm-maint] [rpm-software-management/rpm] Use imaevm_signhash if available (PR #3458)
Given the above, as well as Stefan's thumbs up, LGTM now, let's merge.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3458#issuecomment-2491661316
[Rpm-maint] [rpm-software-management/rpm] Fix regression on build-id generation from compressed ELF files (PR #3463)
Another cmake fallout - we even have the define in config.h.in but the actual test was missing, causing us to never use the compression aware dwelf_elf_begin() version.

The only reproducer I'm aware of is a kernel module, and we don't want to pull in the huge kernel-devel to the test CI for this. Manually verified that cmake looks for and finds it:

```
-- Looking for dwelf_elf_begin in dw
-- Looking for dwelf_elf_begin in dw - found
```

And building kernel module, before:

```
$ rpm -qpl /home/pmatilai/rpmbuild/RPMS/x86_64/kmod-lkm_example-1.0-1.x86_64.rpm
/lib/modules/6.11.8-300.fc41.x86_64/lkm_example/lkm_example.ko.xz
```

After:

```
$ rpm -qpl /home/pmatilai/rpmbuild/RPMS/x86_64/kmod-lkm_example-1.0-1.x86_64.rpm
/lib/modules/6.11.8-300.fc41.x86_64/lkm_example/lkm_example.ko.xz
/usr/lib/.build-id
/usr/lib/.build-id/db
/usr/lib/.build-id/db/f83477ef46b0e51abd5cc1b9382be1330083c4
```

Fixes: RHEL-54000

You can view, comment on, or merge this pull request online at: https://github.com/rpm-software-management/rpm/pull/3463

-- Commit Summary --

* Fix regression on build-id generation from compressed ELF files

-- File Changes --

M CMakeLists.txt (1)

-- Patch Links --

https://github.com/rpm-software-management/rpm/pull/3463.patch
https://github.com/rpm-software-management/rpm/pull/3463.diff
[Rpm-maint] [rpm-software-management/rpm] centos7.9 upgrade 4.11 to 4.14.1 (Discussion #3459)
All my operations are in the container.

OS: CentOS Linux release 7.9.2009 (Core)
rpm version: RPM version 4.11.3

```bash
yum -y install centos-release nss-devel nspr-devel file-devel popt-devel libarchive-devel lua-devel autoconf automake libtool zstd
wget http://ftp.rpm.org/releases/rpm-4.14.x/rpm-4.14.3.tar.bz2 && tar -xvjf rpm-4.14.3.tar.bz2
cd rpm-4.14.3
./configure --prefix=/usr && make && make install
ldconfig
```

When I finished the upgrade, I could see the rpm version changed to 4.14.3.

## before upgrade

```
# rpm --showrc | wc -l
1052
# rpm --eval "%{dist}"
.el7
```

## after upgrade

```
# rpm --showrc | wc -l
556
# rpm --eval "%{dist}"
%{dist}
```

and I found that the Macro path was different.

## before upgrade

```
Macro path: /usr/lib/rpm/macros:/usr/lib/rpm/macros.d/macros.*:/usr/lib/rpm/platform/%{_target}/macros:/usr/lib/rpm/fileattrs/*.attr:/usr/lib/rpm/redhat/macros:/etc/rpm/macros.*:/etc/rpm/macros:/etc/rpm/%{_target}/macros:~/.rpmmacros
```

## after upgrade

```
Macro path: /usr/lib/rpm/macros:/usr/lib/rpm/macros.d/macros.*:/usr/lib/rpm/platform/%{_target}/macros:/usr/lib/rpm/fileattrs/*.attr:/usr/lib/rpm/unknown/macros:/usr/etc/rpm/macros.*:/usr/etc/rpm/macros:/usr/etc/rpm/%{_target}/macros:~/.rpmmacros
```

I executed the following actions:

```
# ls /usr/etc/rpm
ls: cannot access /usr/etc/rpm: No such file or director
# cp -r /etc/rpm /usr/etc
```

I still fail when I execute some rpmbuild commands.

View it on GitHub: https://github.com/rpm-software-management/rpm/discussions/3459
[Rpm-maint] [rpm-software-management/rpm] Update GPL and LGPL in COPYING (PR #3460)
The postal address of the FSF in there is no longer valid. Use license files currently available at

https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
https://www.gnu.org/licenses/old-licenses/lgpl-2.0.txt

There are minor formatting changes. The license the code is under is not changed.

Resolves: #3456

You can view, comment on, or merge this pull request online at: https://github.com/rpm-software-management/rpm/pull/3460

-- Commit Summary --

* Update GPL and LGPL in COPYING

-- File Changes --

M COPYING (70)

-- Patch Links --

https://github.com/rpm-software-management/rpm/pull/3460.patch
https://github.com/rpm-software-management/rpm/pull/3460.diff
Re: [Rpm-maint] [rpm-software-management/rpm] Use imaevm_signhash if available (PR #3458)
The test needs a bit more tweaking, I'll push a fixup commit in a moment.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3458#issuecomment-2490619770
Re: [Rpm-maint] [rpm-software-management/rpm] centos7.9 upgrade 4.11 to 4.14.1 (Discussion #3459)
> ./configure --prefix=/usr

This isn't how rpm on Centos is configured, so it's no wonder it doesn't work. When updating the system rpm beyond what the distro offers, you really need to know what you're doing. And updating beyond the original major.minor branch is not recommended even then.

View it on GitHub: https://github.com/rpm-software-management/rpm/discussions/3459#discussioncomment-1114
Re: [Rpm-maint] [rpm-software-management/rpm] Use imaevm_signhash if available (PR #3458)
Hi @stefanberger, could you please have a look at our usage of `imaevm_signhash()` here? We're not sure if we're using it right since there's no documentation available. Thanks!

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3458#issuecomment-2491005521
Re: [Rpm-maint] [rpm-software-management/rpm] Consolidate rpm format detection and terminology (PR #3461)
Meh, forgot tests... I really am not awake today.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3461#issuecomment-2491085892
Re: [Rpm-maint] [rpm-software-management/rpm] Update GPL and LGPL in COPYING (PR #3460)
Merged #3460 into master.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3460#event-15379643222
Re: [Rpm-maint] [rpm-software-management/rpm] Use imaevm_signhash if available (PR #3458)
@dmnks pushed 2 commits.

776ad98616a67ea05667e87f97eb9f357d1de47a  fixup! Add test case for ima file signatures
f86ae36dd8de4c3df97f2e45dcbfaf3e5bca3f92  fixup! Add test case for ima file signatures

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3458/files/c2273603a53753ecf81bf9ec6bceea0dbe2d18b6..f86ae36dd8de4c3df97f2e45dcbfaf3e5bca3f92
Re: [Rpm-maint] [rpm-software-management/rpm] Incorrect FSF address in COPYING license file (Issue #3456)
Closed #3456 as completed via #3460.

View it on GitHub: https://github.com/rpm-software-management/rpm/issues/3456#event-15379643483
Re: [Rpm-maint] [rpm-software-management/rpm] Use imaevm_signhash if available (PR #3458)
@pmatilai commented on this pull request.

> @@ -0,0 +1,5 @@ +-BEGIN EC PRIVATE KEY- +MHQCAQEEIAqhMWlmwcHwa2pXlyxUfPUvKMdrHHxGAkKz0EfHrlZpoAcGBSuBBAAK +oUQDQgAEhJIpSysqJlsr0+nAwQDYaqk4hkLmU+2Pje5jCpI6QfakJD+bVrXqF+5Z +xbwEh+e+lrhDLfj9+jJTOda4WD83Ng== +-END EC PRIVATE KEY-

Please document the command(s) to create the key in case somebody somewhen needs to update it for one reason or another. The commit message is fine for that.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3458#pullrequestreview-2451255439
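Review bot: the new file in this hunk is a bare EC private key with nothing in the file itself marking it as a test-only fixture, so besides recording the generation command in the commit message as requested above, the file name or an accompanying note in the tests directory should make its purpose unmistakable, and the recorded command should pin the curve: the DER inside the PEM body carries the secp256k1 OID (1.3.132.0.10), so regenerating it with a different curve would quietly change what the test exercises.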
Re: [Rpm-maint] [rpm-software-management/rpm] Use imaevm_signhash if available (PR #3458)
Oh, we're running on F40 in the CI, right. That's why, it's not deprecated there yet.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3458#issuecomment-2491363527
Re: [Rpm-maint] [rpm-software-management/rpm] Use imaevm_signhash if available (PR #3458)
@dmnks pushed 1 commit.

9790ec793ebcf5f2cf7ed66681374a2b9917d774  fixup! Use imaevm_signhash if available

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3458/files/375a17a1866b4d7c5766af8c44fe1f4d60bef948..9790ec793ebcf5f2cf7ed66681374a2b9917d774
Re: [Rpm-maint] [rpm-software-management/rpm] Use imaevm_signhash if available (PR #3458)
Hmm, that's strange, one would expect the build to blow up then...

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3458#issuecomment-2491354980
Re: [Rpm-maint] [rpm-software-management/rpm] Use imaevm_signhash if available (PR #3458)
Pushed a fixup for the symbol detection issue, now it's working fine. The solution was to use `check_library_exists()` instead of `check_function_exists()`, with the former being generally [recommended](https://cmake.org/cmake/help/latest/module/CheckFunctionExists.html) over the latter.

Note that the build still reports the function as "not found" in the CI (Fedora 40); this is because the new replacement function is only available in `/usr/lib64/libimaevm.so.5.0.0` and Fedora 40 ships with version 4. It's only *deprecated* (not obsoleted) in version 5.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3458#issuecomment-2491522112
Re: [Rpm-maint] [rpm-software-management/rpm] Use imaevm_signhash if available (PR #3458)
@ffesti, if you're ok with the test fixups, please squash them.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3458#issuecomment-2491092181
Re: [Rpm-maint] [rpm-software-management/rpm] Use imaevm_signhash if available (PR #3458)
Yep, noticed, thanks! I'm still getting the deprecation warning on cmake configuration, though. I guess the `HAVE_IMAEVM_SIGNHASH` macro isn't true for some reason (in my setup).

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3458#issuecomment-2491331523
Re: [Rpm-maint] [rpm-software-management/rpm] Use imaevm_signhash if available (PR #3458)
Yeah the same goes for CI, the log says:

> #19 4.038 -- Looking for imaevm_signhash
> #19 4.131 -- Looking for imaevm_signhash - not found

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3458#issuecomment-2491349389
Re: [Rpm-maint] [rpm-software-management/rpm] Use imaevm_signhash if available (PR #3458)
...and on my F41 locally (so ima-evm-utils-1.6.2-2.fc41.x86_64). So this new version isn't being used now.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3458#issuecomment-2491363565
Re: [Rpm-maint] [rpm-software-management/rpm] Use imaevm_signhash if available (PR #3458)
I've tried actually verifying an IMA signature made with rpm built from this branch, using the following steps:

```bash
$ cat x509_evm.genkey
# Beginning of the file
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
O = Magrathea
CN = Glacier signing key
emailAddress = slartibartfast@magrathea.h2g2

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
# EOF

$ openssl req -new -nodes -utf8 -sha256 -days 36500 -batch \
    -x509 -config x509_evm.genkey \
    -outform DER -out x509_evm.der -keyout privkey_evm.pem
$ rpmsign --addsign --signfiles --fskpath=./privkey_evm.pem foo.rpm
$ sudo rpm -Uhv ./foo.rpm
$ getfattr -m security.ima -d /path/to/file/from/foo.rpm
[...]
security.ima=
$ evmctl ima_verify --key x509_evm.der -v /path/to/file/from/foo.rpm
[...]
/path/to/file/from/foo.rpm: verification is OK
```

The `` that `getfattr` reports is the same whether the package is signed with rpm from master or from this branch, plus `evmctl` verifies it successfully.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3458#issuecomment-2491647834
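As an added example (not code from the PR, rpm or ima-evm-utils), a small Python decoder for the `security.ima` value that the `getfattr` step above prints, so the signature header can be inspected before `evmctl ima_verify` is run. It assumes the v2 signature header layout from the kernel's integrity.h (type, version, hash algorithm, big-endian 4-byte key id, big-endian 2-byte signature length, then the signature) and the ima-evm-utils convention that the key id is the last four bytes of the signing certificate's Subject Key Identifier; the xattr value and SKID used as input are constructed, not captured from a real system.

```python
"""Decode and sanity-check the security.ima xattr written by rpmsign --signfiles."""
import base64
import struct

# v2 header (struct signature_v2_hdr in the kernel's integrity.h): type, version and
# hash_algo as uint8, keyid as big-endian u32, sig_size as big-endian u16 (9 bytes total).
HDR = struct.Struct(">BBBIH")
EVM_IMA_XATTR_DIGSIG = 0x03   # xattr type for a signature, as opposed to a bare hash
HASH_ALGO = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160", 4: "sha256",
             5: "sha384", 6: "sha512", 7: "sha224"}   # low values of enum hash_algo


def decode_getfattr_value(line):
    """Turn one `security.ima=0s...` line from `getfattr -d` into raw bytes.
    getfattr prints binary values base64-encoded behind `0s` (hex behind `0x`)."""
    name, _, value = line.strip().partition("=")
    if name != "security.ima":
        raise ValueError(f"not a security.ima line: {line!r}")
    if value.startswith("0s"):
        return base64.b64decode(value[2:])
    if value.startswith("0x"):
        return bytes.fromhex(value[2:])
    raise ValueError("unexpected getfattr value encoding")


def parse_ima_sig(blob):
    """Split the xattr into header fields and signature payload, rejecting malformed input."""
    if len(blob) < HDR.size:
        raise ValueError("value shorter than the 9-byte v2 header")
    xtype, version, algo, keyid, sig_size = HDR.unpack_from(blob)
    if xtype != EVM_IMA_XATTR_DIGSIG:
        raise ValueError(f"xattr type 0x{xtype:02x} is not a digital signature")
    if version != 2:
        raise ValueError(f"unsupported signature header version {version}")
    sig = blob[HDR.size:]
    if len(sig) != sig_size:   # truncated or padded value: refuse rather than guess
        raise ValueError(f"sig_size says {sig_size} but {len(sig)} bytes follow the header")
    return {"hash_algo": HASH_ALGO.get(algo, f"unknown({algo})"),
            "keyid": f"{keyid:08x}", "sig_size": sig_size, "sig": sig}


def keyid_from_skid(skid_hex):
    """IMA key id = last four bytes of the cert's Subject Key Identifier (openssl x509 -text)."""
    return skid_hex.replace(":", "").lower()[-8:]


def check_signature_header(line, expected_skid_hex):
    """Parse one getfattr line and report whether it names the expected signing key."""
    info = parse_ima_sig(decode_getfattr_value(line))
    info["keyid_matches"] = info["keyid"] == keyid_from_skid(expected_skid_hex)
    return info


def header_is_valid(blob):
    try:
        parse_ima_sig(blob)
        return True
    except ValueError:
        return False


# Constructed sample: sha256 v2 header naming key a1b2c3d4, followed by 70 placeholder
# bytes standing in for the DER-encoded signature (not a real signature).
SAMPLE_SKID = "11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:A1:B2:C3:D4"
SAMPLE_SIG = bytes(range(70))
SAMPLE_BLOB = HDR.pack(EVM_IMA_XATTR_DIGSIG, 2, 4, 0xA1B2C3D4, len(SAMPLE_SIG)) + SAMPLE_SIG
SAMPLE_LINE = "security.ima=0s" + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    print(check_signature_header(SAMPLE_LINE, SAMPLE_SKID))
```

A key id that does not match the certificate handed to `evmctl ima_verify --key` is the first thing to check when verification fails, since the kernel uses that id to pick the key from the `.ima` keyring.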
Re: [Rpm-maint] [rpm-software-management/rpm] Use imaevm_signhash if available (PR #3458)
> Hi @stefanberger, could you please have a look at our usage of
> `imaevm_signhash()` here? We're not sure if we're using it right since
> there's no documentation available. Thanks!

Looks good to me.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3458#issuecomment-2491070851
Re: [Rpm-maint] [rpm-software-management/rpm] Use imaevm_signhash if available (PR #3458)
Squashed and command to create key added in commit message.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3458#issuecomment-2491321829
Re: [Rpm-maint] [rpm-software-management/rpm] Use imaevm_signhash if available (PR #3458)
Squashed again.

View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3458#issuecomment-2491545647
[Rpm-maint] [rpm-software-management/rpm] Additional IMA test fixups (PR #3462)
Minor issues I've noticed while working on a different IMA-related fix :smile:

You can view, comment on, or merge this pull request online at: https://github.com/rpm-software-management/rpm/pull/3462

-- Commit Summary --

* Detect missing file signatures in IMA test
* Skip IMA test when built without IMA support

-- File Changes --

M tests/atlocal.in (5)
M tests/rpmsigdig.at (3)

-- Patch Links --

https://github.com/rpm-software-management/rpm/pull/3462.patch
https://github.com/rpm-software-management/rpm/pull/3462.diff