The “rpm signature of each individual file in an rpm” work seems to never have made it.
Would that be Changes/FsVerityRPM - Fedora Project Wiki?
What would most Fedora users use this for or benefit from it?
Broadly speaking, fs-verity makes it possible to ensure that files that were installed via an RPM have not been modified. It is useful in environments where an attacker might be able to modify system files (say, replace /bin/ls with a compromised version) and you want to protect against that. For example, consider an appliance-like system placed in an untrusted location where you may not be able to control who has physical access (this could be a server, but it could also be a kiosk in an internet point or a school). In this scenario, fs-verity can be one of the building blocks to ensure and maintain system trust.
This Change is mostly about putting in place the necessary plumbing for this to be at all possible.
As for the original RPM signature, it looks like there might be complications between that and the RPM CoW code that is being worked on:
As mentioned previously, the final RPM which is on-disk after having been transcoded by rpm2extents is not a bitwise copy of the original RPM; as such, signature/digest verifications on anything that includes the payload will not work.
The current approach is that rpm2extents performs the signature validation while streaming the original RPM. The result of this verification (return code + text output) is written into the transcoded RPM trailing metadata so it can be re-used later by rpmkeys, or anything that needs to validate the package like rpm -i.
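To make concrete what "files installed via an RPM have not been modified" means at the fs-verity level, here is an added example (it is not code from the Change page, from rpm, or from fsverity-utils) that computes an fs-verity file digest in pure Python. It follows the on-disk format from the kernel's fs-verity documentation with the fsverity-utils defaults assumed: SHA-256, 4096-byte blocks and no salt. The result is the value the kernel returns for FS_IOC_MEASURE_VERITY and that fsverity-utils prints for `fsverity digest FILE` (without the leading "sha256:"), which is what a per-file signature in an RPM would be made over, and what an attacker replacing /bin/ls would have to forge.

```python
# Added example: fs-verity file digest computed in pure Python.
# Not from the Fedora Change, rpm or fsverity-utils; assumptions are the
# fsverity-utils defaults (SHA-256, 4096-byte blocks, empty salt).
import hashlib
import struct

BLOCK_SIZE = 4096        # log_blocksize = 12
HASH_ALG_SHA256 = 1      # FS_VERITY_HASH_ALG_SHA256
DIGEST_SIZE = 32


def _hash_block(block: bytes, salt: bytes) -> bytes:
    """Hash one block, zero-padded to BLOCK_SIZE, with the salt prepended."""
    assert len(block) <= BLOCK_SIZE
    return hashlib.sha256(salt + block.ljust(BLOCK_SIZE, b"\0")).digest()


def merkle_root(data: bytes, salt: bytes = b"") -> bytes:
    """Root hash of the fs-verity Merkle tree over `data`.

    Level 0 hashes the data blocks. Each higher level packs the previous
    level's hashes (128 per block) into blocks and hashes those, until one
    hash remains. An empty file has no tree and a root hash of all zeros;
    a file that fits in one block has that block's hash as its root.
    """
    if not data:
        return b"\0" * DIGEST_SIZE
    level = [_hash_block(data[i:i + BLOCK_SIZE], salt)
             for i in range(0, len(data), BLOCK_SIZE)]
    while len(level) > 1:
        packed = b"".join(level)
        level = [_hash_block(packed[i:i + BLOCK_SIZE], salt)
                 for i in range(0, len(packed), BLOCK_SIZE)]
    return level[0]


def fsverity_descriptor(data: bytes, salt: bytes = b"") -> bytes:
    """Build the 256-byte struct fsverity_descriptor (version 1)."""
    assert len(salt) <= 32
    root = merkle_root(data, salt)
    desc = struct.pack(
        "<BBBBIQ",
        1,                            # version
        HASH_ALG_SHA256,              # hash_algorithm
        BLOCK_SIZE.bit_length() - 1,  # log_blocksize (12 for 4096)
        len(salt),                    # salt_size
        0,                            # __reserved_0x04
        len(data),                    # data_size
    )
    desc += root.ljust(64, b"\0")     # root_hash[64]
    desc += salt.ljust(32, b"\0")     # salt[32]
    desc += b"\0" * 144               # __reserved[144]
    assert len(desc) == 256
    return desc


def fsverity_digest(data: bytes, salt: bytes = b"") -> str:
    """The fs-verity file digest: SHA-256 over the descriptor, as hex."""
    return hashlib.sha256(fsverity_descriptor(data, salt)).hexdigest()


if __name__ == "__main__":
    # Constructed sample "file" spanning two data blocks, and a copy with a
    # single byte flipped, as an attacker tampering with a binary would do.
    original = bytes(range(256)) * 20          # 5120 bytes
    tampered = original[:4100] + b"\xff" + original[4101:]
    print("original:", fsverity_digest(original))
    print("tampered:", fsverity_digest(tampered))
```

To cross-check on a real system, write the same bytes to a file and compare with `fsverity digest FILE` from fsverity-utils. Note that the digest commits to the file size and hash parameters as well as the content, which is why the descriptor, not the bare root hash, is what gets signed.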
You can check the following:
- The imported keys against the ones from official sites.
- The signatures of all installed packages against the imported keys.
# List imported keys
rpmkeys --list

# List packages whose header signature is not by one of the imported keys.
# The patterns are " <KEYID>$", one per imported key, built from the armored
# keys that rpm stores in the %{DESCRIPTION} of the gpg-pubkey packages.
# rpm prints key IDs in lower case and gpg in upper case, hence grep -i.
# Only the RSA header signature (%{RSAHEADER:pgpsig}) is looked at; a
# package without one prints "(none)" and is therefore listed.
rpmsig_verify() {
    local SYSTEM_ROOT="${1:-/}"
    grep -v -i -f \
        <(rpm --root="${SYSTEM_ROOT}" -q --qf="%{DESCRIPTION}" gpg-pubkey \
            | gpg --with-colons --show-keys \
            | awk -F ':' '$5 { print " " $5 "$" }') \
        <(rpm --root="${SYSTEM_ROOT}" -q -a \
            --qf="%{NAME}-%{VERSION}-%{RELEASE}%|ARCH?{.%{ARCH}}|\t%{RSAHEADER:pgpsig}\n")
}
rpmsig_verify
This should list only packages with missing or broken signatures, if any.
Ideally, you should check this from a live session to avoid possible rootkits.