Bugzilla – Bug 1187814
IMA/EVM is not enabled in the RPM package
Last modified: 2021-08-13 11:09:04 UTC
Seems that IMA/EVM is not enabled in the openSUSE RPM package, and this makes some options in rpmsign (like --signfiles) not available by default.
sr#903002 should do
Why would you want to enable it? The build service cannot create such signatures. We can't really use it for SLE. I don't see how it is relevant for openSUSE.
(In reply to Michael Schröder from comment #2)
> Why would you want to enable it? The build service cannot create such
> signatures. We can't really use it for SLE. I don't see how it is relevant
> for openSUSE.

That is correct. But I want to integrate IMA in openSUSE TW / MicroOS somehow, and later in SLE Micro.

For obs-sign I created this issue: https://github.com/openSUSE/obs-sign/issues/29

Maybe I can duplicate it here in bsc/boo. It can be that if obs-sign gains the feature for signing files, we can drop this one, but I did not test the rpm ima plugin yet (even though we distribute it).
Well, we can't do this easily. Signing each file individually would absolutely kill the signer. It's currently bad enough with the kernel modules. I'm not saying that this can't be done, but the current way we create signatures is simply too slow. So there's a major effort needed to change the way the signer works (e.g. by no longer calling gpg for each signature but using libgcrypt directly).
Hi Lubos, would you please take a look at this issue? Maybe it can be closed as FEATURE?