Fedora 34 Looks To Sign Individual Files Within RPMs

Written by Michael Larabel in Fedora on 6 January 2021 at 10:39 AM EST.

Yet another big change being eyed for Fedora 34 is to sign individual files within shipped RPM packages. The signatures will use the Linux Integrity Measurement Architecture (IMA) and can in turn be used to enforce run-time policies that allow only trusted files to be executed.

The proposal laid out this week is to sign all files within Fedora RPMs with IMA signatures. The signatures will be made using a key held by the Fedora Infrastructure team.

By leveraging the Linux Integrity Measurement Architecture, interested users and administrators can create IMA policies, such as allowing only "trusted" (signed) executables to run on the system, or other similar security policies.
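Before enforcing a signed-only policy, an administrator needs to know which files actually carry an IMA signature rather than a plain hash or no label at all. The following is an added example, not code from the article or the Fedora proposal: it classifies the raw `security.ima` extended attribute using the kernel's `signature_v2_hdr` layout. The function names and the sample bytes are constructed for illustration.

```python
import os
import struct

# First byte of security.ima (kernel enum evm_ima_xattr_type)
IMA_XATTR_DIGEST = 0x01      # legacy hash, no signature
EVM_IMA_XATTR_DIGSIG = 0x03  # digital signature
IMA_XATTR_DIGEST_NG = 0x04   # hash prefixed with an algorithm id

# Subset of the kernel's enum hash_algo
HASH_ALGOS = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}
HDR = struct.Struct(">BBBIH")  # type, version, hash_algo, keyid, sig_size

# Constructed sample: v2 header, sha256, key id deadbeef, 4-byte dummy signature
SAMPLE_SIGNED = bytes([0x03, 0x02, 0x04]) + bytes.fromhex("deadbeef") \
    + (4).to_bytes(2, "big") + b"\x00" * 4


def classify_ima_xattr(raw):
    """Describe a raw security.ima value (bytes, or None when absent)."""
    if not raw:
        return {"status": "unlabeled"}
    kind = raw[0]
    if kind in (IMA_XATTR_DIGEST, IMA_XATTR_DIGEST_NG):
        return {"status": "hash-only"}
    if kind != EVM_IMA_XATTR_DIGSIG:
        return {"status": "unknown", "type": kind}
    if len(raw) < HDR.size:
        return {"status": "malformed"}
    _, version, algo, keyid, sig_size = HDR.unpack_from(raw)
    # The declared signature length must match the bytes that follow the header.
    if sig_size != len(raw) - HDR.size:
        return {"status": "malformed"}
    return {"status": "signed", "version": version,
            "hash": HASH_ALGOS.get(algo, f"algo-{algo}"),
            "keyid": f"{keyid:08x}"}


def read_ima_xattr(path):
    """Return the security.ima value for path, or None if it has none."""
    try:
        return os.getxattr(path, "security.ima")
    except OSError:
        return None


def audit(paths, read=read_ima_xattr):
    """Map each path to its classification; `read` is injectable for testing."""
    return {p: classify_ima_xattr(read(p)) for p in paths}
```

The `keyid` reported here only identifies which key made the signature; verifying the signature itself is the kernel's job at appraisal time.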

More details on this plan for signing the contents of Fedora RPMs beginning with Fedora 34 can be found via the Fedora Project Wiki. The Fedora Engineering and Steering Committee still needs to review this proposal, and because it is considered a late system-wide change, it risks being punted to Fedora 35 later this year. In any case, it looks like this year Fedora could be better supporting IMA for increased system security.