Show Your Support: Did you know that you can get Phoronix Premium for under $4 per month? Try it today to view our site ad-free, multi-page articles on a single page, and more while the proceeds allow us to write more Linux hardware reviews. At the very least, please disable your ad-blocker.
Fedora 37 Looks To Begin Signing RPM Contents For Greater Trust
The Fedora 37 change proposal is for adding IMA-based signatures to the individual files that are part of shipped RPM packages. This will allow for enforcing run-time policies by system administrators to ensure the execution of only trusted files or similar policies.
Fedora 36 is shipping in a few weeks while already there is feature talk around Fedora 37 for release towards the end of the year.
Files within RPMs would be signed with IMA signatures using a key that's maintained by the Fedora infrastructure team and installed on the sign vaults. These signatures could be used with the Integrity Measurement Architecture of the Linux kernel to allow execution based on policy. This wouldn't by default prevent users from executing non-official binaries/packages or the like but all the pieces would be there for system administrators wanting to enforce such policy. In other words, no restrictions would be put in place for the "average Fedora user."
The downside of this RPM signing is a slight increase to the size of the signed RPMs (about 1% larger) while the size of the RPM database can increase by about 20% based on tests.
Those interested in Fedora's RPM signing plans for F37 can see this change proposal for all the details on this likely security feature coming to Fedora Linux in the latter half of the year.