Fedora 37 Looks To Begin Signing RPM Contents For Greater Trust

Written by Michael Larabel in Fedora on 5 April 2022 at 05:37 AM EDT. 23 Comments
FEDORA
With Fedora 36 working its way towards release later this month, more developer attention and planning is turning to Fedora 37 that will be released this autumn. One of the changes being talked about this week is for signing RPM contents for a means of trusting the files that are executed.

The Fedora 37 change proposal is for adding IMA-based signatures to the individual files that are part of shipped RPM packages. This will allow for enforcing run-time policies by system administrators to ensure the execution of only trusted files or similar policies.


Fedora 36 is shipping in a few weeks while already there is feature talk around Fedora 37 for release towards the end of the year.


Files within RPMs would be signed with IMA signatures using a key that's maintained by the Fedora infrastructure team and installed on the sign vaults. These signatures could be used with the Integrity Measurement Architecture of the Linux kernel to allow execution based on policy. This wouldn't by default prevent users from executing non-official binaries/packages or the like but all the pieces would be there for system administrators wanting to enforce such policy. In other words, no restrictions would be put in place for the "average Fedora user."

The downside of this RPM signing is a slight increase to the size of the signed RPMs (about 1% larger) while the size of the RPM database can increase by about 20% based on tests.

Those interested in Fedora's RPM signing plans for F37 can see this change proposal for all the details on this likely security feature coming to Fedora Linux in the latter half of the year.
23 Comments
Related News
Btrfs SIG Established For Advancing Btrfs Interests On Fedora
Fedora COSMIC Desktop Spin Proposed For Fedora 42
Fedora 42 Looking To Package Intel SGX Software Stack
Fedora 42 Aims To Enhance The Windows Subsystem For Linux Experience
Fedora Stakeholders Debate Concerns Over "Karma" Term For Their Updates System
Fedora KDE Desktop Spin Promoted To Same Tier As GNOME-Based Fedora Workstation
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
OpenWrt Affected By Security Issue That Could Have Led To Compromised Build Artifacts
How AMD Is Taking Standard C/C++ Code To Run Directly On GPUs
Linux EFI Zboot Abandoning "Compression Library Museum", Focusing On Gzip & Zstd
Ptyxis Becomes Ubuntu's Recommended Replacement To GNOME Terminal
GNU Shepherd 1.0 Service Manager Released As "Solid Tool" Alternative To systemd
NTSYNC Linux Patches Revived To Help Boost Steam Play Gaming Performance
KDE Starts December By Landing A Number Of New Features
Rust-Based, Memory-Safe PNG Decoders "Vastly Outperform" C-Based PNG Libraries