Show Your Support: This site is primarily supported by advertisements. Ads are what have allowed this site to be maintained on a daily basis for the past 18+ years. We do our best to ensure only clean, relevant ads are shown, when any nasty ads are detected, we work to remove them ASAP. If you would like to view the site without ads while still supporting our work, please consider our ad-free Phoronix Premium.
Fedora 37 Looks To Begin Signing RPM Contents For Greater Trust
The Fedora 37 change proposal is for adding IMA-based signatures to the individual files that are part of shipped RPM packages. This will allow for enforcing run-time policies by system administrators to ensure the execution of only trusted files or similar policies.
Fedora 36 is shipping in a few weeks while already there is feature talk around Fedora 37 for release towards the end of the year.
Files within RPMs would be signed with IMA signatures using a key that's maintained by the Fedora infrastructure team and installed on the sign vaults. These signatures could be used with the Integrity Measurement Architecture of the Linux kernel to allow execution based on policy. This wouldn't by default prevent users from executing non-official binaries/packages or the like but all the pieces would be there for system administrators wanting to enforce such policy. In other words, no restrictions would be put in place for the "average Fedora user."
The downside of this RPM signing is a slight increase to the size of the signed RPMs (about 1% larger) while the size of the RPM database can increase by about 20% based on tests.
Those interested in Fedora's RPM signing plans for F37 can see this change proposal for all the details on this likely security feature coming to Fedora Linux in the latter half of the year.