[LU-1354] PGP Sign RPM's - Whamcloud Community JIRA

Details

Type: New Feature
Resolution: Unresolved
Priority: Minor
Fix Version/s: None
Affects Version/s: Lustre 2.7.0, Lustre 2.5.5
Labels:
- mq115

Rank (Obsolete):
10537

Description

The current RHEL RPM's as delievered by whamcould are not signed with a PKI certificate. It would be beneficial if Whamcloud could sign the RPM's with PKI to verify that Whamcloud is in fact the author of the RPM's.

Attachments

Activity

[LU-1354] PGP Sign RPM's

Aurelien Degremont (Inactive) added a comment - 01/Sep/21 8:37 AM

By latest, do you mean latest kernel for Ubuntu 20.04 LTS, or kernel on latest Ubuntu 21.04 ?

Aurelien Degremont (Inactive) added a comment - 01/Sep/21 8:37 AM By latest, do you mean latest kernel for Ubuntu 20.04 LTS, or kernel on latest Ubuntu 21.04 ?

James A Simmons added a comment - 31/Aug/21 4:50 PM

Sigh. The latest Ubuntu enforces this now

[ 4874.368433] Lockdown: insmod: unsigned module loading is restricted; see man kernel_lockdown.7

James A Simmons added a comment - 31/Aug/21 4:50 PM Sigh. The latest Ubuntu enforces this now [ 4874.368433] Lockdown: insmod: unsigned module loading is restricted; see man kernel_lockdown.7

Tomer Perry made changes - 01/Dec/20 7:00 PM

Link

New: This issue is related to EX-2205 [ EX-2205 ]

Tomer Perry made changes - 01/Dec/20 7:00 PM

Link

Original: This issue is blocked by EX-2205 [ EX-2205 ]

Tomer Perry made changes - 01/Dec/20 6:59 PM

Link

New: This issue is blocked by EX-2205 [ EX-2205 ]

Andreas Dilger made changes - 12/Nov/20 6:03 PM

Link

New: This issue is related to DDN-1648 [ DDN-1648 ]

James McKenna added a comment - 25/Nov/19 5:19 PM - edited

Bumping this topic. Any news?

James McKenna added a comment - 25/Nov/19 5:19 PM - edited Bumping this topic. Any news?

Aurelien Degremont (Inactive) added a comment - 12/Jul/19 4:10 PM

Is there any news on this topic ?

Aurelien Degremont (Inactive) added a comment - 12/Jul/19 4:10 PM Is there any news on this topic ?

Nathaniel Clark made changes - 30/Jan/19 2:03 PM

Link

New: This issue is related to DOE-20 [ DOE-20 ]

Nathaniel Clark added a comment - 30/Jan/19 1:26 PM

After further investigation. The module signing / cert management is as follows:

During the kernel build, a unique pub/priv key is generated (using info in kernelsource/x509.genkey):
```
kernelsource/signing_key.{x509,priv}
```

All certificates in kernel source dir (files with the .x509 extension) are signed with the per-kernel key and included in the default trust chain.
All kernel modules are signed with the signing_key and thus any module signed with those would also be acceptable.

NOTE:
CentOS does not sign any of the provided kmod-* packaged modules.

Nathaniel Clark added a comment - 30/Jan/19 1:26 PM After further investigation. The module signing / cert management is as follows: During the kernel build, a unique pub/priv key is generated (using info in kernelsource/x509.genkey ): kernelsource/signing_key.{x509,priv} All certificates in kernel source dir (files with the .x509 extension) are signed with the per-kernel key and included in the default trust chain. All kernel modules are signed with the signing_key and thus any module signed with those would also be acceptable. NOTE: CentOS does not sign any of the provided kmod-* packaged modules.

People

Assignee:: Oleg Drokin

Reporter:: Michael Di Domenico

Votes:: 1 Vote for this issue

Watchers:: 17 Start watching this issue

Dates

Created:: 30/Apr/12 12:52 PM

Updated:: 01/Sep/21 8:37 AM