[LU-1354] PGP Sign RPM's Created: 30/Apr/12  Updated: 01/Sep/21

Status: Open
Project: Lustre
Component/s: None
Affects Version/s: Lustre 2.7.0, Lustre 2.5.5
Fix Version/s: None

Type: New Feature Priority: Minor
Reporter: Michael Di Domenico Assignee: Oleg Drokin
Resolution: Unresolved Votes: 1
Labels: mq115

Issue Links:
Related
Rank (Obsolete): 10537

 Description   

The current RHEL RPM's as delievered by whamcould are not signed with a PKI certificate. It would be beneficial if Whamcloud could sign the RPM's with PKI to verify that Whamcloud is in fact the author of the RPM's.

 Comments   
Comment by Brian Murrell (Inactive) [ 30/Apr/12 ]

We certainly could create a GPG key and sign our RPMs with it. It would be a key with likely no web of trust to it from you though so how much would you really trust it?

Comment by Michael Di Domenico [ 01/May/12 ]

Well some trust is better then no trust, eh? But it does provide someone an ability to verify that the packages were created by a specific person and that the packages have not been altered down the chain.

http://docs.redhat.com/docs/en-US/Red_Hat_Network_Satellite/5.3/html/Deployment_Guide/satops-rpm-building.html

as long as the passphrase is safe and the whamcloud servers remain protected, I should be able to sign-off to an auditor that the software I downloaded did in fact come from and was produced by Whamcloud. The only other way I can make that claim with any real distinction would be to have a (silver, non-r/w) CD mailed from whamcloud to me.

Comment by Andreas Dilger [ 06/Nov/13 ]

There are several people (myself, Brian Murrell, maybe Oleg) on the HPDD team that have well-known keys that could sign an RPM-signing key.

Comment by Marcin Dulak [ 05/Mar/15 ]

It would be valuable to have the RPMS finally signed - also in order to use them properly with configuration management tools like Puppet, etc.

Comment by Nathaniel Clark [ 29/Jan/19 ]

If we're going to sign rpms, we should also consider signing the modules so they will work in a FIPS enabled kernel.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations

https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html

 

Comment by Gerrit Updater [ 29/Jan/19 ]

Nathaniel Clark (nclark@whamcloud.com) uploaded a new patch: https://review.whamcloud.com/34132
Subject: LU-1354 build: Sign kernel modules during build
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: a51e35b679049fbe1e358dd98b3158df0f5abd25

Comment by Nathaniel Clark [ 30/Jan/19 ]

After further investigation. The module signing / cert management is as follows:

  1. During the kernel build, a unique pub/priv key is generated (using info in kernelsource/x509.genkey): 
    kernelsource/signing_key.{x509,priv}
  1. All certificates in kernel source dir (files with the .x509 extension) are signed with the per-kernel key and included in the default trust chain.
  2. All kernel modules are signed with the signing_key and thus any module signed with those would also be acceptable.

NOTE:
CentOS does not sign any of the provided kmod-* packaged modules.

Comment by Aurelien Degremont (Inactive) [ 12/Jul/19 ]

Is there any news on this topic ?

Comment by James McKenna [ 25/Nov/19 ]

Bumping this topic. Any news?

Comment by James A Simmons [ 31/Aug/21 ]

Sigh. The latest Ubuntu enforces this now

[ 4874.368433] Lockdown: insmod: unsigned module loading is restricted; see man kernel_lockdown.7

Comment by Aurelien Degremont (Inactive) [ 01/Sep/21 ]

By latest, do you mean latest kernel for Ubuntu 20.04 LTS, or kernel on latest Ubuntu 21.04 ?

Generated at Sat Feb 10 01:15:54 UTC 2024 using Jira 9.4.14#940014-sha1:734e6822bbf0d45eff9af51f82432957f73aa32c.