https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 https://jira.whamcloud.com/browse/LU-1354 Lustre <p>The current RHEL RPM's as delievered by whamcould are not signed with a PKI certificate. It would be beneficial if Whamcloud could sign the RPM's with PKI to verify that Whamcloud is in fact the author of the RPM's.</p> LU-1354

PGP Sign RPM's

New Feature Minor Open Unresolved Oleg Drokin Michael Di Domenico mq115 Mon, 30 Apr 2012 12:52:48 +0000 Wed, 1 Sep 2021 08:37:05 +0000 Lustre 2.7.0 Lustre 2.5.5 1 17 <p>We certainly could create a GPG key and sign our RPMs with it. It would be a key with likely no web of trust to it from you though so how much would you really trust it?</p> <p>Well some trust is better then no trust, eh? But it does provide someone an ability to verify that the packages were created by a specific person and that the packages have not been altered down the chain.</p> <p><a href="http://docs.redhat.com/docs/en-US/Red_Hat_Network_Satellite/5.3/html/Deployment_Guide/satops-rpm-building.html" class="external-link" target="_blank" rel="nofollow noopener">http://docs.redhat.com/docs/en-US/Red_Hat_Network_Satellite/5.3/html/Deployment_Guide/satops-rpm-building.html</a></p> <p>as long as the passphrase is safe and the whamcloud servers remain protected, I should be able to sign-off to an auditor that the software I downloaded did in fact come from and was produced by Whamcloud. The only other way I can make that claim with any real distinction would be to have a (silver, non-r/w) CD mailed from whamcloud to me.</p> <p>There are several people (myself, Brian Murrell, maybe Oleg) on the HPDD team that have well-known keys that could sign an RPM-signing key.</p> <p>It would be valuable to have the RPMS finally signed - also in order to use them properly with configuration management tools like Puppet, etc.</p> <p>If we're going to sign rpms, we should also consider signing the modules so they will work in a FIPS enabled kernel.</p> <p><a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations" class="external-link" target="_blank" rel="nofollow noopener">https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations</a></p> <p><a href="https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html" class="external-link" target="_blank" rel="nofollow noopener">https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html</a></p> <p> </p> <p>Nathaniel Clark (nclark@whamcloud.com) uploaded a new patch: <a href="https://review.whamcloud.com/34132" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/34132</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-1354" title="PGP Sign RPM&#39;s" class="issue-link" data-issue-key="LU-1354">LU-1354</a> build: Sign kernel modules during build<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: 1<br/> Commit: a51e35b679049fbe1e358dd98b3158df0f5abd25</p> <p>After further investigation. The module signing / cert management is as follows:</p> <ol> <li>During the kernel build, a unique pub/priv key is generated (using info in <tt>kernelsource/x509.genkey</tt>): <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>kernelsource/signing_key.{x509,priv} </pre> </div></div></li> </ol> <ol> <li>All certificates in kernel source dir (files with the .x509 extension) are signed with the per-kernel key and included in the default trust chain.</li> <li>All kernel modules are signed with the <tt>signing_key</tt> and thus any module signed with those would also be acceptable.</li> </ol> <p>NOTE:<br/> CentOS does not sign any of the provided kmod-* packaged modules.</p> <p>Is there any news on this topic ?</p> <p>Bumping this topic. Any news?</p> <p>Sigh. The latest Ubuntu enforces this now <img class="emoticon" src="https://jira.whamcloud.com/images/icons/emoticons/sad.png" height="16" width="16" align="absmiddle" alt="" border="0"/></p> <p>[ 4874.368433] Lockdown: insmod: unsigned module loading is restricted; see man kernel_lockdown.7</p> <p>By latest, do you mean latest kernel for Ubuntu 20.04 LTS, or kernel on latest Ubuntu 21.04 ?</p> Related Development Rank 1|hzw2t3: Rank (Obsolete) 10537