On Thu, Jan 6, 2022 at 5:17 AM Patrick マルタインアンドレアス Uiterwijk
<puiterwijk(a)redhat.com> wrote:
> - How do I generate my own new keypair so I can IMA-sign an RPM?
> You can generate the key with the standard OpenSSL commands.
> For example, an RSA key can be generated like:
> openssl genrsa | openssl pkcs8 -topk8 -nocrypt -outform DER -out privatekey.der
> (do note that the key will need to be in DER format).
Thanks for these tips.
rpm-sign complains when I use a DER-formatted key. I switched to a
regular PEM-formatted key file, and that works. Looking at libimaevm's
read_priv_pkey(), it checks for a "pkcs11:" URI, and if it doesn't
find that string prefix, it just calls fopen and PEM_read_PrivateKey.
Reading rpm_head_signing/verify_rpm.py it looks like you're sending a
DER-formatted file to "evmctl ima_verify". I guess that's where the
DER format comes in?
Something else I'm wondering: rpmsign writes those four-byte "keyid"
values to my FILESIGNATURE entries even if I don't have a public cert
at all. How does it do that? I see verify_rpm.py checks the RPM's
keyid values against the final four bytes of a sha1 of a public
certificate, but what if I haven't generated that yet?
Also, on Rawhide, rpmsign fails with an error in EVP_PKEY_sign.
Example with a random SRPM:
rpmsign --addsign --define "_gpg_name security(a)example.com" --signfiles --fskpath privatekey.pem bash-5.1.8-3.fc36.src.rpm
bash-5.1.8-3.fc36.src.rpm:
hash(sha1): 9958fb4ee30415c75bd992982ac1463c6ff6ce739e00aaf7d7ad992feb0b40f1
sign_hash_v2: signing failed: (invalid digest length) in EVP_PKEY_sign
openssl: error:1C8000A6:Provider routines::invalid digest length
error: sign_hash failed
error: signFile failed
Since this works on CentOS Stream 9, I updated my Rawhide test
environment from ima-evm-utils-1.3.2-4.fc36 to the version in CentOS 9
Stream (ima-evm-utils-1.4-4), then rebuilt rpm-4.17.0-4.fc36 against
the newer libimaevm.so.3.0.0, and then I could use --signfiles in
Rawhide. My builds are at
https://fedorapeople.org/~ktdreyer/ima/ .
I think the next step is to get ima-evm-utils 1.4 into Fedora.
- Ken
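An added example (not from Ken's mail, rpm or ima-evm-utils) that mirrors the read_priv_pkey() dispatch Ken describes, where only a "pkcs11:" URI is special-cased and everything else goes to PEM_read_PrivateKey, and wraps a PKCS#8 DER key in the unencrypted PEM form that call accepts; the function names and the sample DER blob are constructed for illustration.

```python
import base64
import re

# libimaevm's read_priv_pkey() only special-cases a "pkcs11:" URI and otherwise
# hands the file to PEM_read_PrivateKey, so a DER key is rejected.  These helpers
# mirror that order of checks and convert DER to the PEM that the call accepts.
PEM_HEADER = b"-----BEGIN PRIVATE KEY-----"
PEM_FOOTER = b"-----END PRIVATE KEY-----"
_PEM_BEGIN = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")

def der_sequence_len(data: bytes) -> int:
    """Total length of the DER SEQUENCE at the start of data, or -1 if absent."""
    if len(data) < 2 or data[0] != 0x30:
        return -1
    first = data[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def classify_key_source(spec: str, data: bytes) -> str:
    """Same order of checks as read_priv_pkey: pkcs11 URI, then PEM, then DER."""
    if spec.startswith("pkcs11:"):
        return "pkcs11"
    if _PEM_BEGIN.search(data):
        return "pem"
    if der_sequence_len(data) == len(data):
        return "der"                       # well-formed DER; PEM_read_PrivateKey still rejects it
    return "unknown"

def pkcs8_der_to_pem(der: bytes) -> bytes:
    """Equivalent of `openssl pkcs8 -topk8 -nocrypt` without `-outform DER`."""
    if der_sequence_len(der) != len(der):
        raise ValueError("input is not a single DER SEQUENCE")
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + b"\n"

def pem_to_der(pem: bytes) -> bytes:
    body = pem.split(PEM_HEADER, 1)[1].split(PEM_FOOTER, 1)[0]
    return base64.b64decode(b"".join(body.split()))

# Constructed sample: a structurally valid PKCS#8 PrivateKeyInfo (version 0,
# rsaEncryption OID 1.2.840.113549.1.1.1) whose RSA key body is a placeholder.
SAMPLE_DER = bytes.fromhex(
    "3016020100300d06092a864886f70d0101010500"  # SEQUENCE { INTEGER 0, AlgorithmIdentifier }
    "04023000")                                 # OCTET STRING holding a placeholder key body
```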