If I enable FS-verity and later find that I need to patch a file to fix
some problem, how do I as the sysadmin tell Linux that this change is
authorized? Do I disable FS-verity for that specific file? Disable
FS-verity globally? Add my own key to the kernel's keyring? Build and
sign my own RPM package?
What prevents an attacker from doing the same?
I think this is a good, fair point and is a serious tradeoff in authenticating distributed
files. However, I believe it should be possible for the user to securely configure a
keypair and load the certificate in the fs-verity keyring s.t. they can sign the files
they craft themselves, without allowing an attacker to, just like they would normally
sign things. So you could copy the file, modify it to your liking (or just rebuild the
rpm locally) then enable verity with your own signature.
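
The workflow described in the reply above, sketched with `openssl`, `keyctl` and the `fsverity` tool from fsverity-utils. This is an added example, not part of either poster's message; the function names, the `DRY_RUN` switch, the certificate subject and all file paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: sign a locally patched file with an admin-owned fs-verity key.
# Function names, DRY_RUN and every path are illustrative placeholders.

# Run a command, or only print it when DRY_RUN=1 (to review the plan first).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One-time setup: create the keypair and make the kernel trust its certificate.
# Whoever can read key.pem can sign files, so keep it off the protected host
# if possible and copy only cert.der over.
setup_verity_key() {
    keydir=$1
    run openssl req -newkey rsa:4096 -nodes -keyout "$keydir/key.pem" \
        -x509 -days 365 -subj "/CN=local fs-verity signer" \
        -out "$keydir/cert.pem"
    run openssl x509 -in "$keydir/cert.pem" -outform der -out "$keydir/cert.der"
    # Load the certificate into the kernel's .fs-verity keyring (needs root).
    run sh -c "keyctl padd asymmetric '' %keyring:.fs-verity < '$keydir/cert.der'"
    # Refuse any further keys on this keyring, so a later attacker cannot
    # add a certificate of their own the same way.
    run keyctl restrict_keyring %keyring:.fs-verity
    # Only allow verity to be enabled on files that carry a valid signature.
    run sysctl -w fs.verity.require_signatures=1
}

# Per file: a verity file is read-only, so work on a copy (the copy does not
# inherit verity), edit it, sign it, then enable verity with that signature.
# Usage: resign_patched_file ORIG COPY KEYDIR [EDIT-COMMAND...]
resign_patched_file() {
    orig=$1 patched=$2 keydir=$3
    shift 3
    run cp -- "$orig" "$patched"
    # Remaining arguments, if any, are the edit command; it gets the copy's path.
    if [ "$#" -gt 0 ]; then run "$@" "$patched"; fi
    run fsverity sign "$patched" "$patched.sig" \
        --key="$keydir/key.pem" --cert="$keydir/cert.pem"
    run fsverity enable "$patched" --signature="$patched.sig"
    run fsverity measure "$patched"
}
```

Running with `DRY_RUN=1` prints the commands without touching the keyring or any file; the real run needs root and a kernel built with fs-verity built-in signature support.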