On Fri, Dec 03, 2021 at 05:31:21PM -0000, Boris Burkov via devel wrote:
The top-level hash is calculated for each file, then that hash is
signed with the inputted rsa key pair and the signed hash is appended to the array of
signed hashes in the rpm metadata. I am guessing the way we worded the proposal is a
little unclear because we call it "the" signature when it's one rpm metadata
item that's an array of the signatures.
fs-verity the kernel feature operates on a per-file basis, and since the ultimate goal is
to deliver fs-verity enabled files on the installer's system, we need each file's
signature in the rpm. At install, we call the fs-verity enable ioctl for each file,
passing in its signature to make use of the kernel authentication functionality.
What exactly is appended to the rpm:
a) the merkle tree
b) the top-level hash from the merkle tree
c) the signature for b
d) some combination of a, b, c?
Above you seem to say "b+c" ("signed hash").
In the Change page:
at build time, we compute the Merkle tree for the files within a
package, then sign it and ship it as part of the rpm metadata;
…which is "a".
"c" would make sense to me.