[RFC PATCH 0/3] Including file signatures in .deb packages]
We're looking to include file signatures in the different package
formats (eg.rpm, deb) and install them as 'security.ima' extended
attributes(xattrs). These signatures could then be used to enforce
local file integrity and included in the IMA measurement list to
provide file provenance.
This patch set adds debhelper support for dpkg for adding file
signatures to .deb packages and for installing those signatures as
IMA xattrs at package install time.
The existing md5sums file contains the file hash and name for each file
included in the package. This makes it the most logical place for
storing the file signatures, other than the hash being md5. For now,
this patch set assumes the existence of an equivalent sha256sums file.
(For convenience, I've duplicated the dh_md5sums helper naming it
Depending on the relationship of the build and signing server, the
signatures could either be appended during the package build process
or post build. Included in this patch set is a sample script that
opens the package, extracts the sha256sums file, appends the
signatures, and inserts the new sha256sums file with the appended
signatures in the deb package.
To install the file signatures, this patch set defines the debhelper
dh_installfile-sigs and the postinst-file-sigs autoscript. Although
the sha256sums file should contain signatures for all files, the
autoscript currently only installs the signatures for ELF files and
scripts, making them "immutable".
Mimi Zohar (3):
Define a new debhelper dh_installfile-sigs and postinst autoscript
Temporarily define a deb helper dh_sha256sums
Include sample script named ima-signhashes.sh
autoscripts/postinst-file-sigs | 17 +++++++
dh | 2 +
dh_installfile-sigs | 46 +++++++++++++++++++
dh_sha256sums | 101 +++++++++++++++++++++++++++++++++++++++++
examples/ima-signhashes.sh | 79 ++++++++++++++++++++++++++++++++
5 files changed, 245 insertions(+)
create mode 100644 autoscripts/postinst-file-sigs
create mode 100755 dh_installfile-sigs
create mode 100755 dh_sha256sums
create mode 100755 examples/ima-signhashes.sh