Distributing files with signatures

Session information has not yet been published for this event.

60 Minute BoF session
Scheduled: Thursday, November 3, 2016 from 7:00 – 8:00pm in Sweeney F

One Line Summary

Linux can enforce signature checking on all files and make sure only trusted software can be executed, but this requires that the file signatures be packaged, distributed, and installed together with the files. This BoF aims to bring together people working on package management systems to discuss the different methods of including file signatures in software packages.


The Integrity Measurement Architecture (IMA), which can be configured to enforce signature checking on all files, can be leveraged to allow access to only unmodified software, installed from trusted sources. To achieve this goal on Linux will require distros and other software providers to sign not only their software packages, but the individual files included in these packages.

The purpose of this BoF is to bring together people working on package management systems of distros, to work out the issues preventing the adoption of file signature enforcement. Some issues we need to discuss are:
- How should the signing keys be distributed?
- What level of signing key granularity (e.g. per repo, per package, per package version) is needed.
— For example, if we can sign each version of each software with a different key, then we can revoke the certificate for a vulnerable version after a security update. This would prevent the execution of the vulnerable version, and the version rollback attack.
- How do we revoke certificates?
- How would the user manage the keys in the IMA keyring?


file signatures, ima-appraisal, distro package managers