Bug 2076296

Summary: Signed RPM Contents
Product: [Fedora] Fedora
Reporter: Ben Cotton <bcotton>
Component: Changes Tracking
Assignee: Peter Robinson <pbrobinson>
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Version: 37
CC: bcotton, coxu, pbrobinson, puiterwijk
Last Closed: 2022-11-15 16:22:28 UTC
Bug Blocks: 2016049    

Description Ben Cotton 2022-04-18 15:27:29 UTC
This is a tracking bug for Change: Signed RPM Contents
For more details, see: https://fedoraproject.org/wiki/Changes/Signed_RPM_Contents

We want to add signatures to individual files that are part of shipped RPMs.

If you encounter a bug related to this Change, please do not comment here. Instead create a new bug and set it to block this bug.

Comment 1 Ben Cotton 2022-07-19 15:24:56 UTC
The proposal for this Change indicated a contingency deadline of "mass rebuild", which is scheduled to begin tomorrow. Is this Change ready or does it need to be deferred to F38?

Comment 2 Peter Robinson 2022-07-24 13:19:11 UTC
This is in place.

Comment 3 Ben Cotton 2022-11-15 16:22:28 UTC
F37 was released today, so I am closing this tracker. If this Change was not completed, please notify me ASAP.

Comment 4 Coiby 2022-12-05 08:29:37 UTC
This change isn't complete. After installing rpm-plugin-ima and reinstalling bash on Fedora-Cloud-Base-37-1.7.x86_64.qcow2, I don't see a security.ima extended attribute. 

```
[root@ibm-p8-kvm-03-guest-02 ~]# dnf install attr rpm-plugin-ima -y

[root@ibm-p8-kvm-03-guest-02 ~]# getfattr -m - -d /bin/bash
getfattr: Removing leading '/' from absolute path names
# file: bin/bash
security.selinux="system_u:object_r:shell_exec_t:s0"

[root@ibm-p8-kvm-03-guest-02 ~]# dnf reinstall bash -y

[root@ibm-p8-kvm-03-guest-02 ~]# getfattr -m - -d /bin/bash
getfattr: Removing leading '/' from absolute path names
# file: bin/bash
security.selinux="system_u:object_r:shell_exec_t:s0"
```

Comment 5 Peter Robinson 2023-06-07 12:07:51 UTC
(In reply to Coiby from comment #4)
> This change isn't complete. After installing rpm-plugin-ima and reinstalling
> bash on Fedora-Cloud-Base-37-1.7.x86_64.qcow2, I don't see a security.ima
> extended attribute. 

We had a bug in F-37 where it wrote it to the wrong location; that is fixed in F-38.
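
An added example, not part of the bug report and not code from rpm or rpm-plugin-ima: a shell check that extends the `getfattr` test from comment 4 by comparing it with the per-file signatures stored in the RPM header (rpm's `%{FILESIGNATURES}` query tag), so that "package carries no file signatures" can be told apart from "signature present in the header but no `security.ima` xattr on disk". The function names are this example's own, and it checks only that the xattr is present, not that the signature verifies.

```shell
#!/bin/sh
# Added example (not from the bug report): for each file of a package, compare
# the per-file signature in the RPM header with the security.ima xattr on disk.

TAB=$(printf '\t')

# True if the file carries a security.ima extended attribute.
has_ima_xattr() {
    getfattr -n security.ima --absolute-names "$1" >/dev/null 2>&1
}

# Emit "path<TAB>hex-signature" per file; the signature field is empty (or
# "(none)") when the header holds no signature for that file.
header_signatures() {
    rpm -q --qf '[%{FILENAMES}\t%{FILESIGNATURES}\n]' "$1"
}

# Read header_signatures output on stdin; list signed files that lack the
# xattr and finish with a one-line summary.
audit_ima() {
    signed=0 missing=0 unsigned=0
    while IFS="$TAB" read -r path sig; do
        [ -n "$path" ] || continue
        case "$sig" in
            ''|'(none)') unsigned=$((unsigned + 1)); continue ;;
        esac
        signed=$((signed + 1))
        if ! has_ima_xattr "$path"; then
            missing=$((missing + 1))
            printf 'MISSING %s\n' "$path"
        fi
    done
    printf 'signed=%d missing=%d unsigned=%d\n' "$signed" "$missing" "$unsigned"
}

# Run against an installed package when one is named: sh ima-audit.sh bash
if [ $# -gt 0 ]; then
    header_signatures "$1" | audit_ima
fi
```

A result with `signed` above zero and every signed file listed as `MISSING` matches the symptom reported in comment 4; `signed=0` means the installed package's header holds no file signatures at all.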