Bug 2231396

Summary: Some RPM packages do not seem to carry IMA file signatures
Product: [Fedora] Fedora
Reporter: Stefan Berger <stefanb>
Component: distribution
Assignee: Aoife Moloney <amoloney>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 38
CC: ansasaki, kevin, scorreia
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Last Closed: 2023-08-14 16:17:59 UTC

Description Stefan Berger 2023-08-11 13:36:38 UTC
Some packages in Fedora 38 don't seem to carry IMA file signatures.

With the rpm-plugin-ima installed on my system I get file signatures installed for most files but not all of them. Some packages I found without IMA file signatures are:

jq-1.6-15.fc38.x86_64.rpm
gpgme-1.17.1-3.fc38.x86_64
uresourced-0.5.3-2.fc37.x86_64    ; F37 package that should be rebuilt
guile-2.0.14-30.fc38.x86_64
fcoe-utils-1.0.34-3.gitb233050.fc37.x86_64  ; F37 package ...



Reproducible: Always

Steps to Reproduce:
1. dnf -y install rpm-plugin-ima
2. dnf -y install jq
3. getfattr -m ^sec -e hex --dump /usr/bin/jq

The last command returns nothing for security.ima


Actual Results:  
# getfattr -m ^security -e hex --dump /usr/bin/jq
getfattr: Removing leading '/' from absolute path names
# file: usr/bin/jq
security.selinux=0x73797374656d5f753a6f626a6563745f723a62696e5f743a733000


Expected Results:  
There should be a security.ima xattr.

Another way to find unsigned files:

getfattr -m ^security -e hex --dump /usr/*bin/* | grep -v security.selinux | less
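
The grep pipeline in the description leaves the reader to spot file headers that have no security.ima line under them. The following added example (not part of the original report) groups the getfattr dump per file and also distinguishes a real signature from a hash-only security.ima value; the function names, the sample dump and the type-byte mapping (taken from the kernel's enum evm_ima_xattr_type, not from this page) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the bug report). Classifies each file in
# `getfattr -m ^security -e hex --dump` output by its security.ima xattr.
# Assumption: type bytes follow the kernel's enum evm_ima_xattr_type.

# Reads a getfattr dump on stdin, prints "<state> <path>" per file:
#   signed     first byte 0x03 (EVM_IMA_XATTR_DIGSIG)
#   hash-only  first byte 0x01 or 0x04 (digest only, no signature)
#   other      security.ima present with a different type byte
#   missing    no security.ima xattr
classify_ima_dump() {
    awk '
        function emit() { if (path != "") print state, path }
        /^# file: / { emit(); path = substr($0, 9); state = "missing"; next }
        /^security\.ima=0x/ {
            t = substr($0, 16, 2)
            if (t == "03") state = "signed"
            else if (t == "01" || t == "04") state = "hash-only"
            else state = "other"
        }
        END { emit() }
    '
}

# Prints only the paths that do not carry an IMA signature.
unsigned_files() {
    classify_ima_dump | awk '$1 != "signed" { print substr($0, length($1) + 2) }'
}

# Constructed sample dump. The jq entry mirrors the report; the other two
# files and their xattr values are made up and are not valid signatures.
SAMPLE_DUMP='# file: usr/bin/jq
security.selinux=0x73797374656d5f753a6f626a6563745f723a62696e5f743a733000

# file: usr/bin/example-signed
security.ima=0x030204aabbccdd00040a0b0c0d
security.selinux=0x73797374656d5f753a6f626a6563745f723a62696e5f743a733000

# file: usr/bin/example-hashed
security.ima=0x040400112233
security.selinux=0x73797374656d5f753a6f626a6563745f723a62696e5f743a733000'

printf '%s\n' "$SAMPLE_DUMP" | classify_ima_dump
# On a live system:
#   getfattr -m ^security -e hex --dump /usr/*bin/* 2>/dev/null | unsigned_files
```

A hash-only value can be written locally by the kernel (for example in IMA fix mode), so the mere presence of security.ima does not show that the package shipped a signature.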

Comment 1 Stefan Berger 2023-08-14 16:17:59 UTC
Upgraded to F39 and it looks better there now.