The IMA signature verification keys from the fedora-gpg-keys-39-0.5.noarch package are missing the Subject Key Identifier that is necessary to be able to load them onto the .IMA keyring.

$ openssl x509 -inform der -in /etc/keys/ima/fedora-39-ima.der -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 42 (0x2a)
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: CN = Fedora 39 IMA CA
        Validity
            Not Before: Feb 18 18:04:16 2023 GMT
            Not After : Feb 18 18:04:16 2053 GMT
        Subject: CN = Fedora 39 IMA Key
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:f5:41:95:b8:67:f0:bc:fd:3c:b0:f4:2e:aa:72:
                    49:af:63:83:16:53:74:89:a9:db:16:f2:31:eb:3e:
                    2f:dd:4c:9e:d5:85:2a:3e:61:47:ce:87:7b:d9:0d:
                    f3:b2:a9:84:fb:ac:a3:a5:9d:44:f0:cb:7f:8a:2e:
                    6a:b4:9a:35:d1
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                A7:14:3E:CB:64:D0:C4:CA:F3:9D:0C:7D:C4:38:45:46:D8:53:FF:52
            Netscape Comment:
                IMA signature verification key
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
        30:65:02:31:00:b2:40:cf:6e:21:9b:82:ee:3f:d7:85:78:0c:
        82:18:a8:d6:76:aa:c1:20:08:76:11:ce:e4:52:99:00:2e:ab:
        df:64:76:61:3f:fa:a1:86:a0:31:28:43:8e:ea:fe:ba:66:02:
        30:60:e6:cb:75:69:97:4c:63:76:24:64:4b:63:a2:b0:71:4a:
        29:ad:70:04:09:36:06:5f:d1:e3:1a:ab:f6:ff:bc:6b:b7:b8:
        42:4b:0a:a3:a4:8a:f6:f5:75:ce:8b:69:af

The Subject Key Identifier's last 4 digits will have to be 0x388b603e so that the key can be used to verify the signature of 'bash':

$ getfattr -m ^security.ima -e hex --dump /usr/bin/bash
getfattr: Removing leading '/' from absolute path names
# file: usr/bin/bash
security.ima=0x030204388b603e0048304602210090a328b99a8e65cbea51660b5824a548955ddc491aa68982e4389f30960d1a9b022100e9a034b9203793b66e205a76c92c2aa137b9819fb7763f6fe1fbcb72352e9f8f

The 4th-7th digit of security.ima is '0x388b603e'.
Once the key has the Subject Key Identifier, the following should then work if the key's CA has been built into the Linux kernel:

[root@fedora ~]# keyctl padd asymmetric "" %keyring:.ima < /etc/keys/ima/fedora-39-ima.der
add_key: Required key not available

Reproducible: Always

Steps to Reproduce:
1. openssl x509 -inform der -in /etc/keys/ima/fedora-39-ima.der -text

Actual Results:
No Subject Key Identifier displayed

Expected Results:
Subject Key Identifier should be there
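As an added example (not part of the bug report or of any Fedora tooling), the Python below decodes the security.ima value reported for /usr/bin/bash according to the kernel's signature_v2_hdr layout and checks whether a certificate's Subject Key Identifier would satisfy the kernel's "id:<keyid>" lookup, which matches the trailing 4 bytes of the SKID. PLACEHOLDER_SKID is a constructed value, since the shipped fedora-39-ima.der carries no SKID.

```python
import struct

# Kernel xattr layout (struct signature_v2_hdr in security/integrity/integrity.h):
#   u8 type; u8 version; u8 hash_algo; __be32 keyid; __be16 sig_size; u8 sig[];
EVM_IMA_XATTR_DIGSIG = 0x03
HASH_ALGOS = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}  # enum hash_algo subset

# The security.ima value reported for /usr/bin/bash in the bug above (page data).
BASH_SECURITY_IMA = (
    "0x030204388b603e0048304602210090a328b99a8e65cbea51660b5824a548955ddc491a"
    "a68982e4389f30960d1a9b022100e9a034b9203793b66e205a76c92c2aa137b9819fb7763f"
    "6fe1fbcb72352e9f8f"
)
# Constructed placeholder SKID whose last 4 bytes equal the keyid above; the real
# fedora-39-ima.der has no SKID extension at all, which is the bug.
PLACEHOLDER_SKID = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:38:8B:60:3E"


def parse_ima_sig(xattr_hex: str) -> dict:
    """Decode an EVM_IMA_XATTR_DIGSIG v2 value as the kernel would see it."""
    raw = bytes.fromhex(xattr_hex[2:] if xattr_hex.startswith("0x") else xattr_hex)
    if len(raw) < 9:
        raise ValueError("value shorter than signature_v2_hdr")
    xtype, version, hash_algo, keyid, sig_size = struct.unpack(">BBBIH", raw[:9])
    if xtype != EVM_IMA_XATTR_DIGSIG or version != 2:
        raise ValueError(f"not a v2 IMA signature (type={xtype:#x}, version={version})")
    sig = raw[9:]
    if len(sig) != sig_size:  # truncated or padded xattr: reject instead of verifying
        raise ValueError(f"sig_size {sig_size} does not match {len(sig)} payload bytes")
    return {
        "hash_algo": HASH_ALGOS.get(hash_algo, f"unknown({hash_algo})"),
        "keyid": f"{keyid:08x}",
        "sig_size": sig_size,
        "sig": sig,
    }


def keyid_matches_skid(keyid_hex: str, skid_hex: str) -> bool:
    """IMA looks the signer up as 'id:<keyid>', a partial match on the trailing
    bytes of the key's identifier, i.e. the last 4 bytes of the cert's SKID."""
    skid = bytes.fromhex(skid_hex.replace(":", ""))
    return skid[-4:] == bytes.fromhex(keyid_hex)


if __name__ == "__main__":
    hdr = parse_ima_sig(BASH_SECURITY_IMA)
    print(f"hash={hdr['hash_algo']} keyid={hdr['keyid']} sig_size={hdr['sig_size']}")
    print("placeholder SKID matches:", keyid_matches_skid(hdr["keyid"], PLACEHOLDER_SKID))
```

Feeding the certificate's Authority Key Identifier from the dump above into keyid_matches_skid returns False, which is the point: only the subject's own SKID can carry the id the signature names.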
Fedora Linux 39 entered end-of-life (EOL) status on 2024-11-26. Fedora Linux 39 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora Linux please feel free to reopen this bug against that version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see the version field. If you are unable to reopen this bug, please file a new report against an active release. Thank you for reporting this bug and we are sorry it could not be fixed.