[debhelper-devel] [RFC PATCH v1 0/3] Including file signatures in .deb packages

[Mimi Zohar]

File signatures are used to enforce local file integrity and to provide
file provenance. IMA-appraisal with digital signature support, which
enforces local file integrity based on file signatures, was upstreamed
in Linux-3.7.  The "ima-sig" measurement list template, which includes
file signatures in the measurement list, was upstreamed in Linux-3.13.

This patch set adds debhelper support for adding file signatures to .deb
packages and for installing those signatures as 'security.ima' extended
attributes at package install time.  The existing md5sums file contains
the file hash and name for each file included in the package, making it
the most logical place for storing file signatures.  This patch set
extends the dh_md5sums debhelper to support additional, larger digests
and renames the debhelper to dh_checksums.

Depending on the relationship of the build and signing server, the
signatures could either be included in the checksums files during the
package build process or post build.  Included in this patch set is a
sample script that opens the package, extracts the checksums file,
includes the file signatures, and inserts the modified checksums file
with the file signatures in the deb package.

To install the file signatures as 'security.ima' extended attributes,
this patch set defines the dh_installfile-sigs debhelper and the
postinst-file-sigs autoscript.  Although the checksums file should
contain signatures for all files, the autoscript currently installs
only the signatures for ELF files and scripts, making them "immutable"
on systems with IMA-appraisal enabled and configured in enforcing mode.

Changelog v1:
- Extend dh_md5sums debhelper to support larger digests, renaming it to
dh_checksums.

Mimi Zohar (3):
  Define a new debhelper dh_installfile-sigs and postinst autoscript
  Replace dh_md5sums debhelper with dh_checksums
  Include sample script named ima-signhashes.sh

 autoscripts/postinst-file-sigs |  30 +++++++++++
 dh                             |   3 +-
 dh_checksums                   | 118 +++++++++++++++++++++++++++++++++++++++++
 dh_installfile-sigs            |  46 ++++++++++++++++
 dh_md5sums                     | 100 ----------------------------------
 examples/ima-signhashes.sh     |  87 ++++++++++++++++++++++++++++++
 man/po4a/po4a.cfg              |   2 +-
 7 files changed, 284 insertions(+), 102 deletions(-)
 create mode 100644 autoscripts/postinst-file-sigs
 create mode 100755 dh_checksums
 create mode 100755 dh_installfile-sigs
 delete mode 100755 dh_md5sums
 create mode 100755 examples/ima-signhashes.sh

-- 
1.8.1.4