
Just strip the signature before comparing the rebuilt artifacts?


Posted Mar 7, 2025 22:59 UTC (Fri) by bluca (subscriber, #118303)
In reply to: Just strip the signature before comparing the rebuilt artifacts? by Cyberax
Parent article: Hash-based module integrity checking

Right, so that instead of having some packages that are not independently reproducible and need to have exceptions applied, you have some packages that are not independently reproducible and need to have exceptions applied. Great success!



Just strip the signature before comparing the rebuilt artifacts?

Posted Mar 8, 2025 0:33 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link] (5 responses)

> Right, so that instead of having some packages that are not independently reproducible

A small subset of packages with signature files won't be reproducible (by design). These packages can be audited to not have anything but signature data, while large packages like the kernel can be completely bit-for-bit reproducible.

And yes, it's strictly better than the status quo.

It can even be done in a flexible way, something like a `/usr/lib/share/signtab` directory with files containing hash-to-signature mappings.

Just strip the signature before comparing the rebuilt artifacts?

Posted Mar 8, 2025 0:44 UTC (Sat) by bluca (subscriber, #118303) [Link] (4 responses)

> And yes, it's strictly better than the status quo.

No, it really is not - it's made-up nonsense that fails to solve a problem that doesn't exist while at the same time making everything worse on all aspects. But nice try.

Just strip the signature before comparing the rebuilt artifacts?

Posted Mar 8, 2025 0:48 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link] (3 responses)

I understand why systemd is such a mess now...

First, not _everyone_ needs or wants the kernel signatures. I don't need them, I have enrolled my own keys into the Secure Boot. But I for sure want to have a guarantee that my kernel was indeed built from the supplied sources. Ideally integrated into the package management system.

In my scenario, I just won't bother installing the non-reproducible signature packages. They can even be put into a separate package repository, actually (like it's done with non-free right now).

Just strip the signature before comparing the rebuilt artifacts?

Posted Mar 9, 2025 20:03 UTC (Sun) by k3ninho (subscriber, #50375) [Link] (2 responses)

I'm happier with a VM on a hyperscaler hosting platform that's able to chain together integrity measurements and for systemd to enable the chain.

K3n.

Just strip the signature before comparing the rebuilt artifacts?

Posted Mar 10, 2025 8:28 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

Which hyperscaler? AWS doesn't support TPM measurements.

Just strip the signature before comparing the rebuilt artifacts?

Posted Mar 12, 2025 13:45 UTC (Wed) by surajm (subscriber, #135863) [Link]

AWS supports it on bare metal VMs. Google Cloud and Azure support it on normal VMs.

