From: "rgoldber at redhat dot com"
To: elfutils-devel@sourceware.org
Subject: [Bug debuginfod/28204] extend webapi / verification with forthcoming signed-contents archives
Date: Thu, 06 Jul 2023 19:49:13 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=28204

Ryan Goldberg changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #10 from Ryan Goldberg ---
Hi, it has been quite the journey, but the latest draft of this patch is ready for review.
It is sitting on the try-branch users/rgoldber/try-bz28204c (figured it was big enough that just looking at a patch might be hard to follow).

Since the last review the major changes are as follows:

* I added a --koji-sigcache flag to the server which will enable koji-specific mappings of rpm paths to get IMA signatures.

* DEBUGINFOD_IMA_CERT_PATH can now include paths to dirs containing PEM and DER encoded certificates, and will be traversed looking for the first cert which has a skid matching the signature which we need to validate.

* The verification certificates for RHEL and CentOS have been finalized and we have a green light to distribute copies of them alongside our source (since they have not been formally published to a known location yet). They are in debuginfod/ima-certs and will be installed to $(sysconfdir)/debuginfod/ima-certs. DEBUGINFOD_IMA_CERT_PATH will by default include this path. This dir also has copies of the current fedora verification certs (which are already public but not yet backported to f38 [fedora-repos commit 93b2c8a]).
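The certificate lookup described in the DEBUGINFOD_IMA_CERT_PATH item, as an added Python sketch that is not part of the original message and not elfutils code. It assumes the signature starts with the Linux kernel's signature_v2_hdr layout and that "matching" means the last four SKID bytes equal the header's keyid; all function names are hypothetical.

```python
import base64, os, re, tempfile
from pathlib import Path

SKID_OID = bytes.fromhex("0603551d0e")  # DER bytes of OID 2.5.29.14, subjectKeyIdentifier
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def sig_keyid(sig):
    """keyid from a signature_v2_hdr: type(1) version(1) hash_algo(1) keyid(4) sig_size(2)."""
    if len(sig) < 9 or sig[0] != 0x03 or sig[1] != 2:
        raise ValueError("not an IMA v2 digital signature")
    return sig[3:7]

def load_der(path):
    """Read a certificate file and return DER bytes, decoding PEM armor if present."""
    data = Path(path).read_bytes()
    m = PEM_RE.search(data)
    return base64.b64decode(m.group(1)) if m else data

def extract_skid(der):
    """Return the SKID value or None. Simplification: finds the extension by its OID
    bytes and assumes short-form lengths instead of walking the whole ASN.1 tree."""
    i = der.find(SKID_OID)
    hdr = der[i + 5:i + 9]  # OCTET STRING extnValue wrapping the OCTET STRING KeyIdentifier
    if i < 0 or len(hdr) < 4 or hdr[0] != 4 or hdr[2] != 4:
        return None
    skid = der[i + 9:i + 9 + hdr[3]]
    return skid if len(skid) == hdr[3] else None

def find_cert(cert_path, sig):
    """Return the first file on the colon-separated path whose SKID matches the signature."""
    keyid = sig_keyid(sig)
    for entry in cert_path.split(":"):
        files = [entry]
        if os.path.isdir(entry):  # directories are traversed in a fixed (sorted) order
            files = [os.path.join(r, f) for r, _, fs in sorted(os.walk(entry)) for f in sorted(fs)]
        for path in files:
            if os.path.isfile(path):
                skid = extract_skid(load_der(path))
                if skid and skid[-4:] == keyid:  # assumed match rule: SKID tail == keyid
                    return path
    return None

def demo():
    """Constructed input: DER fragments holding only a SKID extension stand in for certificates."""
    frag = lambda skid: SKID_OID + bytes([4, len(skid) + 2, 4, len(skid)]) + skid
    sig = bytes.fromhex("030204" "a1b2c3d4" "0000")  # constructed header, empty signature body
    with tempfile.TemporaryDirectory() as d:
        Path(d, "a.der").write_bytes(frag(bytes.fromhex("1111111122222222")))
        pem = base64.encodebytes(frag(bytes.fromhex("99999999a1b2c3d4")))
        Path(d, "b.pem").write_bytes(b"-----BEGIN CERTIFICATE-----\n" + pem + b"-----END CERTIFICATE-----\n")
        return os.path.basename(find_cert("/nonexistent:" + d, sig) or "")
```

A lookup that returns None means no certificate on the path carries the key identifier named in the signature, which a verifier should treat as "cannot validate" and not as a pass.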