Fedora 37 Looks To Begin Signing RPM Contents For Greater Trust

With Fedora 36 working its way towards release later this month, more developer attention and planning is turning to Fedora 37 that will be released this autumn. One of the changes being talked about this week is for signing RPM contents for a means of trusting the files that are executed.

The Fedora 37 change proposal is for adding IMA-based signatures to the individual files that are part of shipped RPM packages. This will allow for enforcing run-time policies by system administrators to ensure the execution of only trusted files or similar policies.

Fedora 36 is shipping in a few weeks while already there is feature talk around Fedora 37 for release towards the end of the year.

Files within RPMs would be signed with IMA signatures using a key that's maintained by the Fedora infrastructure team and installed on the sign vaults. These signatures could be used with the Integrity Measurement Architecture of the Linux kernel to allow execution based on policy. This wouldn't by default prevent users from executing non-official binaries/packages or the like but all the pieces would be there for system administrators wanting to enforce such policy. In other words, no restrictions would be put in place for the "average Fedora user."

The downside of this RPM signing is a slight increase to the size of the signed RPMs (about 1% larger) while the size of the RPM database can increase by about 20% based on tests.

Those interested in Fedora's RPM signing plans for F37 can see this change proposal for all the details on this likely security feature coming to Fedora Linux in the latter half of the year.