Fedora 34 Looks To Sign Individual Files Within RPMs

Yet another big change being eyed for Fedora 34 is to sign individual files within shipped RPM packages. The signatures will use the Linux Integrity Measurement Architecture (IMA) and in turn can be used to enforce run-time policies around only allowing the execution of trusted files.

The proposal laid out this week is to sign all files within Fedora RPMs with IMA signatures. The signatures will be made using a key held by the Fedora Infrastructure team.

By leveraging the Linux Integrity Measurement Architecture, IMA policies can be created by interested users/administrators such as only allowing "trusted" (signed) executables to be run on the system or other similar security policies.

More details on this plan for signing the contents on Fedora RPMs beginning with Fedora 34 can be found via the Fedora Project Wiki. The Fedora Engineering and Steering Committee still needs to review this proposal and as it's considered a late system-wide change does risk potentially being punted to Fedora 35 later this year, but in any case it looks like this year Fedora could be better supporting IMA for increased system security.