Fedora 36 May Support FS-VERITY Integrity/Authenticity Verification For RPMs

Fedora 36 may support using the Linux kernel's fs-verity code for allowing some interesting integrity and authenticity use-cases around RPM packages.

The Linux kernel's fs-verity module provides authenticity protection for read-only files for transparently verifying their integrity and authenticity when those files are on supported file-systems. FS-VERITY allows bulding a Merkle tree for a given file and that to persist with the file and later on the file can then be verified against that Merkle tree. This can allow for detecting corrupted files whether accidental or intentional of malicious nature, auditing of files, and other similar security use-cases.

A set of Facebook engineers are leading the charge to enable using fs-verity for validation of installed RPM files. The change would be transparent to users and only if installing the fs-verity RPM plug-in would the additional verification features be active.

This change proposal lays out the Facebook/Meta-led hopes for the fs-verity RPM support in next spring's Fedora 36 release. The change still needs to be evaluated by the Fedora Engineering and Steering Committee.

The change is interesting from the security perspective but there are some costs involved when it comes to the Merkle tree generation, signature overhead, etc, so we'll see if approved by FESCo and if so what sort of uptake it gets in Fedora 36.

Fedora 36 is expected for release by the end of April.