Re: [Linux-ima-user] Tried to sign files and read with getfattr (unsuccessfully)

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi,


On 23 January 2015 at 07:04, Curtis Veit <cr...@so...> wrote:

> Thanks for the help Mimi, Sorry about all the questions and issues.
> Hoping someone on the list might have an idea about what I'm doing wrong.
>
> I have found that something is going wrong when I attempt to sign files.
> I have tried the following on three systems.
> - Unbuntu 14.04 development system.
> - Ubuntu 14.04 server target system (pretty much bare bones)
> - Ubuntu 14.10 server (To try the Ubuntu compiled evmctl 0.8 from
>   ima-evm-utils deb)
> On the 14.04 systems I compiled the 0.9 version of ima-evm-utilities.
>
> I followed the instructions (all excpt TPM) for making keys and certs in
> the evmctl(1) document. There are a number of methods shown and honestly
> I am not sure which is best. (recommendations?) I have tried using several
> of the resulting keys for signing but would prefer to use "trusted"
>  keys signed as shown in the last section before the signing examples.
>
> I tried the following commands on a short text file and examined the result
> with "getfattr -e hex test.txt"
> "evmctl sign --imahash test.txt"
> "evmctl sign --rsa --imahash test.txt"
> "evmctl sign --imasig test.txt"
> "evmctl sign --rsa --imasig test.txt"
> "evmctl ima_sign test.txt"
> "evmctl ima_sign --rsa test.txt"
>
> In all cases the result shown by "getfattr -e hex test.txt" is blank.
> I was able to set and read xattrs with getfattr and also was able to
> use -f to create a .sig file containing a signature.
>
>
By default getfattr does not read "security" attributes.
Use -m option

getfattr -h -e hex -d -m security foo

- Dmitry


> Any ideas about why I am not getting xattrs signatures when using evnctl?
>
> Thanks and best regards!
>
>
> ------------------------------------------------------------------------------
> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
> GigeNET is offering a free month of service with a new server in Ashburn.
> Choose from 2 high performing configs, both with 100TB of bandwidth.
> Higher redundancy.Lower latency.Increased capacity.Completely compliant.
> http://p.sf.net/sfu/gigenet
> _______________________________________________
> Linux-ima-user mailing list
> Lin...@li...
> https://lists.sourceforge.net/lists/listinfo/linux-ima-user
>


-- 
Thanks,
Dmitry