Add note / section about creating the .der file for ima and adding it to fedora-repos
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
parent cd23af3f9b
commit 9cf24d89f9
1 changed file with 6 additions and 2 deletions
|
@ -144,8 +144,12 @@ $ sigul -v -v sign-certificate fedorasigulca fedora-41-ima --issuer-certificate-
|
|||
|
||||
NOTE: Change the name from `41/fourtyone` to the appropriate release version.
|
||||
|
||||
We need to find the best way to get the certificate to the kernel maintainers. It is recommended to ask them directly. Additionally, we need to add it to `fedora-repos` like the other keys.
|
||||
This .pem file then needs to be converted to a 'der' file (which is what IMA natively uses):
|
||||
|
||||
openssl x509 -inform PEM -in fedora-44-ima.pem -outform DER -out fedora-44-ima.der
|
||||
|
||||
The .der file should be added to fedora-repos package and the kernel should trust it
|
||||
because it's signed by our CA.
|
||||
|
||||
=== fedora-repos
|
||||
|
||||
|
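Review bot: The conversion command in the added text names `fedora-44-ima.pem` and `fedora-44-ima.der`, while the sigul command in the hunk header uses `fedora-41-ima` and the NOTE above it refers to `41/fourtyone`. A reader following the section top to bottom will end up with a 41-named .pem and a command that expects a 44-named one. Use the same release in both places, or extend the NOTE so it explicitly covers the openssl command as well. "This .pem file" also has no clear antecedent, since the preceding paragraph is about getting the certificate to the kernel maintainers; name the file and the step that produced it. Finally, "the kernel should trust it because it's signed by our CA" is stated without a check. Consider adding a verification step before the file goes into fedora-repos, for example `openssl x509 -inform DER -in fedora-44-ima.der -noout -subject -issuer`, so the person doing the release confirms the issuer is the expected CA.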
@ -477,4 +481,4 @@ Verify that ``/etc/koji-gc/koji-gc.conf`` has the new key in it.
|
|||
|
||||
== Consider Before Running
|
||||
|
||||
Nothing at this time.
|
||||
Nothing at this time.
|
||||
|
|
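Review bot: The last line of this hunk, "Nothing at this time.", appears as both the old and the new text with the line count unchanged (4 before, 4 after), so this looks like a whitespace or end-of-file newline change that is unrelated to the IMA note. Either drop it from this commit or mention it in the commit message, so the history for this section is not attributed to the .der change.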