From 9cf24d89f94132e837903b9e5777ed6093e59a10 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 13 Mar 2025 15:51:38 -0700 Subject: [PATCH] Add note / section about creating the .der file for ima and adding it to fedora-repos Signed-off-by: Kevin Fenzi --- .../release_guide/pages/create_release_signing_key.adoc | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/modules/release_guide/pages/create_release_signing_key.adoc b/modules/release_guide/pages/create_release_signing_key.adoc index abf6dc7..ad3ba1c 100644 --- a/modules/release_guide/pages/create_release_signing_key.adoc +++ b/modules/release_guide/pages/create_release_signing_key.adoc @@ -144,8 +144,12 @@ $ sigul -v -v sign-certificate fedorasigulca fedora-41-ima --issuer-certificate- NOTE: Change the name from `41/fourtyone` to the appropriate release version. -We need to find the best way to get the certificate to the kernel maintainers. It is recommended to ask them directly. Additionally, we need to add it to `fedora-repos` like the other keys. +This .pem file then needs to be converted to a 'der' file (which is what IMA natively uses): +openssl x509 -inform PEM -in fedora-44-ima.pem -outform DER -out fedora-44-ima.der + +The .der file should be added to fedora-repos package and the kernel should trust it +because it's signed by our CA. === fedora-repos @@ -477,4 +481,4 @@ Verify that ``/etc/koji-gc/koji-gc.conf`` has the new key in it. == Consider Before Running -Nothing at this time. \ No newline at end of file +Nothing at this time.
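Review bot: In the hunk at line 144, the added openssl command uses `fedora-44-ima.pem` and `fedora-44-ima.der`, while the sigul command in the context just above signs `fedora-41-ima` and the NOTE tells the reader to change the name from `41/fourtyone`. Someone following the steps in order will not have a `fedora-44-ima.pem` file, so use the same release number in both commands, or move the NOTE below the openssl line so it covers both. The openssl line also lacks the `$ ` prompt that the sigul command carries; if it is not inside a listing block it will render as running paragraph text, so give it the same formatting as the other commands. Since the new text says the kernel should trust the certificate because it is signed by the CA, consider documenting a quick check before the file goes into fedora-repos, for example `openssl x509 -inform DER -in fedora-44-ima.der -noout -subject -issuer`, so the person doing the release confirms the issuer and catches a wrong or truncated file. Minor wording: "added to fedora-repos package" should read "added to the fedora-repos package".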