Package: ima-evm-utils
Version: 1.1-1+b1
Severity: normal
Dear Maintainer,
EVM signatures can be created with the option '--portable | -o' to get
rid of the hashing of i_version and fsuuid.
When files should be verified after a signing with '--portable' on the
host, the tooling returns with "Verification failed" unless
the signing itself is correct.
The cause for this issue is a missing implementation for the probing
and verification of portable signatures.
A patch for this issue is already available in the official git source
of the ima-evm-utils tooling:
https://git.code.sf.net/p/linux-ima/ima-evm-utils
f4b901d081ec ("Add support for verifying portable EVM signatures")
The wrong checking of the signature format results in a false-positive
error.
Note that this bug also affects version 1.3.2-2.1 provided
by Debian/SID https://packages.debian.org/sid/ima-evm-utils.
The official release 1.4 of the ima-evm-utils contains these fixes.
Please update the package version near-term.
Note:
ima-evm-utils were installed on my host manually since Debian Buster
does not provide a mainline ima-evm-utils version.
Thanks,
Steffen
The mentioned version above
-- System Information:
Debian Release: 10.11
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf, arm64
Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages ima-evm-utils depends on:
ii attr 1:2.4.48-4
ii keyutils 1.6-6
ii libc6 2.28-10
ii libimaevm0 1.1-1+b1
ii libkeyutils1 1.6-6
ii libssl1.1 1.1.1d-0+deb10u7
ima-evm-utils recommends no packages.
ima-evm-utils suggests no packages.
-- no debconf information
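
The probing step the report refers to, as an added example that is not part of the original report and not code from ima-evm-utils. It assumes the kernel's `enum evm_ima_xattr_type` values for the leading byte of `security.evm` and the packed `signature_v2_hdr` layout; the function names, result codes and sample bytes are constructed for illustration, and `legacy_accepts` only models a verifier that knows the non-portable type.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Leading type byte of security.evm (assumed from the kernel's enum evm_ima_xattr_type). */
enum { EVM_XATTR_HMAC = 0x02, EVM_IMA_XATTR_DIGSIG = 0x03,
       EVM_XATTR_PORTABLE_DIGSIG = 0x05 };

/* Result codes of this example (hypothetical names). */
enum evm_kind { EVM_BAD = -1, EVM_HMAC, EVM_SIG, EVM_SIG_PORTABLE };

/* signature_v2_hdr: version, hash_algo, keyid (4 bytes), sig_size (2 bytes, big endian). */
#define SIG_V2_HDR_LEN 8

/* Classify a raw security.evm value and sanity-check the signature header. */
enum evm_kind evm_probe(const uint8_t *x, size_t len)
{
    if (len < 1)
        return EVM_BAD;
    if (x[0] == EVM_XATTR_HMAC)
        return EVM_HMAC;
    if (x[0] != EVM_IMA_XATTR_DIGSIG && x[0] != EVM_XATTR_PORTABLE_DIGSIG)
        return EVM_BAD;
    /* Layout: type byte, header, signature. Header version must be 2. */
    if (len < 1 + SIG_V2_HDR_LEN || x[1] != 2)
        return EVM_BAD;
    size_t sig_size = ((size_t)x[7] << 8) | x[8];
    if (len != 1 + SIG_V2_HDR_LEN + sig_size)
        return EVM_BAD; /* declared size disagrees with the xattr length */
    return x[0] == EVM_XATTR_PORTABLE_DIGSIG ? EVM_SIG_PORTABLE : EVM_SIG;
}

/* Model of a verifier that only knows type 0x03: it rejects a well-formed
 * portable signature, which is the failure mode the report describes. */
int legacy_accepts(const uint8_t *x, size_t len)
{
    return evm_probe(x, len) == EVM_SIG;
}

/* Constructed sample: type 0x05, v2 header (sig_size = 4), 4 dummy signature bytes. */
static const uint8_t sample_portable[] = {
    0x05, 0x02, 0x04, 0xde, 0xad, 0xbe, 0xef, 0x00, 0x04, 1, 2, 3, 4 };

int main(void)
{
    printf("kind=%d legacy_accepts=%d\n",
           evm_probe(sample_portable, sizeof sample_portable),
           legacy_accepts(sample_portable, sizeof sample_portable));
    return 0;
}
```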