On Sun, Jun 13, 2010 at 03:08:07PM -0700, Nelson B Bolyard wrote:
> On 2010-06-13 13:02 PDT, Robin H. Johnson wrote:
> > On Sun, Jun 13, 2010 at 02:02:39AM -0700, Nelson B Bolyard wrote:
> >>> The root of the problem is that the shared libraries can change
> >>> POST-install, as needed for ELF signing, split-debug and prelinking. The
> >>> ELF signing is a catch-22. Either I have to run shlibsign afterwards, or
> >>> I have to not sign those files, and leave them open to potential
> >>> compromise.
> >> Rerun shlibsign. It's fast and easy.
> > As an intermediate related question, is there a standalone verification
> > tool for the CHK files
> >
> > shlibsign -V -i .... seems to just sign again, not verify.
> Yes. modutil is that test tool. You already know how to use it.
> Just drop the -force argument.
I should have clarified that I want to verify without any disk writes, nor
assuming a pre-setup database.

# modutil -chkfips true
modutil: function failed: security library: bad database.

Just exactly that the chk files are valid, and nothing else.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robb...@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto