On 06/13/2010 05:24 PM, Robin H. Johnson wrote:
> On Sun, Jun 13, 2010 at 03:08:07PM -0700, Nelson B Bolyard wrote:
>
>> On 2010-06-13 13:02 PDT, Robin H. Johnson wrote:
>>
>>> On Sun, Jun 13, 2010 at 02:02:39AM -0700, Nelson B Bolyard wrote:
>>>
>>>>> The root of the problem is that the shared libraries can change
>>>>> POST-install, as needed for ELF signing, split-debug and prelinking. The
>>>>> ELF signing is a catch-22. Either I have to run shlibsign afterwards, or
>>>>> I have to not sign those files, and leave them open to potential
>>>>> compromise.
>>>>>
>>>> Rerun shlibsign. It's fast and easy.
>>>>
I think rerunning shlibsign is probably your best option.
We have traditionally been turning off prelinking for softoken and freebl on Fedora, since prelink can run periodically (usually we find FIPS breaking overnight). There is a patch checked into the SOFTOKEN_3_13 branch which allows you to prelink the library; the integrity check program would ask prelink to return the unmodified library, which it will check against rather than the actual on-disk version. I don't know how that would interact with ELF signing and split-debug. You can control the actual prelink command for your distribution with an environment variable at build time.

I definitely suggest you run shlibsign after any 'static' operations (those operations that are run once).

bob
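The ordering issue discussed in this thread, as an added Python sketch that is not from the original post or from NSS. A keyed hash stands in for the check value shlibsign writes; the key, the `DEBUG:` and trailer markers, and the `strip_debug` and `prelink` helpers are hypothetical stand-ins constructed for the demo.

```python
import hashlib, hmac, os, tempfile

KEY = b"constructed-demo-key"        # assumption: stand-in for the signing key
PRELINK_TAG = b"\x00PRELINKED:"      # assumption: toy marker for a reversible rewrite

def mac_of(data):
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def read(path):
    with open(path, "rb") as f:
        return f.read()

def write(path, data):
    with open(path, "wb") as f:
        f.write(data)

def sign(path):          # record a check value for the bytes on disk right now
    write(path + ".chk", mac_of(read(path)).encode())

def strip_debug(path):   # one-time ("static") rewrite, irreversible
    write(path, read(path).split(b"DEBUG:")[0])

def prelink(path):       # periodic rewrite, reversible
    write(path, read(path) + PRELINK_TAG + b"addr-map")

def verify(path, via_undo=False):
    data = read(path)
    if via_undo:         # check the image as it was before prelink() ran
        data = data.split(PRELINK_TAG)[0]
    return hmac.compare_digest(mac_of(data).encode(), read(path + ".chk"))

def run_demo():
    lib = os.path.join(tempfile.mkdtemp(), "libdemo.so")
    write(lib, b"\x7fELF constructed code DEBUG:constructed symbols")
    r = {}
    sign(lib); strip_debug(lib)                 # signed too early
    r["signed_before_strip"] = verify(lib)
    sign(lib)                                   # re-sign after the static step
    r["resigned_after_strip"] = verify(lib)
    prelink(lib)                                # later periodic rewrite
    r["on_disk_after_prelink"] = verify(lib)
    r["via_undo_after_prelink"] = verify(lib, via_undo=True)
    write(lib, read(lib).replace(b"code", b"c0de"))   # real modification
    r["tampered_via_undo"] = verify(lib, via_undo=True)
    return r

if __name__ == "__main__":
    print(run_demo())
```

Signing before the one-time rewrite fails the check, re-signing afterwards passes, and a check against the un-prelinked image survives the periodic rewrite while still rejecting a change to the code bytes.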