import UBI ima-evm-utils-1.6.2-4.el10

2026-05-19 18:43:02 -04:00 · 2026-05-19 18:43:02 -04:00 · 616a5cf294
commit 616a5cf294
parent c29eac902a
3 changed files with 17 additions and 15 deletions
--- a/ima-add-sigs.sh
+++ b/ima-add-sigs.sh
@ -132,7 +132,7 @@ if [[ -z $reinstall_threshold ]]; then
 	fi
 fi

-unsigned_packages_in_rpm_db=$(rpm -q --queryformat "%{SIGPGP:pgpsig}\n" "$package" | grep -c "^(none)$")
+unsigned_packages_in_rpm_db=$(rpm -q --queryformat "%{RSAHEADER}\n" "$package" | grep -c "^(none)$")

 if [[ $unsigned_packages_in_rpm_db -ge $reinstall_threshold ]]; then
 	add_by_reinstall
--- a/ima-evm-utils.spec
+++ b/ima-evm-utils.spec
@ -8,7 +8,7 @@

 Name:    ima-evm-utils
 Version: 1.6.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: IMA/EVM support utilities
 License: GPLv2
 Url:     http://linux-ima.sourceforge.net/
@ -138,6 +138,11 @@ install -m 644 %{SOURCE300} %{SOURCE301} $RPM_BUILD_ROOT/etc/keys/ima/
 %{_libdir}/libimaevm.so

 %changelog
+* Thu Oct 30 2025 Coiby Xu <coxu@redhat.com> - 1.6.2-4
+- ima-setup: Use RSAHEADER to tell if a package has been signed
+- ima-setup: skip installing rpm-plugin-ima if it has been installed (RHEL-99356)
+- ima-setup: rebuild all initramfs images to include the integrity dracut module (RHEL-92638)
+
 * Thu Jul 31 2025 Coiby Xu <coxu@redhat.com> - 1.6.2-3
 - Verify IMA signature to make sure it's correct

--- a/ima-setup.sh
+++ b/ima-setup.sh
@ -50,10 +50,12 @@ if [[ $# -eq 0 ]]; then
 	usage
 fi

-echo "Installing prerequisite package rpm-plugin-ima"
-if ! dnf install rpm-plugin-ima -yq; then
-	echo "Failed to install rpm-plugin-ima, abort"
-	exit 1
+if ! rpm --quiet -q rpm-plugin-ima; then
+	echo "Installing prerequisite package rpm-plugin-ima"
+	if ! dnf install rpm-plugin-ima -yq; then
+		echo "Failed to install rpm-plugin-ima, abort"
+		exit 1
+	fi
 fi

 # Add IMA signatures
@ -126,15 +128,10 @@ load_ima_keys
 # automatically when there is a system reboot
 if ! lsinitrd --mod | grep -q integrity; then
 	cp --preserve=xattr /usr/share/ima/dracut-98-integrity.conf /etc/dracut.conf.d/98-integrity.conf
-	echo "Rebuilding the initramfs of kernel-$(uname -r) to include the dracut integrity module"
-	dracut -f
-
-	if command -v grubby >/dev/null; then
-		_default_kernel=$(grubby --default-kernel | sed -En "s/.*vmlinuz-(.*)/\1/p")
-		if [[ $_default_kernel != $(uname -r) ]]; then
-			echo "Current kernel is not the default kernel ($_default_kernel), include dracut integrity for it as well"
-			dracut -f --kver "$_default_kernel"
-		fi
+	echo "Regenerating all initramfs images to include the dracut integrity module"
+	if ! dracut -f --regenerate-all; then
+		echo "Failed to Regenerate all initramfs images"
+		exit 1
 	fi
 	[[ $(uname -m) == s390x ]] && zipl &> /dev/null
 fi