From 616a5cf29493bb0991e603e5cfb0ff4dbed3fb2b Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Tue, 19 May 2026 18:43:02 -0400
Subject: [PATCH] import UBI ima-evm-utils-1.6.2-4.el10
---
 ima-add-sigs.sh | 2 +-
 ima-evm-utils.spec | 7 ++++++-
 ima-setup.sh | 23 ++++++++++-------------
 3 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/ima-add-sigs.sh b/ima-add-sigs.sh
index 6be5c48..f0e9dd0 100755
--- a/ima-add-sigs.sh
+++ b/ima-add-sigs.sh
@@ -132,7 +132,7 @@ if [[ -z $reinstall_threshold ]]; then
 fi
 fi
-unsigned_packages_in_rpm_db=$(rpm -q --queryformat "%{SIGPGP:pgpsig}\n" "$package" | grep -c "^(none)$")
+unsigned_packages_in_rpm_db=$(rpm -q --queryformat "%{RSAHEADER}\n" "$package" | grep -c "^(none)$")
 if [[ $unsigned_packages_in_rpm_db -ge $reinstall_threshold ]]; then
 add_by_reinstall
diff --git a/ima-evm-utils.spec b/ima-evm-utils.spec
index 6af845f..c584ec4 100644
--- a/ima-evm-utils.spec
+++ b/ima-evm-utils.spec
@@ -8,7 +8,7 @@
 Name: ima-evm-utils
 Version: 1.6.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: IMA/EVM support utilities
 License: GPLv2
 Url: http://linux-ima.sourceforge.net/
@@ -138,6 +138,11 @@ install -m 644 %{SOURCE300} %{SOURCE301} $RPM_BUILD_ROOT/etc/keys/ima/
 %{_libdir}/libimaevm.so
 %changelog
+* Thu Oct 30 2025 Coiby Xu - 1.6.2-4
+- ima-setup: Use RSAHEADER to tell if a package has been signed
+- ima-setup: skip installing rpm-plugin-ima if it has been installed (RHEL-99356)
+- ima-setup: rebuild all initramfs images to include the integrity dracut module (RHEL-92638)
+
 * Thu Jul 31 2025 Coiby Xu - 1.6.2-3
 - Verify IMA signature to make sure it's correct
diff --git a/ima-setup.sh b/ima-setup.sh
index 4a61a28..8223374 100755
--- a/ima-setup.sh
+++ b/ima-setup.sh
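Review bot: In ima-add-sigs.sh, the new `unsigned_packages_in_rpm_db` query looks only at `%{RSAHEADER}`, so a package whose header signature was made with a non-RSA key (rpm keeps those under `DSAHEADER`, as far as I know) prints `(none)` and is counted as unsigned. That count is compared with `$reinstall_threshold` to decide whether `add_by_reinstall` runs, so a misclassified package can push the script onto the reinstall path without need. If such keys can occur in the target repositories, query both tags, e.g. `--queryformat "%{RSAHEADER}%{DSAHEADER}\n"` with `grep -c "^(none)(none)$"`, and add a comment saying why the header-only tags replace `SIGPGP`. The surrounding logic starts and continues outside the hunk.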
@@ -50,10 +50,12 @@ if [[ $# -eq 0 ]]; then
 usage
 fi
-echo "Installing prerequisite package rpm-plugin-ima"
-if ! dnf install rpm-plugin-ima -yq; then
- echo "Failed to install rpm-plugin-ima, abort"
- exit 1
+if ! rpm --quiet -q rpm-plugin-ima; then
+ echo "Installing prerequisite package rpm-plugin-ima"
+ if ! dnf install rpm-plugin-ima -yq; then
+ echo "Failed to install rpm-plugin-ima, abort"
+ exit 1
+ fi
 fi
 # Add IMA signatures
@@ -126,15 +128,10 @@ load_ima_keys
 # automatically when there is a system reboot
 if ! lsinitrd --mod | grep -q integrity; then
 cp --preserve=xattr /usr/share/ima/dracut-98-integrity.conf /etc/dracut.conf.d/98-integrity.conf
- echo "Rebuilding the initramfs of kernel-$(uname -r) to include the dracut integrity module"
- dracut -f
-
- if command -v grubby >/dev/null; then
- _default_kernel=$(grubby --default-kernel | sed -En "s/.*vmlinuz-(.*)/\1/p")
- if [[ $_default_kernel != $(uname -r) ]]; then
- echo "Current kernel is not the default kernel ($_default_kernel), include dracut integrity for it as well"
- dracut -f --kver "$_default_kernel"
- fi
+ echo "Regenerating all initramfs images to include the dracut integrity module"
+ if ! dracut -f --regenerate-all; then
+ echo "Failed to Regenerate all initramfs images"
+ exit 1
 fi
 [[ $(uname -m) == s390x ]] && zipl &> /dev/null
 fi
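Review bot: In the second ima-setup.sh hunk, a failing `dracut -f --regenerate-all` exits after `98-integrity.conf` has already been copied and possibly after some images were rebuilt, while the `lsinitrd --mod` guard at the top of the block inspects only one image (by default the running kernel's, as far as I know). A re-run can then skip the whole block and leave other kernels' initramfs without the integrity module, which presumably means the IMA keys are not loaded when one of those kernels boots. Tell the operator how to recover and send the message to stderr: `echo "Failed to regenerate all initramfs images; rerun 'dracut -f --regenerate-all' before rebooting" >&2`. The `zipl` call that follows still discards its output and exit status, so a failed boot-record update on s390x goes unreported as well.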