import UBI ima-evm-utils-1.6.2-2.el9

.gitignore

@@ -1,3 +1,3 @@
 SOURCES/centosimarelease-9.der
-SOURCES/ima-evm-utils-1.5.tar.gz
+SOURCES/ima-evm-utils-1.6.2.tar.gz
 SOURCES/redhatimarelease-9.der

.ima-evm-utils.metadata

@@ -1,3 +1,3 @@
 61d5a223ff0c79189505abae77e0087c4b2d2b47 SOURCES/centosimarelease-9.der
-87b19af821da481a50e820958f75104878442472 SOURCES/ima-evm-utils-1.5.tar.gz
+41095bb1d9ddeb166cdfb81338dc5d671f623f1c SOURCES/ima-evm-utils-1.6.2.tar.gz
 99e571f9de4188f3b5fdf1f84ff73f6cc4bb6a0e SOURCES/redhatimarelease-9.der

SOURCES/ima-add-sigs.sh

@@ -4,7 +4,7 @@
 usage() {
 	echo "Add IMA signatures to installed packages."
 	cat <<EOF
-usage: $0 [--package=PACKAGE_NAME|ALL] [--ima-cert=IMA_CERT_PATH] [--reinstall_threshold=NUM]
+usage: $0 [--package=PACKAGE_NAME|ALL] [--ima_cert=IMA_CERT_PATH] [--reinstall_threshold=NUM]
 
        --package
        By default, it will add IMA sigantures to all installed package files.
@@ -19,7 +19,7 @@ usage: $0 [--package=PACKAGE_NAME|ALL] [--ima-cert=IMA_CERT_PATH] [--reinstall_t
        this case by checking if there are >reinstall_threshold package missing
        IMA signatures.
 
-       --ima-cert
+       --ima_cert
        With the signing IMA cert path specified, it will also try to verify the
        added IMA signature.
 
@@ -53,12 +53,35 @@ abort() {
 	exit 1
 }
 
+get_system_ima_key() {
+	source /etc/os-release
+	local -A name_map=(['Fedora Linux']="fedora" ['Red Hat Enterprise Linux']="redhatimarelease" ['CentOS Stream']='centosimarelease')
+	local version_id
+	key_name=${name_map[$NAME]}
+	version_id=${VERSION_ID/.?/}
+
+	[[ $key_name == fedora ]] && name_suffix=-ima
+	key_path=/etc/keys/ima/${key_name}-${version_id}${name_suffix}.der
+	if [[ ! -e $key_path ]]; then
+		echo "Failed to get system IMA code verification key"
+		exit 1
+	fi
+
+	echo -n "$key_path"
+}
+
 # Add IMA signatures from RPM database
 add_from_rpm_db() {
 	if ! command -v setfattr &>/dev/null; then
 		abort "Please install attr"
 	fi
 
+	if [[ -e "$ima_cert" ]]; then
+		verify_ima_cert=$ima_cert
+	else
+		verify_ima_cert=$(get_system_ima_key)
+	fi
+
 	# use "|" as deliminator since it won't be used in a filename or signature
 	while IFS="|" read -r path sig; do
 		# [[ -z "$sig" ]] somehow doesn't work for some files that don't have IMA
@@ -72,16 +95,22 @@ add_from_rpm_db() {
 			continue
 		fi
 
+		# Skip some files that are created on the fly
+		if [[ $path == "/usr/share/mime/"* || $path == "/etc/pki/ca-trust/extracted/"* ]]; then
+			continue
+		fi
+
 		if ! setfattr -n security.ima "$path" -v "0x$sig"; then
 			echo "Failed to add IMA sig for $path"
 		fi
 
-		[[ -e "$ima_cert" ]] || continue
-		# TODO
-		# don't verify the modified files like /etc?
-		if ! evmctl ima_verify -k "$ima_cert" "$path" &>/dev/null; then
-			echo "Failed to verify $path"
+		if ! evmctl ima_verify -k "$verify_ima_cert" "$path" &>/dev/null; then
+			setfattr -x security.ima "$path"
+			# When ima_cert is set, shows the verfication result for users
+			[[ -e "$ima_cert" ]] && "Failed to verify $path"
+			continue
 		fi
+
 	done < <(rpm -q --queryformat "[%{FILENAMES}|%{FILESIGNATURES}\n]" "$package")
 }
 
@@ -103,7 +132,7 @@ if [[ -z $reinstall_threshold ]]; then
 	fi
 fi
 
-unsigned_packages_in_rpm_db=$(rpm -q --queryformat "%{SIGPGP:pgpsig}\n" "$package" | grep "^(none)$" | wc -l)
+unsigned_packages_in_rpm_db=$(rpm -q --queryformat "%{SIGPGP:pgpsig}\n" "$package" | grep -c "^(none)$")
 
 if [[ $unsigned_packages_in_rpm_db -ge $reinstall_threshold ]]; then
 	add_by_reinstall

SOURCES/ima-setup.sh

@@ -33,7 +33,7 @@ for _opt in "$@"; do
 	--policy=*)
 		ima_policy_path=${_opt#*=}
 		if [[ ! -e $ima_policy_path ]]; then
-			echo "$policy_file doesn't exist"
+			echo "$ima_policy_path doesn't exist"
 			exit 1
 		fi
 		;;
@@ -61,7 +61,7 @@ if test -f /run/ostree-booted; then
 	echo "You are using OSTree, please enable IMA signatures as part of the OSTree creation process."
 else
 	echo "Adding IMA signatures to installed package files"
-	if ! ima-add-sigs; then
+	if ! ima-add-sigs --reinstall_threshold="$reinstall_threshold"; then
 		echo "Failed to add IMA signatures, abort"
 		exit 1
 	fi
@@ -136,7 +136,7 @@ if ! lsinitrd --mod | grep -q integrity; then
 			dracut -f --kver "$_default_kernel"
 		fi
 	fi
-
+	[[ $(uname -m) == s390x ]] && zipl &> /dev/null
 fi
 
 if ! load_ima_policy "$ima_policy_path"; then

SPECS/ima-evm-utils.spec

@@ -3,12 +3,12 @@
 %global bootstrap 0
 
 %if 0%{bootstrap}
-%global compat_soversion 3
+%global compat_soversion 4
 %endif
 
 Name:    ima-evm-utils
-Version: 1.5
-Release: 3%{?dist}
+Version: 1.6.2
+Release: 2%{?dist}
 Summary: IMA/EVM support utilities
 License: GPLv2
 Url:     http://linux-ima.sourceforge.net/
@@ -27,7 +27,7 @@ Source301: centosimarelease-9.der
 
 %if 0%{bootstrap}
 # compat source and patches
-Source10: ima-evm-utils-1.4.tar.gz
+Source10: ima-evm-utils-1.5.tar.gz
 %endif
 
 BuildRequires: asciidoc
@@ -123,7 +123,7 @@ install -m 644 %{SOURCE300} %{SOURCE301} $RPM_BUILD_ROOT/etc/keys/ima/
 %{_bindir}/ima-setup
 
 # if you need to bump the soname version, coordinate with dependent packages
-%{_libdir}/libimaevm.so.4*
+%{_libdir}/libimaevm.so.5*
 %if 0%{bootstrap}
 %{_libdir}/libimaevm.so.%{compat_soversion}
 %{_libdir}/libimaevm.so.%{compat_soversion}.0.0
@@ -138,6 +138,14 @@ install -m 644 %{SOURCE300} %{SOURCE301} $RPM_BUILD_ROOT/etc/keys/ima/
 %{_libdir}/libimaevm.so
 
 %changelog
+* Thu Jul 31 2025 Coiby Xu <coxu@redhat.com> - 1.6.2-2
+- Verify IMA signature to make sure it's correct (RHEL-105471)
+- Drop old libimaevm.so.4 (RHEL-82797)
+
+* Mon Mar 10 2025 Coiby Xu <coxu@redhat.com> - 1.6.2-1
+- ima-setup: run zipl after building initramfs for s390x (RHEL-72293)
+- update to upstream 1.6.2 (RHEL-82793)
+
 * Wed Nov 13 2024 Coiby Xu <coxu@redhat.com> - 1.5-3
 - Skip unsupported file systems for sample appraisal rule (RHEL-62817)