PowerVC Package Signing

By Abhishek Sharma M posted Wed February 19, 2020 06:26 AM

  


Starting with version 1.4.4.0, PowerVC signs all packages that it ships and installs, thereby providing additional security. This also prevents package tampering by malicious entities.


What is signing?
Signing, done at the sender's end, uses public-key cryptography: a hash of the target is computed and encrypted with the sender's private key to produce the signature. At the receiver's end, the hash of the target is generated again and compared with the hash obtained by decrypting the signature with the public key; if they are the same, then there was no tampering with the target.



What is the need for signing packages?
Package signing enables customers to verify that the packages they received from a source are indeed from that source and were not tampered with. If a package has been tampered with, the signature verification fails and customers can choose not to install it. PowerVC now signs all packages it ships to provide enhanced security during installation. If the package signature verification fails during installation, the installation is aborted.



Package signing in PowerVC
The packages PowerVC installs are signed using a private GPG key, and the public key is shipped with the installer. These packages are verified during PowerVC installation on the management node, compute node and network node. To learn more, see the PowerVC Standard & Cloud KC links.
PowerVC ships 2 types of packages: RPMS and Debian (DEBS). The signing strategy is different for each.


  • RPMS - PowerVC signs every individual RPM that it ships.


  • DEBS - PowerVC signs the debian repo which it creates during installation.





What does it mean for PowerVC Customers?
Package signing in PowerVC provides improved security to our customers. From an end-user installation perspective, there are no changes in the user experience. Packages shipped as part of the installer are signed packages that are installed successfully with the help of a public key.



How does this impact packages installed directly from RHEL?
PowerVC installation (any release) depends on packages that are automatically installed from the RHEL repositories configured on the RHEL VM where PowerVC is being installed. These prerequisite packages come from the RHEL repo and are not shipped as part of the PowerVC installer. These packages may or may not be signed; it depends entirely on how the RHEL repository is configured. Even if the packages installed from these repositories are not signed, it does not impact PowerVC installation, as they come from a different repository. Customers do not have to make any additional changes to any of their existing repositories to make PowerVC installation work successfully.



Is there an option to install with unsigned packages?
Customers do not have a choice to use unsigned packages. PowerVC, starting from version 1.4.4.0, will always be shipped with signed packages and the signature will be verified during installation.



Manual signature verification
Although the package signature is verified automatically during installation, system administrators performing the installation can also verify the signature manually if they wish.
For RPMs, run the below command,
$ rpm --checksig novnc-0.6.2-1.ibm.el7.noarch.rpm
(novnc-0.6.2-1.ibm.el7.noarch.rpm signifies any rpm that you want to check)
Before running the above command, make sure that the PowerVC public key is imported into the local GPG keyring. PowerVC's public key is automatically added to the keyring during installation. The below command lists all the keys present in the local GPG keyring.
$ rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'






If the PowerVC public key is not present in the list, then run the below command to import it,
$ rpm --import /path/to/RPM-GPG-KEY-PowerVC




(path/to/RPM-GPG-KEY-PowerVC will be in the base directory where PowerVC was installed)
Note: For DEBS, a manual signature check is not possible, as signing happens at the repo level and the repository is created only during installation.
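
The RPM check above can be scripted across a directory of packages. The following is an added example, not part of the original post or of the PowerVC installer; the function names and the sample output lines are constructed for illustration, and it assumes the local rpm prints results in the format of rpm 4.11 (RHEL 7) or rpm 4.14 and later. It separates packages whose signature was actually verified from packages that report OK only because their digests match.

```shell
#!/bin/sh
# Added example, not part of the PowerVC installer.
# rpm --checksig prints "OK" when only the digests match, even if the package
# carries no signature, so "OK" alone does not prove a package was signed.

# classify_checksig LINE -> prints VERIFIED, UNSIGNED or FAILED
classify_checksig() {
    result=${1#*: }                      # drop the "name.rpm: " prefix
    case $result in
        *"NOT OK"*) echo FAILED ;;       # bad digest/signature or missing key
        *pgp*OK|*gpg*OK|*rsa*OK|*dsa*OK|*signatures*OK) echo VERIFIED ;;
        *OK) echo UNSIGNED ;;            # digests only, nothing was signed
        *)   echo FAILED ;;              # no usable output from rpm
    esac
}

# verify_dir DIR -> non-zero status unless every *.rpm in DIR is VERIFIED
verify_dir() {
    bad=0
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || continue
        line=$(rpm --checksig "$f" 2>/dev/null | tail -n 1)
        verdict=$(classify_checksig "$line")
        printf '%-9s %s\n' "$verdict" "$f"
        [ "$verdict" = VERIFIED ] || bad=1
    done
    return "$bad"
}

if [ "$#" -gt 0 ]; then
    verify_dir "$1"
else
    # Constructed sample lines in the formats of rpm 4.11 and rpm 4.14+
    while IFS= read -r l; do
        printf '%-9s %s\n' "$(classify_checksig "$l")" "$l"
    done <<'EOF'
novnc-0.6.2-1.ibm.el7.noarch.rpm: rsa sha1 (md5) pgp md5 OK
novnc-0.6.2-1.ibm.el7.noarch.rpm: digests signatures OK
novnc-0.6.2-1.ibm.el7.noarch.rpm: sha1 md5 OK
novnc-0.6.2-1.ibm.el7.noarch.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#00000000)
EOF
fi
```

VERIFIED means the signature checked out against some key in the rpm keyring, so list the imported keys as shown above to confirm that the PowerVC key is the one present.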







Public Key Verification
Administrators can also verify that the RPM-GPG-KEY-PUBLIC they received as part of the PowerVC installer was not tampered with by comparing it with the publicly available PowerVC GPG public key at http://public.dhe.ibm.com/systems/virtualization/powervc/public_gpg_key/RPM-GPG-KEY-PUBLIC



PowerVC Upgrade & PowerVC Backup/Restore after Package signing
There will not be any visible impact of signing packages on the PowerVC upgrade (or backup/restore flows) from previous supported versions to PowerVC 1.4.4.0 or future releases. When PowerVC is upgraded from an older release to 1.4.4.0, the signed packages will be automatically installed without needing any additional configuration.



General troubleshooting
1. If an error occurs because the installer couldn't find the public key, make sure that the public key is imported into the keyring.








2. If the installation fails because of signature verification, then it might be the case that some package was tampered with.




3. When IBM PowerVM Novalink gets upgraded (older to newer version) as part of a PowerVC upgrade, make sure that the public key of PowerVM Novalink from its public cloud is added to the keyring if it's not already present on the PowerVM Novalink host. The public key for PowerVM Novalink can be downloaded from http://public.dhe.ibm.com/systems/virtualization/Novalink/debian/novalink-gpg-pub.key
Check if the key is already present,
$ sudo apt-key list | /bin/grep -w "NovaLink"
If not present, then add the downloaded key to the keyring using the below command,
$ sudo apt-key add /path/to/novalink-gpg-pub.key



Conclusion

If you have any questions about this topic, please comment below. Watch this space for more information about troubleshooting your environment. In the meantime, don’t forget to follow us on LinkedIn, Facebook, and Twitter.

