Support IMA file singing for built packages

[dralley]

We already support getting the IMA signatures from existing packages, but we don't support adding IMA signatures to new packages being built.

[baloo]

I'd like to take a swing at this one.

[dralley]

Go for it!

[dralley]

@baloo However, try not to conflict too much with #264. If you can wait a couple of days until it's merged, or base your work on top of it, that would be great

[dralley]

FYI: ad28238#diff-f5546fde253e2523107af577c9f980105960b2cde646bc2a12fce9db432c9d95R43

[baloo]

Like I’ve done in #244 I’d like to make it so that the private key signing the ima attributes can be held on an HSM. I think it’s should be fairly easier to do than with pgp, and that just accepting a signer that implements a signature::DigestSigner should do (probably also going to require signature::KeyPair to autocompute the key id (which from my current understanding is the 4 last bytes of the spki digest). That should be transparent to whether the key is directly held in software or behind an HSM or a smart card (yubikey,…).

I’m considering making imaevm crate just to separate the signing logic and not embedded it here. (IMA has a couple revisions of its signature scheme and I’m not sure it makes sense to embed that logic here).

Anyway, this is my current train of thoughts.