With Fedora 36 working its way towards release later this month, more developer attention and planning is turning to Fedora 37, which will be released this autumn. One of the changes being discussed this week is signing the contents of RPM packages as a means of trusting the files that are executed.
The Fedora 37 change proposal would add IMA-based (Integrity Measurement Architecture) signatures to the individual files that are part of shipped RPM packages. This will allow system administrators to enforce run-time policies that ensure only trusted files are executed, or similar policies.
This is a good idea, and it’s important to underline that this is entirely optional – nothing will change for regular end users who are not interested in such policies. This won’t limit your ability to install whatever RPM you want, nor does it lock anything down further than it is today – it just gives administrators more options.