We are using SRM builds (without enabling any security feature/McAfee solidification features). We need to modify one of the scripts (shell/python) and test the functionality, but if we modify them, the scripts are not executed. They work only if we rebuild the image and install it.
It is IMA (Integrity Measurement Architecture) that prevents the execution of the modified, and therefore no longer correctly signed, scripts.
Normally the binaries (executables, scripts) get IMA signed during the host build. If you change the binary content or its metadata (e.g. location of the binary) on the target, you can also sign it on the target.
You can sign the binary on the target with the evmctl command, for example:
evmctl ima_sign <binary> <path-to>/vendor-private.pem
You also need to copy the vendor-private.pem private key to the target to do the signing. You can find this key on the host under the layers/wr-idp/wr-srm/files/keys directory.
This is for development only; otherwise you should keep your private keys private.
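To confirm that a modified script actually carries a signature after running evmctl ima_sign, you can inspect its security.ima extended attribute. The following is an added example, not part of the original answer or of the IDP tooling; it assumes Python 3 with os.getxattr is available on the target, and the function names are hypothetical.

```python
import os
import struct
import sys

# First byte of the security.ima xattr, as defined by the kernel's IMA/EVM code.
IMA_XATTR_DIGEST = 0x01      # plain hash, no signature
EVM_IMA_XATTR_DIGSIG = 0x03  # digital signature (what evmctl ima_sign writes)
IMA_XATTR_DIGEST_NG = 0x04   # hash with algorithm id, no signature
HASH_ALGOS = {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}


def describe_ima_xattr(raw):
    """Classify the raw bytes of a security.ima xattr (None = xattr absent).

    This reports what kind of value is stored; it does not verify that a
    signature matches the current file content.
    """
    if not raw:
        return {"state": "unsigned", "detail": "no security.ima xattr"}
    kind = raw[0]
    if kind in (IMA_XATTR_DIGEST, IMA_XATTR_DIGEST_NG):
        return {"state": "hash-only", "detail": "digest without signature"}
    if kind != EVM_IMA_XATTR_DIGSIG or len(raw) < 2:
        return {"state": "unknown", "detail": "type 0x%02x" % kind}
    version = raw[1]
    info = {"state": "signed", "version": version}
    if version == 2 and len(raw) >= 9:
        # v2 header after type and version: hash_algo, keyid (be32), sig_size (be16)
        algo, keyid, sig_size = struct.unpack(">BIH", raw[2:9])
        info["hash"] = HASH_ALGOS.get(algo, "algo-%d" % algo)
        info["keyid"] = "%08x" % keyid
        info["truncated"] = len(raw) - 9 != sig_size
    return info


def read_ima_xattr(path):
    """Return the security.ima xattr of path, or None if it cannot be read."""
    try:
        return os.getxattr(path, "security.ima")
    except OSError:
        return None


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, describe_ima_xattr(read_ima_xattr(path)))
```

Run it with the script paths as arguments before and after signing; a file that reports "unsigned" or "hash-only" has not been signed.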
Last Validated Info:
IDP Version: 3.1