Package manager (yum, apt, ...) supporting IMA signatures

I'm trying to harden a Linux system by using IMA and want to apply digital signatures to binaries. I'm wondering if there is a package manager supporting the IMA signatures so that the binaries can be updated. Is there an alternative approach to update the system in a secure way?

Could I just trust the incoming package signed by a maintainer and use the mount file system iversion support so that the hashes are automatically updated? But I'm afraid that then also an attacker could update files when one has access to the system.
