Signing RPM packages
Signing
a RPM packages use GPG program to add security features to the original RPM
package, which to consolidate the integrity of the RPM package. GPG stands for GNU Privacy Guard, which is the
free software that under the GNU General Public License, and it is alternative
to Pretty Good Privacy (PGP) suite cryptographic software. This is the GPG main website http://www.gnupg.org. The latest version of GPG is
2.0.19, which releases from March-27-2012. GPG provides multiple OS operation.
Gpg4win is the Window version of GnuPG that offers a friendly graphic interface
for users, and GPGTools provides a Mac OS X version
of GnuPG. However, under Linux system,
we should use command line interface to sign the signature for the package.
1)
create
the GPG key pair
a.
gpg
--genkey
·
In
this interaction interface, we just need to answer the questions from the
command prompt to set the key type, key length, and the key expires times.
[root@localhost
x86_64]# gpg --gen-key
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free
Software Foundation, Inc.
There is NO WARRANTY, to the extent permitted by
law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA
(sign only)
(4) RSA
(sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
0
= key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) n
Key is valid for? (0) 1m
Key expires at Fri 23 Nov 2012 05:44:55 PM EST
Is this correct? (y/N) y
You need a user ID to identify your key; the
software constructs the user ID
from the Real Name, Comment and Email Address in
this form:
"Heinrich Heine (Der Dichter)
<heinrichh@duesseldorf.de>"
Real name: maximum ou
Email address: maximumou@fedoraproject.org
Comment:
You selected this USER-ID:
"maximum ou <maximumou@fedoraproject.org>"
Change (N)ame, (C)omment, (E)mail or
(O)kay/(Q)uit? O
You need a Passphrase to protect your secret
key.
passphrase not correctly repeated; try again.
We need to generate a lot of random bytes. It is
a good idea to perform
some other action (type on the keyboard, move
the mouse, utilize the
disks) during the prime generation; this gives
the random number
generator a better chance to gain enough
entropy.
+++++
.+++++
We need to generate a lot of random bytes. It is
a good idea to perform
some other action (type on the keyboard, move
the mouse, utilize the
disks) during the prime generation; this gives
the random number
generator a better chance to gain enough
entropy.
.+++++
+++++
gpg: key A4D845 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed,
PGP trust model
gpg: depth: 0
valid: 2 signed:
0 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2012-11-07
pub
1024/A0D835 2012-10-24 [expires: 2012-11-23]
Key
fingerprint = FC88 33E1 64E6 BCED 777A
2EE0 CD16 0961 A604 D845
uid maximum ou
<maximumou@fedoraproject.org>
sub
1024R/30AD7 2012-10-24 [expires: 2012-11-23]
2)
to
verify the key use the command
a.
gpg
--list-keys
·
The
key ring list in the /root/.gnupg/pubring.gpg by default
3)
add
user info in ~/.rpmmacros
a.
vi
~/.rpmmacros
%_signature gpg
%_gpg_name “yourname or
youremailaddress”
4)
after
save the rpmmacros file, then we are ready to sign the rpm package now
a.
rpm
--addsign combine-0.3.4-1.fc17.x86_64.rpm
·
--addsign
is a key word
·
combine-0.3.4-1.fc17.x86_64.rpm
is package that we need to sign
·
After
verify our password that we just generate earlier, then the signing process is
completed.
5)
There are a few gpg keyword is necessary to
know
a.
gpg --export -a ‘yourname’ > RPMKEY
·
To
export the public key to a text file
b.
sudo
rpm --import RPMKEY
·
To
import the rpm key back to RPM database
c.
verify
the signature
·
rpm
--checksig combine-0.3.4-1.fc17.x86_64.rpm
a.
This
tricky problem takes me so much times to Google it. In fact, it just misses a
package called “rpm-sign”, and just installs this package. This problem will go
away.
·
yum
install rpm-sign
Creating a YUM repository
Create
software repository is to share your repository packages to the general
community. Before the process start, we need our signed RPM package ready
first.
1)
use
yum to install the createrepo package if we don’t have the package installed
yet
a.
yum
install createrepo
2)
if
we decide to put our repositories on the LAN, then we can put it under apache server
(fedora 17 in my server)
a.
yum
install httpd
b.
systemctl
start httpd.service
3)
Create
the repository metadata for that directory
a.
cd
/var/www/html/
b.
createrepo
.
4)
create
a new repository file called maximum.repo
a.
vi
maximum.repo
[maximumrepo]
name=maximumrepo
repository
baseurl=http://192.168.1.120/var/www/html/repodata/
enabled=1
gpgcheck=1
- [maximumrepo] (
Repository name )
- name=maximumrepo repository ( A readable string describing
the repository name )
- baseurl= http://192.168.1.120 ( The URL point
to the yum repository’s directory )
- enabled=1 (
Enabled or disabled repo. enabled to 0 )
·
metadata_expire=7d ( 7days to expire )
- gpgcheck=1 (
use GPG key sets 1 to enable the security feature )
- gpgkey= file:///etc/pki/rpm-gpg/RPM-GPG-KEY-maximum
( the GPG public key file
location )
5)
export
the GPG public key from my rpm database
a.
gpg
--export -a ‘maximumou’ > /etc/pki/rpm-gpg/RPM-GPG-KEY-maximum
6) The signed RPM package and ASCII public key file can be download from this link:
http://matrix.senecac.on.ca/~zcou/
No comments:
Post a Comment