Signing the RPM packages you build

By | 20 January 2022

For RPM packages we build ourselves, we normally sign them with a private key to guard against tampering, and then publish the public key. Anyone who downloads and uses the package can verify the signature with that public key and be sure the file is the original.

1. Check whether the tool is installed
# whereis gpg
gpg: /usr/bin/gpg /usr/share/man/man1/gpg.1.gz
# rpm -qf /usr/bin/gpg
gnupg2-2.0.14-4.el6.x86_64
It is installed, and provided by gnupg.

2. We have an RPM package, qemu-img, that is not yet signed. Let's try installing it and see what happens.

# yum --disablerepo=\* --enablerepo=c6-media install qemu-img
Loaded plugins: fastestmirror, refresh-packagekit
Loading mirror speeds from cached hostfile
* c6-media:
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package qemu-img.x86_64 2:0.12.1.2-2.113.el6 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package        Arch         Version                       Repository      Size
================================================================================
Installing:
qemu-img       x86_64       2:0.12.1.2-2.113.el6          c6-media       343 k

Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 343 k
Installed size: 597 k
Is this ok [y/N]: y
Downloading Packages:

Package qemu-img-0.12.1.2-2.113.el6.x86_64.rpm is not signed
Right, it reports that this RPM package is not signed. One fix is to set gpgcheck=0 in /etc/yum.repos.d/CentOS-Media.repo so that packages are not verified at all, but that is not the result we want.

3. Check whether the system already has a gpg key
# gpg --list-key
No output at all.

4. Start the signing work
# gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keyring `/root/.gnupg/secring.gpg' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 4                                       # RSA is the popular choice
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)                        # just press Enter
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n>  = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)                                    # 0 means the key never expires
Key does not expire at all
Is this correct? (y/N) y                                 # confirm

GnuPG needs to construct a user ID to identify your key.

Real name: ecdata                                        # name
Email address: qiujichun@gmail.com                       # e-mail address
Comment: custom                                          # comment
You selected this USER-ID:
"ecdata (custom) <qiujichun@gmail.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O    # capital letter O to confirm

+-----------------------------------------------------+
| Enter passphrase                                    |
|                                                     |
|                                                     |
| Passphrase ***********_____________________________ |   # enter the passphrase
|                                                     |
|       <OK>                             <Cancel>     |
+-----------------------------------------------------+

+-----------------------------------------------------+
| Please re-enter this passphrase                     |
|                                                     |
|                                                     |
| Passphrase ***********_____________________________ |   # enter it again
|                                                     |
|       <OK>                             <Cancel>     |
+-----------------------------------------------------+

can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

At this point move the mouse and type on the keyboard a lot so that enough randomness is gathered, or simply run something like du / in another terminal.
gpg: key 8CD0BA9F marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/8CD0BA9F 2011-12-21
Key fingerprint = 6245 8B36 E982 2920 1A54  BA1C 10DE 1087 8CD0 BA9F
uid                  ecdata (custom) <qiujichun@gmail.com>

Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.
Done. At this point we may need to add a "subkey".

# gpg --edit-key ecdata    # this is the name of the key we just created
Command> help              # the help output shows the addkey command
addkey      add a subkey
Command> addkey
+------------------------------------------------------------------------------------+
| Please enter the passphrase to unlock the secret key for the OpenPGP certificate:  |
| "ecdata (custom) <qiujichun@gmail.com>"                                            |
| 2048-bit RSA key, ID 8CD0BA9F,                                                     |
| created 2011-12-21.                                                                |
|                                                                                    |
|                                                                                    |
| Passphrase ***********____________________________________________________________ |
|                                                                                    |
|            <OK>                                                  <Cancel>          |
+------------------------------------------------------------------------------------+
This passphrase is what unlocks the secret key from now on.

Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n>  = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

--------------------- Move the mouse like mad (or, if that is tedious, let a loop do the work: # for (( a=1;a<=1000;a++ ));do du /;done )
pub  2048R/8CD0BA9F  created: 2011-12-21  expires: never       usage: SC
trust: ultimate      validity: ultimate
sub  2048R/1E6D98D0  created: 2011-12-21  expires: never       usage: E
[ultimate] (1). ecdata (custom) <qiujichun@gmail.com>
Command> save

Done.

5. Look at the result
# gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub   2048R/8CD0BA9F 2011-12-21
uid                  ecdata (custom) <qiujichun@gmail.com>
sub   2048R/1E6D98D0 2011-12-21

6. Edit the rpm macros so that our key pair is used:

# echo %_signature gpg >> ~/.rpmmacros
# echo "%_gpg_name ecdata (custom)" >> ~/.rpmmacros

7. Sign an existing RPM package:
# rpm --addsign /media/CentOS/Packages/qemu-img-0.12.1.2-2.113.el6.x86_64.rpm
Enter pass phrase:                # enter the passphrase of the key pair just created
Pass phrase is good.
/media/CentOS/Packages/qemu-img-0.12.1.2-2.113.el6.x86_64.rpm:

+++++++++ Signing while packaging with rpmbuild:

# rpmbuild --sign --ta hello-0.1-1.tar.gz

+++++++++

8. First export the public key generated by gpg to a file, then import that public key file into the RPM database, and then verify the package with the rpm command.
If the key is not imported into the rpm database first, the verification result looks like this:
# rpm -K /media/CentOS/Packages/qemu-img-0.12.1.2-2.113.el6.x86_64.rpm
/media/CentOS/Packages/qemu-img-0.12.1.2-2.113.el6.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#8cd0ba9f)

Export the public key to a text file:

# gpg --export -a "ecdata (custom)" > RPM-GPG-KEY-ECDATA

List the public keys already in the rpm database:

# rpm -q gpg-pubkey-*
package gpg-pubkey-* is not installed
# rpm --import RPM-GPG-KEY-ECDATA
# rpm -q gpg-pubkey-*
gpg-pubkey-8cd0ba9f-4ef12761    # the key imported in the previous step

Now verify the RPM package again
# rpm -K /media/CentOS/Packages/qemu-img-0.12.1.2-2.113.el6.x86_64.rpm
/media/CentOS/Packages/qemu-img-0.12.1.2-2.113.el6.x86_64.rpm: rsa sha1 (md5) pgp md5 OK

9. Install
# rpm -ivh Packages/qemu-img-0.12.1.2-2.113.el6.x86_64.rpm
Preparing…                ########################################### [100%]
1:qemu-img               ########################################### [100%]
No warning like the following is reported:
warning: qemu-img-0.12.1.2-2.113.el6.x86_64.rpm: Header V3 RSA/SHA1 signature: NOKEY, key ID c0eb63c7

But a yum install still does not work at this point, so continue (mind the order)
# cp RPM-GPG-KEY-ECDATA /etc/pki/rpm-gpg/

# createrepo -g repodata/comps.xml .

# cat /etc/yum.repos.d/CentOS-Media.repo  # add or change the following
...
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ECDATA

# yum clean all

# yum --disablerepo=\* --enablerepo=c6-media install qemu-img
Loaded plugins: fastestmirror, refresh-packagekit
Determining fastest mirrors
* c6-media:
c6-media                                                                                                       | 1.9 kB     00:00 …
c6-media/primary                                                                                               | 1.7 MB     00:00 …
c6-media                                                                                                                    3696/3696
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package qemu-img.x86_64 2:0.12.1.2-2.113.el6 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

======================================================================================================================================
Package                      Arch                       Version                                   Repository                    Size
======================================================================================================================================
Installing:
qemu-img                     x86_64                     2:0.12.1.2-2.113.el6                      c6-media                     344 k

Transaction Summary
===========================================================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 344 k
Installed size: 597 k
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing     : 2:qemu-img-0.12.1.2-2.113.el6.x86_64                                                                           1/1

Installed:
qemu-img.x86_64 2:0.12.1.2-2.113.el6

Complete!
........ done

10. Sign the other custom RPMs the same way
# rpm --resign Packages/qemu-kvm-0.12.1.2-2.113.el6.x86_64.rpm
Then run this again (mandatory):
# createrepo -g repodata/comps.xml .
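As an added example that is not part of the original post: a small POSIX sh gate that parses the `rpm -K` and `rpm -q gpg-pubkey-*` output formats shown in the session above (rpm 4.8 on CentOS 6) and refuses packages that are unsigned, fail their digest or signature check, or were signed by a key that is not yet imported. The key ID and package path are the ones from the session; the second gpg-pubkey entry is a made-up placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: gate an install on the output of
# rpm -K and rpm -q gpg-pubkey-* (rpm 4.8, CentOS 6). Sample inputs are constructed.

# Classify one rpm -K line. Prints: ok | unsigned | bad | missing-key <keyid>
classify_checksig() {
    case $1 in
        *"MISSING KEYS"*)                    # ... NOT OK (MISSING KEYS: (MD5) PGP#8cd0ba9f)
            keyid=${1##*PGP#}; keyid=${keyid%%\)*}
            printf 'missing-key %s\n' "$keyid" ;;
        *"NOT OK"*)  printf 'bad\n' ;;       # digest or signature mismatch: corrupt or tampered
        *pgp*" OK")  printf 'ok\n' ;;        # digests and OpenPGP signature both verified
        *" OK")      printf 'unsigned\n' ;;  # only sha1/md5 digests present, no signature
        *)           printf 'bad\n' ;;
    esac
}

# Is key $1 in the RPM database? $2 is rpm -q gpg-pubkey-* output,
# one "gpg-pubkey-<keyid>-<timestamp>" per line. Prints yes | no.
pubkey_installed() {
    case $2 in
        *"gpg-pubkey-$1-"*) printf 'yes\n' ;;
        *)                  printf 'no\n' ;;
    esac
}

# Decide on one rpm -K line: prints "allow" or "deny: <reason>" and
# returns 0 only when the package may be installed.
gate_install() {
    verdict=$(classify_checksig "$1")
    case $verdict in
        ok)           printf 'allow\n'; return 0 ;;
        unsigned)     printf 'deny: package carries no OpenPGP signature\n' ;;
        missing-key*) printf 'deny: signer %s not in rpmdb, rpm --import its public key first\n' \
                          "${verdict#missing-key }" ;;
        *)            printf 'deny: digest or signature check failed\n' ;;
    esac
    return 1
}

# Demo: the two rpm -K results and the key list from the session above.
INSTALLED_KEYS='gpg-pubkey-8cd0ba9f-4ef12761
gpg-pubkey-0a1b2c3d-4e000000'    # second entry is a made-up placeholder
PKG=/media/CentOS/Packages/qemu-img-0.12.1.2-2.113.el6.x86_64.rpm
echo "publisher key 8cd0ba9f in rpmdb: $(pubkey_installed 8cd0ba9f "$INSTALLED_KEYS")"
for line in \
    "$PKG: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#8cd0ba9f)" \
    "$PKG: rsa sha1 (md5) pgp md5 OK" \
    "$PKG: sha1 md5 OK"
do gate_install "$line" || :; done
```

In practice the `rpm -K` line would come from `rpm -K "$PKG"` and the key list from `rpm -q gpg-pubkey-*`; the gate then fails a repository build or deployment step instead of silently falling back to gpgcheck=0.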
-----------------------------------
© Copyright belongs to the author: this is an original work by 51CTO blog author qiujichun. Contact the author for permission to republish; otherwise legal action will be pursued.
Signing the RPM packages you build
https://blog.51cto.com/tonychiu/1007588

Category: os
