Signing RPM packages with GPG
RPM package signatures can be used to enforce cryptographic integrity checks on RPM packages.
First, generate a GPG key pair.
During generation you are prompted for a passphrase; Test123 was entered here.
Confirm that the key was generated successfully.
There are two keys here: one that I imported manually, and the other is the newly generated one.
This shows that generating a new key has no effect on the existing keys.
Export the key pair
Export the public key
gpg --export -a 'Test_GPG_Key' > ~/Test_GPG_Key.public
Export the private key
sudo gpg --export-secret-key -a Test_GPG_Key > ~/Test_GPG_Key.private
- Test_GPG_Key: the name of the key created above
- the -a option: export in ASCII-armored format (the default is binary)
Import the public key into the RPM database
Import it into the database
rpm --import ~/Test_GPG_Key.public
List the GPG public keys in the database
$ rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
gpg-pubkey-378aae6a-5afd262f --> gpg(My Corp (Demo) <admin@gmail.com>)
gpg-pubkey-ec2c3f09-5fa8b906 --> gpg(Test_GPG_Key <xtk621@gmail.com>)
The second record is the key that was just imported.
Create the configuration file
Create the configuration file ~/.rpmmacros and write the following content. Note that --passphrase-file expects a file whose first line is the passphrase (Test123 here), not the exported private key, and that GnuPG 2.1 and later only honour it together with --pinentry-mode loopback, which is why the signing run below still launches pinentry:
%_signature gpg
%_gpg_path /home/kyle/.gnupg
%_gpg_name Test_GPG_Key
%_gpgbin /usr/bin/gpg2
%_gpg_digest_algo sha1
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-file /home/kyle/Test_GPG_Key.private --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
Sign the RPM package
$ sudo rpmsign --addsign /tmp/demo-common-8.0.26582-1.d4158c3.dbg.x86_64.rpm
[sudo] password for kyle:
/tmp/demo-common-8.0.26582-1.d4158c3.dbg.x86_64.rpm:
gpg: WARNING: unsafe ownership on homedir '/home/kyle/.gnupg'
gpg: writing to '/tmp/demo-common-8.0.26582-1.d4158c3.dbg.x86_64.rpm.sig'
gpg: pinentry launched (27337 gnome3:curses 1.1.0 /dev/pts/4 xterm-256color -)
gpg: RSA/SHA256 signature from: "C5BE341EEC2C3F09 Test_GPG_Key <xtk621@gmail.com>"
gpg: WARNING: unsafe ownership on homedir '/home/kyle/.gnupg'
gpg: writing to '/tmp/demo-common-8.0.26582-1.d4158c3.dbg.x86_64.rpm.sig'
gpg: RSA/SHA256 signature from: "C5BE341EEC2C3F09 Test_GPG_Key <xtk621@gmail.com>"
Verify the signature
$ rpm -Kv /tmp/demo-common-8.0.26582-1.d4158c3.dbg.x86_64.rpm
/tmp/demo-common-8.0.26582-1.d4158c3.dbg.x86_64.rpm:
Header V4 RSA/SHA256 Signature, key ID ec2c3f09: OK
Header SHA1 digest: OK
Header SHA256 digest: OK
Payload SHA256 digest: OK
V4 RSA/SHA256 Signature, key ID ec2c3f09: OK
MD5 digest: OK
The output contains the key ID ec2c3f09, which is the version field of the public key record in the RPM database (gpg-pubkey-ec2c3f09-5fa8b906).
If the two match, the package was successfully signed with that key.
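rpm -K exits 0 for any signature that validates against any key in the RPM database, so the check described above (the key ID in the output must equal the version of the gpg-pubkey record you trust) is worth scripting. The following is an added example, not code from the original post; verify_rpm_sig_output is an assumed helper name, and the sample text is a constructed copy of the rpm -Kv output shown above.

```shell
#!/bin/sh
# Verify that an RPM is signed by the expected key, not merely "some" key.
# Usage: rpm -Kv /path/to/pkg.rpm | verify_rpm_sig_output ec2c3f09
# The expected key ID is the version part of the gpg-pubkey record from
#   rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release}\n'

# verify_rpm_sig_output EXPECTED_KEYID  (reads rpm -Kv output on stdin)
# Returns 0 only if every check line reads OK and at least one
# "Signature, key ID ..." line carries EXPECTED_KEYID; prints why otherwise.
verify_rpm_sig_output() {
    expected=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v want="$expected" '
        /^[[:space:]]*$/ { next }              # blank lines
        /:[[:space:]]*$/ { next }              # the "path.rpm:" header line
        # Any check that is not OK (NOT OK, NOKEY, MISSING KEYS) fails hard
        !/: OK[[:space:]]*$/ { print "FAIL: " $0; bad = 1; next }
        # Signature lines look like "... Signature, key ID ec2c3f09: OK"
        /Signature, key ID / {
            id = $0
            sub(/.*key ID /, "", id); sub(/:.*/, "", id)
            if (tolower(id) == want) { seen = 1 }
            else { print "FAIL: signed by unexpected key " id; bad = 1 }
        }
        END {
            if (bad) exit 1
            if (!seen) { print "FAIL: no signature from key " want; exit 1 }
            exit 0
        }'
}

# Constructed sample: the rpm -Kv output from this post
SAMPLE_OK='/tmp/demo-common-8.0.26582-1.d4158c3.dbg.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID ec2c3f09: OK
    Header SHA1 digest: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID ec2c3f09: OK
    MD5 digest: OK'

# Constructed sample: a package signed by a key that is not in the database
SAMPLE_NOKEY='/tmp/other.rpm:
    Header V4 RSA/SHA256 Signature, key ID 378aae6a: NOKEY
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK'

printf '%s\n' "$SAMPLE_OK" | verify_rpm_sig_output ec2c3f09 && echo "signed by expected key"
```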