使用 GPG 对RPM包进行签名
RPM软件包签名可用于对RPM软件包实施加密完整性检查。
首先生成 gpg 的密钥对
$ sudo gpg --gen-key
gpg: WARNING: unsafe ownership on homedir '/home/kyle/.gnupg'
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.
GnuPG needs to construct a user ID to identify your key.
Real name: Test_GPG_Key
Email address: xtk621@gmail.com
You selected this USER-ID:
"Test_GPG_Key <xtk621@gmail.com>"
Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key C5BE341EEC2C3F09 marked as ultimately trusted
gpg: directory '/home/kyle/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/kyle/.gnupg/openpgp-revocs.d/88BC92D47D5B82E9D9B6227FC5BE341EEC2C3F09.rev'
public and secret key created and signed.
pub rsa3072 2020-11-09 [SC] [expires: 2022-11-09]
88BC92D47D5B82E9D9B6227FC5BE341EEC2C3F09
uid Test_GPG_Key <xtk621@gmail.com>
sub rsa3072 2020-11-09 [E] [expires: 2022-11-09]
在生成的时候,会输入一个密码,这里输入了 Test123
确认是否已经成功的生成了key
$ gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2022-11-09
/home/kyle/.gnupg/pubring.kbx
--------------------------------
pub rsa4096 2018-05-17 [SC] [expires: 2021-05-16]
BA5138198CCBCA25C3E3818B245C90E9378AAE6A
uid [ unknown] My Corp (Demo) <admin@gmail.com>
sub rsa4096 2018-05-17 [E] [expires: 2021-05-16]
pub rsa3072 2020-11-09 [SC] [expires: 2022-11-09]
88BC92D47D5B82E9D9B6227FC5BE341EEC2C3F09
uid [ultimate] Test_GPG_Key <xtk621@gmail.com>
sub rsa3072 2020-11-09 [E] [expires: 2022-11-09]
这里有两个key,一个是我手动导入的,另外一个是最新成生的.
这说明了新生成一个key,并不会对旧的key有影响.
导出钥匙对
导出公钥
gpg --export -a 'Test_GPG_Key' > ~/Test_GPG_Key.public
导出私钥
sudo gpg --export-secret-key -a Test_GPG_Key > ~/Test_GPG_Key.private
- Test_GPG_Key: 上面创建的key的名字
- 参数-a : 以 ascii 格式导出(默认是二进制)
把公钥导入到 rpm 的数据库内
导入到数据库内
rpm --import ~/Test_GPG_Key.public
列出数据库内的 gpg 公钥
$ rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
gpg-pubkey-378aae6a-5afd262f --> gpg(My Corp (Demo) <admin@gmail.com>)
gpg-pubkey-ec2c3f09-5fa8b906 --> gpg(Test_GPG_Key <xtk621@gmail.com>)
第二条记录就是刚刚导入的记录
生成配置文件
新建配置文件~/.rpmmacros
, 写入以下内容
%_signature gpg
%_gpg_path /home/kyle/.gnupg
%_gpg_name Test_GPG_Key
%_gpgbin /usr/bin/gpg2
%_gpg_digest_algo sha1
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-file /home/kyle/Test_GPG_Key.private --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}'
对 RPM 包进行签名
$ sudo rpmsign --addsign /tmp/demo-common-8.0.26582-1.d4158c3.dbg.x86_64.rpm
[sudo] password for kyle:
/tmp/demo-common-8.0.26582-1.d4158c3.dbg.x86_64.rpm:
gpg: WARNING: unsafe ownership on homedir '/home/kyle/.gnupg'
gpg: writing to '/tmp/demo-common-8.0.26582-1.d4158c3.dbg.x86_64.rpm.sig'
gpg: pinentry launched (27337 gnome3:curses 1.1.0 /dev/pts/4 xterm-256color -)
gpg: RSA/SHA256 signature from: "C5BE341EEC2C3F09 Test_GPG_Key <xtk621@gmail.com>"
gpg: WARNING: unsafe ownership on homedir '/home/kyle/.gnupg'
gpg: writing to '/tmp/demo-common-8.0.26582-1.d4158c3.dbg.x86_64.rpm.sig'
gpg: RSA/SHA256 signature from: "C5BE341EEC2C3F09 Test_GPG_Key <xtk621@gmail.com>"
验证签名
$ rpm -Kv /tmp/demo-common-8.0.26582-1.d4158c3.dbg.x86_64.rpm
/tmp/demo-common-8.0.26582-1.d4158c3.dbg.x86_64.rpm:
Header V4 RSA/SHA256 Signature, key ID ec2c3f09: OK
Header SHA1 digest: OK
Header SHA256 digest: OK
Payload SHA256 digest: OK
V4 RSA/SHA256 Signature, key ID ec2c3f09: OK
MD5 digest: OK
这里有一个Key ID: ec2c3f09, 就是数据库内公钥的version.
如果能对得上,就证明已经签名成功了