Signing RPM packages with GPG

RPM package signing provides a cryptographic integrity check on RPM packages: a consumer can verify that a package was produced by the holder of a known key and has not been altered since.

First, generate a GPG key pair

$ sudo gpg --gen-key

gpg: WARNING: unsafe ownership on homedir '/home/kyle/.gnupg'
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: Test_GPG_Key
Email address: yourname@gc@gmail.com
You selected this USER-ID:
"Test_GPG_Key <yourname@gc@gmail.com>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key C5BE341EEC2C3F09 marked as ultimately trusted
gpg: directory '/home/kyle/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/kyle/.gnupg/openpgp-revocs.d/88BC92D47D5B82E9D9B6227FC5BE341EEC2C3F09.rev'
public and secret key created and signed.

pub   rsa3072 2020-11-09 [SC] [expires: 2022-11-09]
88BC92D47D5B82E9D9B6227FC5BE341EEC2C3F09
uid                      Test_GPG_Key <yourname@gc@gmail.com>
sub   rsa3072 2020-11-09 [E] [expires: 2022-11-09]

During key generation you are prompted for a passphrase; Test123 was entered here.

Confirm that the key was generated successfully

$ gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2022-11-09
/home/kyle/.gnupg/pubring.kbx
--------------------------------
pub   rsa4096 2018-05-17 [SC] [expires: 2021-05-16]
BA5138198CCBCA25C3E3818B245C90E9378AAE6A
uid           [ unknown] My Corp (Demo) <admin@gmail.com>
sub   rsa4096 2018-05-17 [E] [expires: 2021-05-16]

pub   rsa3072 2020-11-09 [SC] [expires: 2022-11-09]
88BC92D47D5B82E9D9B6227FC5BE341EEC2C3F09
uid           [ultimate] Test_GPG_Key <yourname@gc@gmail.com>
sub   rsa3072 2020-11-09 [E] [expires: 2022-11-09]

There are two keys here: one that I imported manually, and the newly generated one.
This shows that generating a new key does not affect keys that already exist in the keyring.

Export the key pair

Export the public key

gpg --export -a 'Test_GPG_Key' > ~/Test_GPG_Key.public

Export the private key

sudo gpg --export-secret-key -a Test_GPG_Key > ~/Test_GPG_Key.private
  • Test_GPG_Key: the name (user ID) of the key created above
  • -a: export in ASCII-armored format (the default is binary)

Import the public key into the RPM database

Import into the database

rpm --import ~/Test_GPG_Key.public

List the GPG public keys held in the database

$ rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
gpg-pubkey-378aae6a-5afd262f --> gpg(My Corp (Demo) <admin@gmail.com>)
gpg-pubkey-ec2c3f09-5fa8b906 --> gpg(Test_GPG_Key <yourname@gc@gmail.com>)

The second entry is the key that was just imported.

Create the configuration file

Create the file ~/.rpmmacros and write the following content into it

%_signature gpg
%_gpg_path /home/kyle/.gnupg
%_gpg_name Test_GPG_Key
%_gpgbin /usr/bin/gpg2
%_gpg_digest_algo sha1
# Note: --passphrase-file reads the passphrase from the first line of the named file, so the
# file must contain the passphrase itself (Test123 above), not the exported private key.
# With GnuPG 2.1+ the option is only honoured together with --pinentry-mode loopback;
# otherwise pinentry prompts interactively, which is what the signing output below shows.
# The explicit --digest-algo sha256 overrides %_gpg_digest_algo.
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-file /home/kyle/Test_GPG_Key.private --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}

Sign the RPM package

$ sudo rpmsign --addsign /tmp/demo-common-1.0.dbg.x86_64.rpm
[sudo] password for kyle:
/tmp/demo-common-1.0.dbg.x86_64.rpm:
gpg: WARNING: unsafe ownership on homedir '/home/kyle/.gnupg'
gpg: writing to '/tmp/demo-common-1.0.dbg.x86_64.rpm.sig'
gpg: pinentry launched (27337 gnome3:curses 1.1.0 /dev/pts/4 xterm-256color -)
gpg: RSA/SHA256 signature from: "C5BE341EEC2C3F09 Test_GPG_Key <yourname@gc@gmail.com>"
gpg: WARNING: unsafe ownership on homedir '/home/kyle/.gnupg'
gpg: writing to '/tmp/demo-common-1.0.dbg.x86_64.rpm.sig'
gpg: RSA/SHA256 signature from: "C5BE341EEC2C3F09 Test_GPG_Key <yourname@gc@gmail.com>"

Verify the signature

First check whether the public key needed to verify the signature is already in the RPM database:

$ rpm -qa gpg-pubkey
gpg-pubkey-378aae6a-60a20603

If it is present and is the key you need, there is no need to import it. Otherwise, import the public key first with the following command:

rpm --import public.gpg

Once the import succeeds, the package can be verified

$ rpm -Kv /tmp/demo-common-1.0.dbg.x86_64.rpm
/tmp/demo-common-1.0.dbg.x86_64.rpm:
Header V4 RSA/SHA256 Signature, key ID ec2c3f09: OK
Header SHA1 digest: OK
Header SHA256 digest: OK
Payload SHA256 digest: OK
V4 RSA/SHA256 Signature, key ID ec2c3f09: OK
MD5 digest: OK

The key ID shown here, ec2c3f09, is the last 8 hex digits of the key's fingerprint (88BC92D47D5B82E9D9B6227FC5BE341EEC2C3F09) and is exactly the version field of the corresponding gpg-pubkey entry in the RPM database (gpg-pubkey-ec2c3f09-5fa8b906).
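As an added example (not part of the original post), a small Python helper that turns the relation above into a check: it derives the rpm key name from a trusted fingerprint, looks for it in `rpm -q gpg-pubkey` output, and parses `rpm -Kv` output so that a package is accepted only when every check is OK and the signature was made by an explicitly trusted key, rejecting NOKEY or BAD results and digest-only (unsigned) packages. The sample outputs are taken from this page or constructed for the test; the NOKEY and BAD statuses are rpm's own result words.

```python
import re

# Fingerprint of the key generated on this page. rpm names an imported key
# gpg-pubkey-<keyid>-<release>, where <keyid> is the last 8 hex digits of the fingerprint.
TRUSTED_FINGERPRINTS = {"88BC92D47D5B82E9D9B6227FC5BE341EEC2C3F09"}

def keyid_from_fingerprint(fpr):
    """Short (32-bit) key ID as rpm and `rpm -Kv` print it: last 8 hex digits, lowercase."""
    return fpr.replace(" ", "")[-8:].lower()

def is_key_imported(rpm_q_output, fpr):
    """True if `rpm -q gpg-pubkey` output lists an entry for this fingerprint's key ID."""
    prefix = "gpg-pubkey-" + keyid_from_fingerprint(fpr) + "-"
    return any(line.strip().startswith(prefix) for line in rpm_q_output.splitlines())

# One per-check line of `rpm -Kv`, e.g. "Header V4 RSA/SHA256 Signature, key ID ec2c3f09: OK"
LINE_RE = re.compile(r"^\s*(?P<check>.+?)(?:, key ID (?P<keyid>[0-9a-f]+))?: (?P<status>.+)$")

def parse_rpm_kv(output):
    """Parse the per-check lines of `rpm -Kv` into (check, keyid or None, status) tuples."""
    results = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            results.append((m["check"], m["keyid"], m["status"]))
    return results

def verify_rpm_kv(output, trusted_fingerprints=TRUSTED_FINGERPRINTS):
    """Accept only if every check is OK and a signature (not just a digest) comes from a
    trusted key. Returns (ok, reason)."""
    trusted_ids = {keyid_from_fingerprint(f) for f in trusted_fingerprints}
    checks = parse_rpm_kv(output)
    if not checks:
        return False, "no rpm -Kv check lines found"
    for check, keyid, status in checks:
        if status != "OK":                     # e.g. NOKEY (key not imported) or BAD
            return False, f"{check} reported {status}"
    signed_by = {keyid for check, keyid, _ in checks if "Signature" in check and keyid}
    if not signed_by:
        return False, "digests only: package carries no signature"
    untrusted = signed_by - trusted_ids
    if untrusted:
        return False, "signed by untrusted key ID(s): " + ", ".join(sorted(untrusted))
    return True, "signed by trusted key ID(s): " + ", ".join(sorted(signed_by))

if __name__ == "__main__":
    page_output = """/tmp/demo-common-1.0.dbg.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID ec2c3f09: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID ec2c3f09: OK"""
    print(verify_rpm_kv(page_output))
```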
