如何给rpm包签名
我们自己制作的rpm包,为了防止被篡改,一般要使用私钥进行签名,然后将公钥公布出去,下载使用软件包的话,可以通过公钥进行验证签名,从而确保文件的原始性。
1.如何给 libmhash-0.9.1-1.src.rpm签名
#cp libmhash-0.9.1-1.src.rpm /usr/src
# cd /usr/src
#rpm -ivh libmhash-0.9.1-1.src.rpm
#cd ~/rpmbuild/SPECS
#rpmbuild -ba libmhash-0.9.1-1.spec
# cd RPMS/X86_64
#cp libmhash....X86_64.rpm /var/www/html
#cd /var/www/html
#gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: keyring `/root/.gnupg/secring.gpg' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1 #选择默认
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) #直接回车
Requested keysize is 2048 bits
Please specify how long the key should be valid.
<0> = key does not expire
d = key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) #0代表永不过期
Key does not expire at all
Is this correct? (y/N) y #确认
GnuPG needs to construct a user ID to identify your key.
Real name: stu180 #姓名
Email address: stu180@163.com #邮箱
Comment: custom #注释
You selected this USER-ID:
"stu180(custom) "
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O #大些字母O,确认
# gpg --list-key #查看公钥和私钥
#echo "%_gpg_name 5CD51EB9(公钥)" >> ~/.rpmmacros #修改rpm宏,使用我们的密钥对
#rpm --resign libmhash....X86_64.rpm #使用私钥进行签名。
#createrepo . 创建yum源。
# gpg --export -a --export 5CD51EB9 -o ~/RPM-GPG-KEY-stu180 导出公钥
#scp ~/RPM-GPG-KEY-stu180 192.168.0.147:/tmp
在stu147
#rpm --import /tmp/RPM-GPG-KEY-stu180
配置yum源
# cat /etc/yum.repos.d/server.repo 添加修改如下
[redhatlinux]
name=redhat
baseurl=http://192.168.0.180/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-stu180
yum clean all
yum makecache
yum -y install libmhash*
可以正常的安装。
2. 对文件进行加密和解密
#echo "linux redhat">stu120.txt
#gpg --import /tmp/RPM-GPG-KEY-stu180 导入180上的公钥
#gpg --encrypt -a -r CD51EB9 stu120.txt
#scp stu120.txt.asc stu180:/tmp
在180上解密
#gpg --decrypt /tmp/stu120.txt.asc