Signing RPM packages

Signing an rpm package with your own key makes it possible to verify the package's integrity. Normally the package is installed only if this check succeeds.

Let's generate a key pair

[root@build ~]# mkdir ~/.gnupg
[root@build ~]# gpg --gen-key
gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: CentOS-5 TOMTEL Key
Email address: vukor@tomtel.ru
Comment: TOMTEL repository for CentOS 5
You selected this USER-ID:
    "CentOS-5 TOMTEL Key (TOMTEL repository for CentOS 5) <vukor@tomtel.ru>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.+++++.+++++.+++++++++++++++.++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.++++++++++++++++++++..++++++++++............>+++++.........................................................................................................>+++++.<+++++...............................................................+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++.++++++++++++++++++++++++++++++..+++++..++++++++++++++++++++..+++++++++++++++++++++++++++++++++++++++++++++.++++++++++.++++++++++...++++++++++++++++++++>..++++++++++>.+++++.................................................................................................................................................................<+++++>+++++............................................+++++^^^
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key ADFAB542 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024D/ADFAB542 2011-11-24
      Key fingerprint = 6ADD 1455 A213 1C06 BB91  AD1F 9ED6 EF2C ADFA B542
uid                  CentOS-5 TOMTEL Key (TOMTEL repository for CentOS 5) <vukor@tomtel.ru>
sub   2048g/D3A5D065 2011-11-24

[root@build ~]# echo "%_signature gpg" > ~/.rpmmacros
[root@build ~]# echo "%_gpg_name CentOS-5 TOMTEL Key" >> ~/.rpmmacros

Sign the package with the key

echo "%_signature gpg" > ~/.rpmmacros                   # tell rpm to sign with gpg
echo "%_gpg_name CentOS-5 TOMTEL Key" >> ~/.rpmmacros   # which key to use (matched against the key's user ID)
rpm --addsign mirror-centos-5-tomtel.noarch.rpm         # add the signature; prompts for the key passphrase

Exporting the public key

The public key is needed to verify the package's integrity.

gpg --export -a "CentOS-5 TOMTEL Key"

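As an added example (not part of the original post), the verification side: a POSIX sh check that rpm actually validated a GPG/PGP signature, rather than merely exiting 0. It assumes the rpm 4.4 (CentOS 5) output format of `rpm -K` shown in the comments, and the key file name `RPM-GPG-KEY-tomtel` is hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post: check that rpm actually
# validated a GPG/PGP signature on a package. `rpm -K` (--checksig) prints
# "sha1 md5 OK" and exits 0 for an UNSIGNED package, so a script that only
# tests the exit status accepts unsigned packages. Parse the status line
# instead. Assumes the rpm 4.4 (CentOS 5) output format, e.g.:
#   pkg.rpm: (sha1) dsa sha1 md5 gpg OK
#   pkg.rpm: sha1 md5 OK
#   pkg.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#adfab542)

# classify_checksig_line LINE
# Prints one of: signed-ok, unsigned, missing-key, bad. Always exits 0.
classify_checksig_line() {
    # Drop the "file.rpm: " prefix so a file name containing "gpg"
    # (e.g. gpg-pubkey-*.rpm) cannot be mistaken for a signature token.
    status=${1#*: }
    # Lower-case so gpg/GPG/pgp/PGP all match.
    status=$(printf '%s' "$status" | tr 'A-Z' 'a-z')
    case "$status" in
        *"missing keys"*)      echo missing-key ;;
        *"not ok"*)            echo bad ;;
        *gpg*" ok"|*pgp*" ok") echo signed-ok ;;
        *" ok")                echo unsigned ;;
        *)                     echo bad ;;
    esac
}

# verify_rpm FILE
# Returns 0 only when rpm reports a validated GPG/PGP signature.
# The signer's public key must be imported first, e.g. (hypothetical
# file name holding the output of gpg --export -a):
#   rpm --import RPM-GPG-KEY-tomtel
verify_rpm() {
    out=$(rpm -K "$1" 2>&1) || true
    result=$(classify_checksig_line "$out")
    echo "$1: $result"
    [ "$result" = signed-ok ]
}
```

A "missing-key" result means the package is signed but the signer's key is not in the rpm database, so the signature has not been checked at all; treat it like an unsigned package.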

For an example of using the signed package, see Repository setup.

blog/2011/11/24-подпись_rpm_пакетов.txt · Last modified: 2011/11/24 14:38 by Антон Бугреев