« RPM/Sign » : différence entre les versions
Aller à la navigation
Aller à la recherche
Aucun résumé des modifications |
Aucun résumé des modifications |
||
| (5 versions intermédiaires par le même utilisateur non affichées) | |||
| Ligne 10 : | Ligne 10 : | ||
First create a hidden directory called '.gnupg' in your home directory | First create a hidden directory called '.gnupg' in your home directory | ||
cd ~ | cd ~ | ||
mkdir .gnupg | mkdir .gnupg | ||
Otherwise, you might get following error message: | Otherwise, you might get following error message: | ||
gpg: failed to create temporary file `/home/tchung/.gnupg/.#lk0x7b49a8.tchung-fc3.5462': No such file or directory | gpg: failed to create temporary file `/home/tchung/.gnupg/.#lk0x7b49a8.tchung-fc3.5462': No such file or directory | ||
gpg: keyblock resource `/home/tchung/.gnupg/secring.gpg': general error | gpg: keyblock resource `/home/tchung/.gnupg/secring.gpg': general error | ||
gpg: failed to create temporary file `/home/tchung/.gnupg/.#lk0x7b4cb0.tchung-fc3.5462': No such file or directory | gpg: failed to create temporary file `/home/tchung/.gnupg/.#lk0x7b4cb0.tchung-fc3.5462': No such file or directory | ||
gpg: keyblock resource `/home/tchung/.gnupg/pubring.gpg': general error | gpg: keyblock resource `/home/tchung/.gnupg/pubring.gpg': general error | ||
== Generate gpg key pair (public key and private key)== | == Generate gpg key pair (public key and private key)== | ||
gpg --gen-key | |||
gpg (GnuPG) 1.2.6; Copyright (C) 2004 Free Software Foundation, Inc. | gpg (GnuPG) 1.2.6; Copyright (C) 2004 Free Software Foundation, Inc. | ||
This program comes with ABSOLUTELY NO WARRANTY. | This program comes with ABSOLUTELY NO WARRANTY. | ||
This is free software, and you are welcome to redistribute it | This is free software, and you are welcome to redistribute it | ||
under certain conditions. See the file COPYING for details. | under certain conditions. See the file COPYING for details. | ||
gpg: keyring `/home/tchung/.gnupg/secring.gpg' created | gpg: keyring `/home/tchung/.gnupg/secring.gpg' created | ||
gpg: keyring `/home/tchung/.gnupg/pubring.gpg' created | gpg: keyring `/home/tchung/.gnupg/pubring.gpg' created | ||
Please select what kind of key you want: | Please select what kind of key you want: | ||
(1) DSA and ElGamal (default) | |||
(2) DSA (sign only) | |||
(4) RSA (sign only) | |||
Your selection? 1 | Your selection? 1 | ||
DSA keypair will have 1024 bits. | DSA keypair will have 1024 bits. | ||
About to generate a new ELG-E keypair. | About to generate a new ELG-E keypair. | ||
minimum keysize is 768 bits | |||
default keysize is 1024 bits | |||
highest suggested keysize is 2048 bits | |||
What keysize do you want? (1024) 1024 | What keysize do you want? (1024) 1024 | ||
Requested keysize is 1024 bits | Requested keysize is 1024 bits | ||
Please specify how long the key should be valid. | Please specify how long the key should be valid. | ||
0 = key does not expire | |||
= key expires in n days | |||
w = key expires in n weeks | |||
m = key expires in n months | |||
y = key expires in n years | |||
Key is valid for? (0) 0 | Key is valid for? (0) 0 | ||
Key does not expire at all | Key does not expire at all | ||
Is this correct (y/n)? y | Is this correct (y/n)? y | ||
You need a User-ID to identify your key; the software constructs the user id | You need a User-ID to identify your key; the software constructs the user id | ||
from Real Name, Comment and Email Address in this form: | from Real Name, Comment and Email Address in this form: | ||
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>" | |||
Real name: Thomas Chung | Real name: Thomas Chung | ||
Email address: tchung@fedoranews.org | Email address: tchung@fedoranews.org | ||
Comment: | Comment: | ||
You selected this USER-ID: | You selected this USER-ID: | ||
"Thomas Chung <tchung@fedoranews.org>" | |||
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O | Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O | ||
You need a Passphrase to protect your secret key. | You need a Passphrase to protect your secret key. | ||
We need to generate a lot of random bytes. It is a good idea to perform | We need to generate a lot of random bytes. It is a good idea to perform | ||
some other action (type on the keyboard, move the mouse, utilize the | some other action (type on the keyboard, move the mouse, utilize the | ||
disks) during the prime generation; this gives the random number | disks) during the prime generation; this gives the random number | ||
generator a better chance to gain enough entropy. | generator a better chance to gain enough entropy. | ||
+++++++++++++.++++++++++++++++++++++++++++++++++++++++++++++++++..+++++ | +++++++++++++.++++++++++++++++++++++++++++++++++++++++++++++++++..+++++ | ||
We need to generate a lot of random bytes. It is a good idea to perform | We need to generate a lot of random bytes. It is a good idea to perform | ||
some other action (type on the keyboard, move the mouse, utilize the | some other action (type on the keyboard, move the mouse, utilize the | ||
disks) during the prime generation; this gives the random number | disks) during the prime generation; this gives the random number | ||
generator a better chance to gain enough entropy. | generator a better chance to gain enough entropy. | ||
++++++++++++++++..++++++++++++++++++++.+++++++++++++++>+++++...+++++^^^ | ++++++++++++++++..++++++++++++++++++++.+++++++++++++++>+++++...+++++^^^ | ||
gpg: /home/tchung/.gnupg/trustdb.gpg: trustdb created | gpg: /home/tchung/.gnupg/trustdb.gpg: trustdb created | ||
public and secret key created and signed. | public and secret key created and signed. | ||
key marked as ultimately trusted. | key marked as ultimately trusted. | ||
pub 1024D/23A254D4 2005-01-06 Thomas Chung <tchung@fedoranews.org> | pub 1024D/23A254D4 2005-01-06 Thomas Chung <tchung@fedoranews.org> | ||
Key fingerprint = 9D71 B237 3AE2 B54A B62D 5DC7 2758 9842 23A2 54D4 | Key fingerprint = 9D71 B237 3AE2 B54A B62D 5DC7 2758 9842 23A2 54D4 | ||
sub 1024g/D08816E2 2005-01-06 | sub 1024g/D08816E2 2005-01-06 | ||
== Now that you've generated gpg keys, you can see the list in your key ring by typing:== | == Now that you've generated gpg keys, you can see the list in your key ring by typing:== | ||
gpg --list-keys | |||
/home/tchung/.gnupg/pubring.gpg | /home/tchung/.gnupg/pubring.gpg | ||
------------------------------- | ------------------------------- | ||
pub 1024D/23A254D4 2005-01-06 Thomas Chung <tchung@fedoranews.org> | pub 1024D/23A254D4 2005-01-06 Thomas Chung <tchung@fedoranews.org> | ||
sub 1024g/D08816E2 2005-01-06 | sub 1024g/D08816E2 2005-01-06 | ||
{{Admon/warning|If you get 'gpg: WARNING: using insecure memory!' message|try 'setuid(root) permission on the gpg binary: <pre>$ sudo chmod 4755 /usr/bin/gpg</pre>}} | |||
If you get 'gpg: WARNING: using insecure memory!' message | |||
try 'setuid(root) permission on the gpg binary: | |||
$ sudo chmod 4755 /usr/bin/gpg | |||
== To extract or export your public key from your key ring to a text file.== | == To extract or export your public key from your key ring to a text file.== | ||
gpg --export -a 'Thomas Chung' > RPM-GPG-KEY-tchung | |||
This file is necessary to import it to your RPM DB and verify a package with gpg key later on. | This file is necessary to import it to your RPM DB and verify a package with gpg key later on. | ||
| Ligne 110 : | Ligne 103 : | ||
== To import your public key to your RPM DB== | == To import your public key to your RPM DB== | ||
sudo rpm --import RPM-GPG-KEY-tchung | |||
Password: | Password: | ||
== Let's verify the list of gpg public keys in RPM DB:== | == Let's verify the list of gpg public keys in RPM DB:== | ||
rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n' | |||
gpg-pubkey-db42a60e-37ea5438 --> gpg(Red Hat, Inc <security@redhat.com>) | gpg-pubkey-db42a60e-37ea5438 --> gpg(Red Hat, Inc <security@redhat.com>) | ||
gpg-pubkey-4f2a6fd2-3f9d9d3b --> gpg(Fedora Project <fedora@redhat.com>) | gpg-pubkey-4f2a6fd2-3f9d9d3b --> gpg(Fedora Project <fedora@redhat.com>) | ||
gpg-pubkey-23a254d4-41ddbc46 --> gpg(Thomas Chung <tchung@fedoranews.org>) | gpg-pubkey-23a254d4-41ddbc46 --> gpg(Thomas Chung <tchung@fedoranews.org>) | ||
== Final step before the signing, configure your ~/.rpmmacros file to include the following:== | == Final step before the signing, configure your ~/.rpmmacros file to include the following:== | ||
%_signature gpg | %_signature gpg | ||
%_gpg_name Thomas Chung | %_gpg_name Thomas Chung | ||
{{Admon/important|gpg_name|'''%_gpg_name''' must be the name of the "user" whose key you wish to use to sign your packages.}} | |||
%_gpg_name | |||
== Now, you're ready to sign your custom RPM package== | == Now, you're ready to sign your custom RPM package== | ||
rpm --addsign gyum-2.0-5.FC3.i386.rpm | |||
Enter pass phrase: | Enter pass phrase: | ||
Pass phrase is good. | Pass phrase is good. | ||
gyum-2.0-5.FC3.i386.rpm: | gyum-2.0-5.FC3.i386.rpm: | ||
{{Admon/note|I've used '--addsign' since this package was not signed before. | {{Admon/note|I've used '--addsign' since this package was not signed before. | ||
| Ligne 147 : | Ligne 134 : | ||
rpm --checksig gyum-2.0-5.FC3.i386.rpm | rpm --checksig gyum-2.0-5.FC3.i386.rpm | ||
gyum-2.0-5.FC3.i386.rpm: (sha1) dsa sha1 md5 gpg OK | gyum-2.0-5.FC3.i386.rpm: (sha1) dsa sha1 md5 gpg OK | ||
{{Admon/tip|To sign a package during it's been built, simply add '--sign': | {{Admon/tip|To sign a package during it's been built, simply add '--sign': | ||
| Ligne 160 : | Ligne 145 : | ||
<references/> | <references/> | ||
{{author|Thomas Chung on 2005-01-06}} | {{author|Thomas Chung on 2005-01-06}} | ||
[[Catégorie:RPM|Sign]] | |||
[[Catégorie:GnuPG|RPM Sign]] | |||
Dernière version du 25 août 2012 à 14:35
How to sign your custom RPM package with GPG Key
Introduction
GnuPG stands for GNU Privacy Guard and is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC 2440. As such, it is aimed to be compatible with PGP from NAI, Inc.
After building your custom RPM package, it's a good idea to sign the package with your own GPG Key to make sure the package is authentic.
In this HOWTO, I'll cover how to generate your own gpg key pair and sign your custom RPM package with that key.
First create a hidden directory called '.gnupg' in your home directory
cd ~ mkdir .gnupg
Otherwise, you might get following error message:
gpg: failed to create temporary file `/home/tchung/.gnupg/.#lk0x7b49a8.tchung-fc3.5462': No such file or directory gpg: keyblock resource `/home/tchung/.gnupg/secring.gpg': general error gpg: failed to create temporary file `/home/tchung/.gnupg/.#lk0x7b4cb0.tchung-fc3.5462': No such file or directory gpg: keyblock resource `/home/tchung/.gnupg/pubring.gpg': general error
Generate gpg key pair (public key and private key)
gpg --gen-key
gpg (GnuPG) 1.2.6; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: keyring `/home/tchung/.gnupg/secring.gpg' created
gpg: keyring `/home/tchung/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
minimum keysize is 768 bits
default keysize is 1024 bits
highest suggested keysize is 2048 bits
What keysize do you want? (1024) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct (y/n)? y
You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Thomas Chung
Email address: tchung@fedoranews.org
Comment:
You selected this USER-ID:
"Thomas Chung <tchung@fedoranews.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++.++++++++++++++++++++++++++++++++++++++++++++++++++..+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++++++++..++++++++++++++++++++.+++++++++++++++>+++++...+++++^^^
gpg: /home/tchung/.gnupg/trustdb.gpg: trustdb created
public and secret key created and signed.
key marked as ultimately trusted.
pub 1024D/23A254D4 2005-01-06 Thomas Chung <tchung@fedoranews.org>
Key fingerprint = 9D71 B237 3AE2 B54A B62D 5DC7 2758 9842 23A2 54D4
sub 1024g/D08816E2 2005-01-06
Now that you've generated gpg keys, you can see the list in your key ring by typing:
gpg --list-keys /home/tchung/.gnupg/pubring.gpg ------------------------------- pub 1024D/23A254D4 2005-01-06 Thomas Chung <tchung@fedoranews.org> sub 1024g/D08816E2 2005-01-06
If you get 'gpg: WARNING: using insecure memory!' message
try 'setuid(root) permission on the gpg binary:
try 'setuid(root) permission on the gpg binary:
$ sudo chmod 4755 /usr/bin/gpg
To extract or export your public key from your key ring to a text file.
gpg --export -a 'Thomas Chung' > RPM-GPG-KEY-tchung
This file is necessary to import it to your RPM DB and verify a package with gpg key later on.
If you're planning to share your custom built RPM packages with others, make sure to have your public key file available online in public so they can verify your custom RPM package.
To import your public key to your RPM DB
sudo rpm --import RPM-GPG-KEY-tchung
Password:
Let's verify the list of gpg public keys in RPM DB:
rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
gpg-pubkey-db42a60e-37ea5438 --> gpg(Red Hat, Inc <security@redhat.com>)
gpg-pubkey-4f2a6fd2-3f9d9d3b --> gpg(Fedora Project <fedora@redhat.com>)
gpg-pubkey-23a254d4-41ddbc46 --> gpg(Thomas Chung <tchung@fedoranews.org>)
Final step before the signing, configure your ~/.rpmmacros file to include the following:
%_signature gpg %_gpg_name Thomas Chung
gpg_name
%_gpg_name must be the name of the "user" whose key you wish to use to sign your packages.
%_gpg_name must be the name of the "user" whose key you wish to use to sign your packages.
Now, you're ready to sign your custom RPM package
rpm --addsign gyum-2.0-5.FC3.i386.rpm Enter pass phrase: Pass phrase is good. gyum-2.0-5.FC3.i386.rpm:
I've used '--addsign' since this package was not signed before.
If you wish to over write and re-sign the package, use '--resign' option
To check the signature, use following option and watch for 'gpg OK'
rpm --checksig gyum-2.0-5.FC3.i386.rpm gyum-2.0-5.FC3.i386.rpm: (sha1) dsa sha1 md5 gpg OK
To sign a package during it's been built, simply add '--sign':
rpmbuild -ba --sign
[1] [2] [3] [4] Signing rpms with gpg by Richard Bos
- ↑ http://www.redhat.com/docs/manuals/RHNetwork/ref-guide/chan-mgmt/3.6/custom-pkgs-digital-sig.html
- ↑ http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/ch-gnupg.html
- ↑ http://www.redhat.com/docs/books/max-rpm/max-rpm-html/ch-rpm-pgp.html
- ↑ http://www.gnupg.org/(en)/documentation/faqs.html
Auteur initial Thomas Chung on 2005-01-06