How to sign rpms with GPG
RPM package signatures can be used to implement cryptographic integrity checks for RPM packages. This approach is end-to-end in the sense that the package build infrastructure at the vendor can use an offline or half-online private key (such as one stored in hardware security module), and the final system which consumes these packages can directly verify the signatures because they are built into the .rpm package files. Intermediates such as proxies and caches (which are sometimes used to separate production servers from the Internet) cannot tamper with these signatures.
The following steps describes the process of generating a GPG key and signing RPMs with the key.
-
First generate a
gpgkey pair on the machine.[root@localhost ~]# gpg --gen-key GnuPG needs to construct a user ID to identify your key. ... Real name: Package Manager Email address: pmanager@example.com Comment: RPM Signing Key You selected this USER-ID: "Package Manager (RPM Signing Key) <pmanager@example.com>" ... gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u pub 2048R/B74246CE 2017-03-22 Key fingerprint = BCE7 1F72 7D86 E857 2B3F 1790 7255 CF3E B742 46CE uid Package Manager (RPM Signing Key) <pmanager@example.com> sub 2048R/D8FA7BFF 2017-03-22 -
Confirm and see the generated key.
[root@localhost ~]# gpg --list-keys /root/.gnupg/pubring.gpg ------------------------ pub 2048R/B74246CE 2017-03-22 uid Package Manager (RPM Signing Key) <pmanager@example.com> sub 2048R/D8FA7BFF 2017-03-22 -
Export the Public key.
[root@localhost ~]# gpg --export -a 'Package Manager' > RPM-GPG-KEY-pmanager [root@localhost ~]# cat RPM-GPG-KEY-pmanager -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2.0.22 (GNU/Linux) mQENBFjSgckBCADob86RSLTExhr8T/P69vz4MjE2EDHUmCN+tFYUaDgmkpZBpU40 Qs6WdOuBUvXevPQfKCj1OaRTouzGGGsvv7W/hHIKZ1IdY5HOXHbHZdkcghnaAGTj VdctgkXyLj+qMI9mvRAMaHiiTbD8AoPsT/uGMeg94R3FhO5hgXDQc5xADhvXU3+8 MzeBmaYxAYRZ65Vc/8XgAPMDK+kIZZ0VQMB0Gzxio2OCMTy7uNg9QOqkYhPuVYh8 GarrP6bZNzeImT8k615/+9rYo9Ys0mY4tq0N4RlZCjhJ/PIMoRjhEgtGe643DXUh EMpk477niWvolaE3PxZjFXRGxQN/VjjWoy9vABEBAAG0OFB1c2hwZW5kcmEgQ2hh dmFuIChSUE0gU2lnbmluZyBLZXkpIDxwY2hhdmFuQHJlZGhhdC5jb20+iQE5BBMB AgAjBQJY0oHJAhsDBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQclXPPrdC Rs4mxwf6AwPEHK3ZWCUTjj9uJlVIM3lU+9F5aFOgns2cY6msR3Y+spOVVkBqq97V v3bgRbhU2W+0RXIRxnyOMn9LrBkcPCjujfPZ7gIBpfrJpOpH26PZEPyVvj07ZRv5 5DFaJgccnr7LKwp22pn8byK1yK5BDZMg6/U9mK5MoRsfmc/fC4I25gT3aIBxV7hj swb7gbNOx3ZzQT7dJwQIFkznpY2XuKAwaZrpZNwttF74xW8oYjXatNsGNSNmNgFh 7rtqAwBWTN54zg+qojk+eX4zMmldpWqvHATlh8cc4Wzj40bBI8Ifaq/QTl0dY3t2 nzd1afgbwx4lTt5VjBQ8KJzSNSn0lbkBDQRY0oHJAQgApsX9jRxstyJMhaQr57Re voOkIT6z6mz8OpdGf2QHiXyVFYiRVv5njDl+hv9jtQ3XNmnInwi/Xs4OL5j6mE8r cetr4ngPowVeCbwqcZeP53S5/K4Klg+7G7Sut1oNQlh7qPbut/glgiu3zqwbl4rO Vs5iMGoQtZazQxHKby611Gka2yky/JSrnVLb7Hxsoe9/yT1+cmeelzv2hZA7cEqx XHykDAoiULepcfau3scUatZexyTNMne3nlLFSnVxz4PRy9/+l0jb2m2lA5Yl9U4G 45JD+FJ/jflcSGW9wFD8B4Sgb8QAhVffbjzHrof0Bbxbxwc5ilYExXBtuSJao1Cd bwARAQABiQEfBBgBAgAJBQJY0oHJAhsMAAoJEHJVzz63QkbOIs4IALXiE2B+I2/D 9//YhHGAXy7VQ3qKZBxuS0zxTHnzD+gLs+xIeCrLKJxpJ3beTxSdBRge/DQUkMXq F/j9vKHFFTf0Hx/IGj2ujdUdQ2ILoTJMsfQXprqPTAJ0t5oPGwIF+fBxmJjQ6DgM YbbQS2qMpK3YFCmKQHZQhwvn3r7jERWZpJr6pYYYkwqhmj1MXIxuJDGDgTH3VZl0 g9FkYYhGy8dU4CFSoRGuTtcVX+VzI8/lU544K1HE7uLwkz40PP+zBpQ3QqxLC2MV voKkk10tyrv3xf+PimsnQmV3GKgfMoRLVTP0pP2YN8SS+aSGNPDwfKWKNkNRNc3/ ZVDQUeETOh4= =aTMv -----END PGP PUBLIC KEY BLOCK----- -
Import the exported public key into
rpmdatabase as follows.[root@localhost ~]# rpm --import RPM-GPG-KEY-pmanager [root@localhost ~]# rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n' gpg-pubkey-fd431d51-4ae0493b --> gpg(Red Hat, Inc. (release key 2) <security@redhat.com>) gpg-pubkey-2fa658e0-45700c69 --> gpg(Red Hat, Inc. (auxiliary key) <security@redhat.com>) gpg-pubkey-b74246ce-58d281c9 --> gpg(Package Manager (RPM Signing Key) <pmanager@example.com>) -
Edit the file
~/.rpmmacrosin order to utilize the key.[root@localhost ~]# vi .rpmmacros [root@localhost ~]# cat .rpmmacros %_signature gpg %_gpg_path /root/.gnupg %_gpg_name Package Manager %_gpgbin /usr/bin/gpg2 -
Verify that the
__gpg_sign_cmdis defined in--showrcoption. Its not required to define this parameter in the~/.rpmmacrosabove since its already defined in default macros unless there is a requirement to tweak the options forgpgsinging command.[root@localhost ~]# rpm --showrc | grep __gpg_sign_cmd -A 5 -13: __gpg_sign_cmd %{__gpg} gpg --no-verbose --no-armor %{?_gpg_digest_algo:--digest-algo %{_gpg_digest_algo}} --no-secmem-warning %{?_gpg_sign_cmd_extra_args:%{_gpg_sign_cmd_extra_args}} -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename} -
Sign the
rpm.[root@localhost ~]# rpm --addsign test-1-0.x86_64.rpm Enter pass phrase: Pass phrase is good. test-1-0.x86_64.rpm: gpg: writing to `/var/tmp/rpm-tmp.JO74Hd.sig' gpg: RSA/SHA256 signature from: "B74246CE Package Manager (RPM Signing Key) <pmanager@example.com>" gpg: writing to `/var/tmp/rpm-tmp.hG5gUG.sig' gpg: RSA/SHA256 signature from: "B74246CE Package Manager (RPM Signing Key) <pmanager@example.com>" [root@localhost ~]# rpm --checksig test-1-0.x86_64.rpm test-1-0.x86_64.rpm: rsa sha1 (md5) pgp md5 OK [root@localhost ~]# rpm -qp --qf '%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{(none)}|}|\n' test-1-0.x86_64.rpm RSA/SHA256, Wed 22 Mar 2017 07:57:29 AM MDT, Key ID 7255cf3eb74246ce -
rpm -Kstill shows generic output becauseSHA1(andMD5) digests are an integral part ofrpmpackages, -
Use the above command in order to confirm the sign algorithm.
Comments