B.2. Digital Signatures for Red Hat Network Packages
B.2.1. Generating a GnuPG Keypair
- Type the following command as the root user on the shell prompt:
gpg --gen-keyGPG Keypairs should not be created by non-root users. The root user can lock memory pages which means the information is never written to disk, unlike non-root users.
- After executing the command to generate a keypair, an introductory screen containing key options similar to the following will appear:
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection?
- Choose the option
1and then press Enter.
- Choose the key size, which is how long the key should be. The longer the key, the more resistant against attacks the messages are. Creating a key of at least 2048 bits in size is recommended.
- The next option will ask to specify how long the key needs to be valid. When choosing an expiration date, remember that anyone using the public key must also be informed of the expiration and supplied with a new public key. It is recommended to not select an expiration date. If an expiration date is not specified, you are asked to confirm your decision:
Key does not expire at all Is this correct (y/n)?
- Press y to confirm your decision.
- Provide a User-ID containing your name, your email address, and an optional comment. Each of these is requested individually. When finished, you are presented with a summary of the information you entered.
- Accept your choices and enter a passphrase.
NoteLike your account passwords, a good passphrase is essential for optimal security in GnuPG. Mix your passphrase with uppercase and lowercase letters, use numbers, and/or include punctuation marks.
- Once you enter and verify your passphrase, the keys are generated. A message similar to the following appears:
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. +++++.+++++.++++++++....++++++++++..+++++.+++++.+++++++.+++++++ +++. ++++++++++++++++++++++++++++++++++++++..........................++++When the activity on the screen ceases, your new keys are placed in the directory
.gnupgin root's home directory. This is the default location of keys generated by the root user.
gpg: key D97D1329 marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 3 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 3u gpg: next trustdb check due at 2013-08-28 pub 2048D/D97D1329 2013-08-27 [expires: 2013-08-28] Key fingerprint = 29C7 2D2A 5F9B 7FF7 6411 A9E7 DE3E 5D0F D97D 1329 uid Your Name<email@example.com> sub 2048g/0BE0820D 2013-08-27 [expires: 2013-08-28]
gpg --export -a 'Your Name' > public_key.txt
yum. Techniques for deploying this key across an organization are covered in the Red Hat Network Client Configuration Guide.
B.2.2. Signing packages
~/.rpmmacrosfile to include the following:
%_signature gpg %_gpg_name B7085C8A
_gpg_namekey ID value of B7085C8A with the key ID from your GPG keyring that you use to sign packages. This value tells RPM which signature to use.
rpm --resign package-name-1.0-1.noarch.rpm
rpm --checksig -v package-name-1.0-1.noarch.rpm
rpm --checksig -vcommand, import the gpg key. See Section B.2.3, “Importing Custom GPG Keys” in the next section for more information.
B.2.3. Importing Custom GPG Keys
cp /some/path/YOUR-RPM-GPG-KEY /var/www/html/pub/
wget -O- -q http://your_proxy_or_sat.your_domain.com/pub/YOUR-RPM-GPG-KEY
-O-option sends results to standard output while the
-qoption sets Wget to run in quiet mode. Remember to replace the YOUR-RPM-GPG-KEY variable with the filename of your key.
rpm --import /path/to/YOUR-RPM-GPG-KEY