B.2. Digital Signatures for Red Hat Network Packages

All packages distributed through Red Hat Network should have a digital signature. A digital signature is created with a unique private key and can be verified with the corresponding public key. After creating a package, the SRPM (Source RPM) and the RPM can be digitally signed with a GnuPG key. Before the package is installed, the public key is used to verify the package was signed by a trusted party and the package has not changed since it was signed.

B.2.1. Generating a GnuPG Keypair

A GnuPG keypair consists of the private and public keys. To generate a keypair:
  1. Type the following command as the root user on the shell prompt:
    gpg --gen-key
    GPG Keypairs should not be created by non-root users. The root user can lock memory pages which means the information is never written to disk, unlike non-root users.
  2. After executing the command to generate a keypair, an introductory screen containing key options similar to the following will appear:
    gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Please select what kind of key you want:
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)
    Your selection?
    
  3. Choose the option 1 and then press Enter.
  4. Choose the key size, which is how long the key should be. The longer the key, the more resistant against attacks the messages are. Creating a key of at least 2048 bits in size is recommended.
  5. The next option will ask to specify how long the key needs to be valid. When choosing an expiration date, remember that anyone using the public key must also be informed of the expiration and supplied with a new public key. It is recommended to not select an expiration date. If an expiration date is not specified, you are asked to confirm your decision:
    Key does not expire at all Is this correct (y/n)?
    
  6. Press y to confirm your decision.
  7. Provide a User-ID containing your name, your email address, and an optional comment. Each of these is requested individually. When finished, you are presented with a summary of the information you entered.
  8. Accept your choices and enter a passphrase.

    Note

    Like your account passwords, a good passphrase is essential for optimal security in GnuPG. Mix your passphrase with uppercase and lowercase letters, use numbers, and/or include punctuation marks.
  9. Once you enter and verify your passphrase, the keys are generated. A message similar to the following appears:
    We need to generate a lot of random bytes. It is a good idea to perform some
    other action (type on the keyboard, move the mouse, utilize the disks)
    during the prime generation; this gives the random number generator a
    better chance to gain enough entropy.
    
    +++++.+++++.++++++++....++++++++++..+++++.+++++.+++++++.+++++++ +++.
    ++++++++++++++++++++++++++++++++++++++..........................++++
    
    When the activity on the screen ceases, your new keys are placed in the directory .gnupg in root's home directory. This is the default location of keys generated by the root user.
To list the root keys, use the command:
gpg --list-keys
The output is similar to the following:
gpg: key D97D1329 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2013-08-28
pub   2048D/D97D1329 2013-08-27 [expires: 2013-08-28]
      Key fingerprint = 29C7 2D2A 5F9B 7FF7 6411  A9E7 DE3E 5D0F D97D 1329
uid                   Your Name<you@example.com>
sub   2048g/0BE0820D 2013-08-27 [expires: 2013-08-28]
To retrieve the public key, use the following command:
gpg --export -a 'Your Name' > public_key.txt
The public key is written to the file public_key.txt.
This public key is quite important. It's the key that must be deployed to all client systems that receive custom software through yum. Techniques for deploying this key across an organization are covered in the Red Hat Network Client Configuration Guide.

B.2.2. Signing packages

Before signing packages, configure the ~/.rpmmacros file to include the following:
%_signature gpg
%_gpg_name B7085C8A
Replace the _gpg_name key ID value of B7085C8A with the key ID from your GPG keyring that you use to sign packages. This value tells RPM which signature to use.
To sign the package package-name-1.0-1.noarch.rpm, use the following command:
rpm --resign package-name-1.0-1.noarch.rpm
Enter your passphrase. To make sure the package is signed, use the following command:
rpm --checksig -v package-name-1.0-1.noarch.rpm

Note

Before running the rpm --checksig -v command, import the gpg key. See Section B.2.3, “Importing Custom GPG Keys” in the next section for more information.
You should see the phrase Good signature from "Your Name" in the output, with Your Name replaced with the name associated with the signing key.

B.2.3. Importing Custom GPG Keys

For customers who plan to build and distribute their own RPMs securely, it is strongly recommended that all custom RPMs are signed using GNU Privacy Guard (GPG). Generating GPG keys and building GPG-signed packages are covered in theSection B.2.1, “Generating a GnuPG Keypair”.
Once the packages are signed, the public key must be deployed on all systems importing these RPMs. This task has two steps: first, create a central location for the public key so that clients may retrieve it, and second, adding the key to the local GPG keyring for each system.
The first step is common and may be handled using the website approach recommended for deploying Red Hat Network client applications. To do this, create a public directory on the Web server and place the GPG public signature in it:
cp /some/path/YOUR-RPM-GPG-KEY /var/www/html/pub/
The key can then be downloaded by client systems using Wget:
wget -O- -q http://your_proxy_or_sat.your_domain.com/pub/YOUR-RPM-GPG-KEY
The -O- option sends results to standard output while the -q option sets Wget to run in quiet mode. Remember to replace the YOUR-RPM-GPG-KEY variable with the filename of your key.
Once the key is available on the client file system, import it into the local GPG keyring. Different operating systems require different methods.
For Red Hat Enterprise Linux 3 or later, use the following command:
rpm --import /path/to/YOUR-RPM-GPG-KEY
Once the GPG key has been successfully added to the client, the system should be able to validate custom RPMs signed with the corresponding key.

Note

When using custom RPMs and channels, always create a custom GPG key for these packages. The location of the GPG key also needs to be added to the Kickstart profile.
The custom GPG key needs to be added to the client systems or the Kickstart installation may fail.