RPM packages we build ourselves are normally signed with a private key to guard against tampering. The public key is then published, so that anyone who downloads and uses the package can verify the signature with it and confirm that the file is the original.
1. Check whether the tool package is installed
# whereis gpg
gpg: /usr/bin/gpg /usr/share/man/man1/gpg.1.gz
# rpm -qf /usr/bin/gpg
gnupg2-2.0.14-4.el6.x86_64
So it is already installed, and is provided by the gnupg package.
2. Take an rpm package we have, qemu-img. It is not signed yet; let's try installing it and see what happens
# yum --disablerepo=\* --enablerepo=c6-media install qemu-img
Loaded plugins: fastestmirror, refresh-packagekit
Loading mirror speeds from cached hostfile
* c6-media:
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package qemu-img.x86_64 2:0.12.1.2-2.113.el6 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
Installing:
qemu-img x86_64 2:0.12.1.2-2.113.el6 c6-media 343 k
Transaction Summary
Install 1 Package(s)
Upgrade 0 Package(s)
Total download size: 343 k
Installed size: 597 k
Is this ok [y/N]: y
Downloading Packages:
Package qemu-img-0.12.1.2-2.113.el6.x86_64.rpm is not signed
Right, it reports that this rpm package is not signed. One workaround is to set gpgcheck=0 in /etc/yum.repos.d/CentOS-Media.repo so that packages are not verified at all, but that is not the result we want.
3. Check whether the system already has a gpg key
# gpg --list-key
No output at all
4. Now begin the signing setup
# gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: keyring `/root/.gnupg/secring.gpg' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 4 #RSA is the more common choice
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) #just press Enter
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) #0 means the key never expires
Key does not expire at all
Is this correct? (y/N) y #confirm
GnuPG needs to construct a user ID to identify your key.
Real name: ecdata #name
Email address: [email protected] #email
Comment: custom #comment
You selected this USER-ID:
"ecdata (custom) <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O #capital letter O, confirm
┌──────────────────────────────────────────────────────┐
│ Enter passphrase                                     │
│                                                      │
│ Passphrase ***********_____________________________  │  (enter the passphrase)
│            <OK>                         <Cancel>     │
└──────────────────────────────────────────────────────┘
│ Please re-enter this passphrase                      │
│ Passphrase ***********_____________________________  │  (enter it again)
can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
At this point move the mouse and type on the keyboard a lot so that enough randomness is gathered, or simply run a command such as du / in another terminal.
gpg: key 8CD0BA9F marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 2048R/8CD0BA9F 2011-12-21
Key fingerprint = 6245 8B36 E982 2920 1A54 BA1C 10DE 1087 8CD0 BA9F
uid ecdata (custom) <[email protected]>
Note that this key cannot be used for encryption. You may want to use
the command "--edit-key" to generate a subkey for this purpose.
Done. At this point you may want to add a "subkey".
# gpg --edit-key ecdata   (ecdata is the name of the key we just created)
Command> help   (help shows that the addkey command is the one we need)
addkey add a subkey
Command> addkey
┌────────────────────────────────────────────────────────────────────────────────────┐
│ Please enter the passphrase to unlock the secret key for the OpenPGP certificate: │
│ "ecdata (custom) <[email protected]>"                                               │
│ 2048-bit RSA key, ID 8CD0BA9F,                                                     │
│ created 2011-12-21.                                                                │
│                                                                                    │
│ Passphrase ***********____________________________________________________________ │
│            <OK>                                              <Cancel>              │
└────────────────────────────────────────────────────────────────────────────────────┘  (this passphrase is what unlocks the secret key from now on)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 6
What keysize do you want? (2048)
Key is valid for? (0) 0
Is this correct? (y/N) y
Really create? (y/N) y
--------------------- move the mouse like crazy (or, if that is tedious, let a loop do the work: # for (( a=1;a<=1000;a++ ));do du /;done )
pub 2048R/8CD0BA9F created: 2011-12-21 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048R/1E6D98D0 created: 2011-12-21 expires: never usage: E
[ultimate] (1). ecdata (custom) <[email protected]>
Command> save
Done.
5. Have a look at the result
/root/.gnupg/pubring.gpg
------------------------
sub 2048R/1E6D98D0 2011-12-21
6. Modify the rpm macros so that our key pair is used:
# echo %_signature gpg >> ~/.rpmmacros
# echo "%_gpg_name ecdata (custom)" >> ~/.rpmmacros
7. Sign an existing rpm package:
# rpm --addsign /media/CentOS/Packages/qemu-img-0.12.1.2-2.113.el6.x86_64.rpm
Enter pass phrase:   (enter the passphrase of the key pair just created)
Pass phrase is good.
/media/CentOS/Packages/qemu-img-0.12.1.2-2.113.el6.x86_64.rpm:
+++++++++ To sign at build time with rpmbuild:
# rpmbuild --sign --ta hello-0.1-1.tar.gz
+++++++++
8. First export the public key generated by gpg to a file, then import that public key file into the RPM database, and finally verify the package with the rpm command.
Without importing the key into the rpm database first, the verification result looks like this
# rpm -K /media/CentOS/Packages/qemu-img-0.12.1.2-2.113.el6.x86_64.rpm
/media/CentOS/Packages/qemu-img-0.12.1.2-2.113.el6.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#8cd0ba9f)
Export the public key to a text file:
# gpg --export -a "ecdata (custom)" > RPM-GPG-KEY-ECDATA
List the public keys already in the rpm database:
# rpm -q gpg-pubkey-*
package gpg-pubkey-* is not installed
# rpm --import RPM-GPG-KEY-ECDATA
# rpm -q gpg-pubkey-*
gpg-pubkey-8cd0ba9f-4ef12761   (this is the key imported in the previous step)
Now verify the RPM package again
# rpm -K /media/CentOS/Packages/qemu-img-0.12.1.2-2.113.el6.x86_64.rpm
/media/CentOS/Packages/qemu-img-0.12.1.2-2.113.el6.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
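The three `rpm -K` outcomes seen in this post (MISSING KEYS before the import, OK after it, and the gpgcheck=0 shortcut rejected in step 2) are worth checking mechanically when a whole repository is being signed. The POSIX sh helper below is an added example, not part of the original post or of the rpm tooling; its sample `rpm -K` lines and repo fragment are constructed from the output shown above, and the "sha1 md5 OK" line stands for an unsigned package, where rpm verifies digests only.

```shell
# Constructed sample output of `rpm -K` (rpm --checksig), modelled on the lines
# shown in the post; these are not captured from a real system.
SAMPLE_RPM_K='/media/CentOS/Packages/qemu-img-0.12.1.2-2.113.el6.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#8cd0ba9f)
/media/CentOS/Packages/qemu-img-0.12.1.2-2.113.el6.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
/tmp/hello-0.1-1.x86_64.rpm: sha1 md5 OK
/tmp/tampered-1.0-1.x86_64.rpm: rsa sha1 (md5) pgp md5 NOT OK'
# Constructed repo fragment showing the shortcut the post rejects (gpgcheck=0).
SAMPLE_REPO='[c6-media]
name=CentOS-$releasever - Media
baseurl=file:///media/CentOS/
gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6'

# classify_sig LINE: print VERIFIED, MISSING_KEY, BAD or UNSIGNED for one rpm -K line.
classify_sig() {
  result=${1#*: }                           # drop the "path: " prefix
  case "$result" in
    *"MISSING KEYS"*) echo MISSING_KEY ;;   # signed, but the signer's key is not imported
    *"NOT OK"*)       echo BAD ;;           # a digest or the signature does not verify
    *)
      # "OK" together with a pgp/rsa/dsa token means the signature verified; a bare
      # "sha1 md5 OK" means rpm only checked digests, so the package carries no signature.
      case "$(printf '%s' "$result" | tr 'A-Z' 'a-z')" in
        *pgp*|*rsa*|*dsa*) echo VERIFIED ;;
        *)                 echo UNSIGNED ;;
      esac ;;
  esac
}

# unverified_count TEXT: number of rpm -K lines that are anything but VERIFIED.
unverified_count() {
  n=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    [ "$(classify_sig "$line")" = VERIFIED ] || n=$((n + 1))
  done <<EOF
$1
EOF
  echo "$n"
}

# repo_gpgcheck_enabled TEXT: succeed only if the repo file sets gpgcheck=1.
repo_gpgcheck_enabled() {
  printf '%s\n' "$1" | grep -qx 'gpgcheck[[:space:]]*=[[:space:]]*1'
}
```

Feeding real output in is just `rpm -K Packages/*.rpm | while read -r l; do classify_sig "$l"; done`, and a repo that fails repo_gpgcheck_enabled will install unsigned packages silently.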
9. Install
# rpm -ivh Packages/qemu-img-0.12.1.2-2.113.el6.x86_64.rpm
Preparing... ########################################### [100%]
1:qemu-img ########################################### [100%]
No warning like the following was reported
warning: qemu-img-0.12.1.2-2.113.el6.x86_64.rpm: Header V3 RSA/SHA1 signature: NOKEY, key ID c0eb63c7
But installing with yum still does not work at this point; continue (note the order)
# cp RPM-GPG-KEY-ECDATA /etc/pki/rpm-gpg/
# createrepo -g repodata/comps.xml .
# cat /etc/yum.repos.d/CentOS-Media.repo   (add or modify as follows)
............................
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ECDATA
# yum clean all
Determining fastest mirrors
c6-media | 1.9 kB 00:00 ...
c6-media/primary | 1.7 MB 00:00 ...
c6-media 3696/3696
======================================================================================================================================
Package Arch Version Repository Size
qemu-img x86_64 2:0.12.1.2-2.113.el6 c6-media 344 k
===========================================================================================================================
Total download size: 344 k
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : 2:qemu-img-0.12.1.2-2.113.el6.x86_64 1/1
Installed:
qemu-img.x86_64 2:0.12.1.2-2.113.el6
Complete!
........ done
10. Continue signing the other custom rpms
# rpm --resign Packages/qemu-kvm-0.12.1.2-2.113.el6.x86_64.rpm
Then again (required)