
Checking Linux digital signatures: RPM verification and digital signatures (Verify/Signature)

RPM verification:

Uses the contents of the RPM database (/var/lib/rpm) to compare against the files of the RPM packages installed on the current Linux system and see whether anything has been changed.

Basic usage:

$rpm -Va # verify every installed RPM package on the system

$rpm -V <installed-package> # verify the named installed package

$rpm -Vf <file> # verify this file (through the package that owns it)

$rpm -Vf /etc/yum.conf

S.5....T. c /etc/yum.conf

$

Now a brief explanation of the verification output. A line of output generally has two parts:

The first part is a 9-character field giving the file's attribute information:

S file Size differs (file size changed)

M Mode differs (includes permissions and file type) (file permissions or type changed)

5 MD5 sum differs (file contents changed)

D Device major/minor number mismatch (device major/minor number changed)

L readLink(2) path mismatch (symlink target changed)

U User ownership differs (file owner changed)

G Group ownership differs (file group changed)

T mTime differs (file modification time changed)

P caPabilities differ

The second part is a single character giving the file type:

c %config configuration file

d %doc documentation file

g %ghost file (the file's contents are normally not included in the package; rarely seen)

l %license license file

r %readme readme file
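To show how the attribute field and type character fit together, here is an added example (not from the original post) that parses `rpm -Va` output and ranks each line by how worrying it is: drift in config files is expected, while a changed digest, mode or ownership on a payload file such as a binary is not. The sample output is constructed; only the /etc/yum.conf line mirrors the result shown above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The nine attribute columns of `rpm -V`, in the order rpm prints them.
FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "link",
         "U": "user", "G": "group", "T": "mtime", "P": "capabilities"}

# Attribute field (or the word "missing"), optional type letter (c/d/g/l/r), then the path.
_LINE = re.compile(r"^(?P<attrs>[SM5DLUGTP.?]{9}|missing)\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)")

# Constructed sample output; the first line is the /etc/yum.conf result shown on the page.
SAMPLE = """\
S.5....T.  c /etc/yum.conf
.......T.    /usr/lib64/libfoo.so.1
S.5....T.    /usr/bin/sshd
missing      /usr/share/doc/pkg/README
.M.......    /usr/bin/passwd
..5......  d /usr/share/doc/pkg/NEWS
"""

@dataclass
class Finding:
    path: str
    ftype: Optional[str]      # c, d, g, l, r, or None for an ordinary payload file
    changed: List[str]        # attribute names that differ from the RPM database
    missing: bool = False
    severity: str = "info"    # info, warn or alert

def classify(f: Finding) -> str:
    """Rank a finding: config/doc drift is expected, a changed binary is not."""
    if f.missing:
        return "warn"
    if f.ftype in ("c", "d", "l", "r"):
        # Admins edit config files; size, digest and mtime alone are informational.
        return "info" if set(f.changed) <= {"size", "digest", "mtime"} else "warn"
    if set(f.changed) - {"mtime"}:
        # Content, mode, ownership, link target, device or capabilities changed.
        return "alert"
    return "warn"  # only the timestamp moved

def parse_line(line: str) -> Optional[Finding]:
    m = _LINE.match(line.strip())
    if not m:
        return None
    attrs = m.group("attrs")
    f = Finding(m.group("path"), m.group("ftype"),
                [] if attrs == "missing" else [FLAGS[c] for c in attrs if c in FLAGS],
                missing=(attrs == "missing"))
    f.severity = classify(f)
    return f

def analyze(output: str) -> List[Finding]:
    return [f for f in (parse_line(l) for l in output.splitlines()) if f]

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"{f.severity:5} {f.path} {','.join(f.changed) or 'missing'}")
```

On a real host, pipe the output of `rpm -Va` into `analyze`; keep in mind that the database it compares against lives on the same disk, so a tampered /var/lib/rpm defeats the check, which is where the package signatures covered next come in.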

RPM digital signatures:

This section mainly covers adding a digital signature when building an RPM; GPG is used here.

First, a brief note on how GPG differs from PGP, taken from the Fedora RPM documentation:

GPG and PGP? Acronyms Explained

The RPM documentation uses GPG and PGP pretty much interchangeably, so much so, in fact, that you may think these are typographical errors. Not so.

PGP stands for Pretty Good Privacy. Invented by Phil Zimmermann, PGP was originally invented to encrypt e-mail to allow for private communication. Based on a public-key cryptography algorithm, PGP also supports encrypted digital signatures. These signatures allow you to verify that a package you have downloaded really comes from the vendor you think it does. You do this by using the vendor’s public key.

GPG stands for GNU Privacy Guard, a free, open-source implementation of PGP from the GNU project. GPG aims to be compatible with the OpenPGP Internet standard as defined in RFC 2440. It started when a number of developers wanted a free implementation. One such free implementation, GPG, allows Linux vendors such as Red Hat to include PGP in their products. So, in a sense, GPG provides PGP.

PGP has a long and somewhat troubled history as an open-source product and as a commercial product. See www.philzimmermann.com for background on PGP and its long history. See www.gnupg.org for more details on GPG.

For generating a signing key by hand, see the official guide: https://www.gentoo.org/doc/zh_cn/gnupg-user.xml. Two points to note:

Before creating the key, make sure gpg-agent is running, because gpg needs it to create a socket or pipe for the connection: $gpg-agent --daemon --use-standard-socket

Do not create the key as a user you have switched to with su; if you do, gpg-agent will fail: gpg-agent fails to launch /usr/bin/pinentry (which in turn decides whether to launch pinentry-curses, or a QT or GTK equivalent).

Once you have the key, you can set the signature macros used when building RPMs. Add the following to $HOME/.rpmmacros:

%_signature gpg

%_gpg_path /home/xxx/.gnupg

%_gpg_name xxx

%_gpgbin /usr/bin/gpg

With that in place, you can add the --sign option when building an RPM package to attach a digital signature.

$rpmbuild -ba --sign xxx.spec

You can also add a digital signature to an existing RPM package.

$rpm --addsign package.rpm

You can also replace the digital signature of an existing RPM package.

$rpm --resign package.rpm

Verifying the digital signature of an RPM package:

$rpm -K -v package.rpm

$rpm -K -vv package.rpm