@Rtoax
Forked from fernandoaleman/rpm-digital-signature.sh
Last active July 8, 2022 05:01
How to sign your custom RPM package with GPG key
# How to sign your custom RPM package with GPG key
# Step: 1
# Generate gpg key pair (public key and private key)
#
# You will be prompted with a series of questions about encryption.
# Simply select the default values presented. You will also be asked
# to create a Real Name, Email Address and Comment (comment optional).
#
# If you get the following response:
# -----------------------------------------------------------------------
# We need to generate a lot of random bytes. It is a good idea to perform
# some other action (type on the keyboard, move the mouse, utilize the
# disks) during the prime generation; this gives the random number
# generator a better chance to gain enough entropy.
# -----------------------------------------------------------------------
# Open up a separate terminal, ssh into your server and run this command:
# ls -R /
gpg --gen-key
# Step: 2
# Verify your gpg keys were created
gpg --list-keys
# Step: 3
# Export your public key from your key ring to a text file.
#
# You will use the information for Real Name and Email you used to
# create your key. I used Fernando Aleman and faleman@email.com
gpg --export -a 'Fernando Aleman' > RPM-GPG-KEY-faleman
# Step: 4
# Import your public key to your RPM DB
#
# If you plan to share your custom built RPM packages with others, make sure
# to have your public key file available online so others can verify RPMs
sudo rpm --import RPM-GPG-KEY-faleman
# Step: 5
# Verify the list of gpg public keys in RPM DB
rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
# Step: 6
# Configure your ~/.rpmmacros file
#
# You can use the following command to edit if you are on the server:
# vi ~/.rpmmacros
#
# %_signature => This will always be gpg
# %_gpg_path => Enter full path to .gnupg in your home directory
# %_gpg_name => Use the Real Name you used to create your key
# %_gpgbin => run `which gpg` (without ` marks) to get full path
%_signature gpg
%_gpg_path /root/.gnupg
%_gpg_name Fernando Aleman
%_gpgbin /usr/bin/gpg
# Step: 7
# Sign your custom RPM package
#
# You can sign each RPM file individually:
rpm --addsign git-1.7.7.3-1.el6.x86_64.rpm
# Or you can `cd` into your RPMS folder and sign them all:
rpm --addsign *.rpm
# Step: 8
# Check the signature to make sure it was signed
#
# Watch for 'gpg OK' as in this example:
# git-1.7.7.3-1.el6.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK
rpm --checksig git-1.7.7.3-1.el6.x86_64.rpm
# Tip!
# Sign package during build
#
# To sign a package while it's being built, simply add '--sign'
rpmbuild -ba --sign git.spec
RPM GPG
荣涛 (Rong Tao) 2022-07-08

Document change log

Date        Change   Author           Notes
2022-07-08  Created  荣涛 (Rong Tao)

Introduction

RPM package signing provides a cryptographic integrity check for RPM packages. The approach is end-to-end: the vendor's package build infrastructure can use an offline or semi-offline private key (for example one stored in a hardware security module), and the end systems that consume the packages can verify the signature directly, because the signature is embedded in the .rpm package file itself. Intermediate devices such as proxies and caches (sometimes used to separate production servers from the Internet) cannot tamper with these signatures.

The steps below describe how to generate a GPG key and use it to sign RPMs.

Command-line overview

# Generate a gpg key pair
$ gpg --gen-key

# View gpg keys
$ gpg --list-keys
$ rpm -qi gpg-pubkey

# Save the public key
$ gpg --export -a 'Rong Tao' > RPM-GPG-KEY-rongtao

# Import the public key
$ sudo rpm --import RPM-GPG-KEY-rongtao

# Sign an rpm package
$ rpm --addsign zstd-1.4.4-1.cl8.x86_64.rpm

# Check the signature
$ rpm --checksig zstd-1.4.4-1.cl8.x86_64.rpm
$ rpm -v --checksig zstd-1.4.4-1.cl8.x86_64.rpm

# Show details (signature algorithm)
$ rpm -q --qf '%{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n' -p zstd-1.4.4-1.cl8.x86_64.rpm

# Remove the rpm signature
$ rpm --delsign zstd-1.4.4-1.cl8.x86_64.rpm

Generating the gpg key

Generate a gpg key pair

$ gpg --gen-key

During the process you will be prompted for a real name and an e-mail address:

$ gpg --gen-key

[... some lines omitted]

Real name: Rong Tao
Email address: rongtao@cestc.cn
You selected this USER-ID:
    "Rong Tao <rongtao@cestc.cn>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? O

[... some lines omitted]

public and secret key created and signed.

pub   rsa2048 2022-07-08 [SC] [expires: 2024-07-07]
      7DD6D1BC7622264D5B0667153F2FA11D3D67D70B
uid                      Rong Tao <rongtao@cestc.cn>
sub   rsa2048 2022-07-08 [E] [expires: 2024-07-07]

View gpg keys

$ gpg --list-keys

The output is:

$ gpg --list-keys
/home/rongtao/.gnupg/pubring.kbx
--------------------------------
pub   rsa2048 2022-07-08 [SC] [expires: 2024-07-07]
      7DD6D1BC7622264D5B0667153F2FA11D3D67D70B
uid           [ultimate] Rong Tao <rongtao@cestc.cn>
sub   rsa2048 2022-07-08 [E] [expires: 2024-07-07]

You can also view the full information with the rpm command:

$ rpm -qi gpg-pubkey

Saving the gpg public key

# 'Rong Tao' is the 'Real name: Rong Tao' entered when the key pair was generated
$ gpg --export -a 'Rong Tao'
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBGLHhywBDACixZALQyorrr4lUCiu/PDmSihI72+1yfN+mPoSu+QdIA1A0GPM
[many lines omitted]
vFdLRyPUBWjvfQib3YTRiQPubV41W6dTq1x0Yj9RxScNoVQmP6SkAOSNI21T7m2Q
wTKwAJxTtn0a3VJ2/SgriLLRYfd4Rg==
=Kv54
-----END PGP PUBLIC KEY BLOCK-----

Save it to a file:

$ gpg --export -a 'Rong Tao' > RPM-GPG-KEY-rongtao

Importing the gpg key

$ sudo rpm --import RPM-GPG-KEY-rongtao
  • List the imported gpg keys
# Brief
$ rpm -q gpg-pubkey
gpg-pubkey-3a9aa709-62ac1c98
gpg-pubkey-3d67d70b-62c786a5

# Details
$ rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
gpg-pubkey-3a9aa709-62ac1c98 --> gpg(My Build Service <obsrun@localhost>)
gpg-pubkey-3d67d70b-62c786a5 --> gpg(Rong Tao <rongtao@cestc.cn>)

Signing the rpm

  • First, so that rpm uses the gpg key, create or edit ~/.rpmmacros with the following contents:
%_signature gpg
%_gpg_path /root/.gnupg
%_gpg_name Rong Tao
%_gpgbin /usr/bin/gpg2
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 0 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}

Items that need to be changed:

  • _gpg_path: change to the path of your own gnupg directory
  • _gpg_name: change to the Real name entered during key generation: Rong Tao
  • --passphrase-fd: the value 3 in the original Red Hat document caused problems; changing it to 0 made it work

Since the macros above had problems, the following set was used instead:

%_signature gpg
%_gpg_path /root/.gnupg
%_gpg_name Rong Tao
%_gpgbin /usr/bin/gpg
  • Sign the rpm package
$ rpm --addsign zstd-1.4.4-1.cl8.x86_64.rpm
  • Check the signature

That is, check whether the package passes the verification performed when installing it on this machine.

$ rpm --checksig zstd-1.4.4-1.cl8.x86_64.rpm

Detailed information can also be shown:

$ rpm -v --checksig zstd-1.4.4-1.cl8.x86_64.rpm
zstd-1.4.4-1.cl8.x86_64.rpm:
    Header V3 RSA/SHA1 Signature, key ID ec6c7238: NOKEY
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA1 Signature, key ID ec6c7238: NOKEY
    MD5 digest: OK
  • Show details (signature algorithm)
$ rpm -q --qf '%{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n' -p zstd-1.4.4-1.cl8.x86_64.rpm

Removing the rpm signature

$ rpm --delsign zstd-1.4.4-1.cl8.x86_64.rpm

Modifying the gpg key

The steps above create the .gnupg directory; the corresponding details are:

# Details
$ rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
gpg-pubkey-3a9aa709-62ac1c98 --> gpg(My Build Service <obsrun@localhost>)
gpg-pubkey-3d67d70b-62c786a5 --> gpg(Rong Tao <rongtao@cestc.cn>)

Problems

1. After signing, the rpm package is broken

# Sign
$ rpm --addsign zstd-1.4.4-1.cl8.x86_64.rpm
zstd-1.4.4-1.cl8.x86_64.rpm:
error: zstd-1.4.4-1.cl8.x86_64.rpm: open failed: Permission denied

# Is the rpm broken??
$ rpm -qpi zstd-1.4.4-1.cl8.x86_64.rpm
error: zstd-1.4.4-1.cl8.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 3d67d70b: BAD
error: zstd-1.4.4-1.cl8.x86_64.rpm: not an rpm package (or package manifest)

# Show details
$ rpm -v --checksig zstd-1.4.4-1.cl8.x86_64.rpm
zstd-1.4.4-1.cl8.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID ba79374d: BAD
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID ba79374d: BAD
    MD5 digest: OK

# Check again after removing the signature
$ rpm --delsign zstd-1.4.4-1.cl8.x86_64.rpm
zstd-1.4.4-1.cl8.x86_64.rpm:

$ rpm -v --checksig zstd-1.4.4-1.cl8.x86_64.rpm
zstd-1.4.4-1.cl8.x86_64.rpm:
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK

Remove the signature and sign again:

$ rpm --delsign zstd-1.4.4-1.cl8.x86_64.rpm
  • Why does this problem occur?
Header V4 RSA/SHA256 Signature, key ID ba79374d: BAD
V4 RSA/SHA256 Signature, key ID ba79374d: BAD

There is a similar problem, Header V4 RSA/SHA1 Signature, key ID 7bd9bf62: BAD, but its cause is different.

It has to be said that the GitHub method (How to sign your custom RPM package with GPG key) was more successful than Red Hat's (How to sign rpms with GPG) and solved this problem.
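The verbose checksig outputs in the "Check the signature" step and in the Problems section differ in a single word per line (OK, NOKEY, BAD, or no Signature line at all), and that word is what decides whether a package may be installed. The following Python is an added example, not code from the gist or from these notes: it reduces `rpm -v --checksig` output to one verdict, flags SHA1 signatures (the reason the .rpmmacros above pass --digest-algo sha256), and `check_rpm` runs rpm itself when it is on PATH. The sample outputs are copied from the notes above.

```python
import re
import subprocess

# Status lines from `rpm -v --checksig`, copied from the notes above:
# the NOKEY case, the BAD case, and the digests-only state left by --delsign.
SAMPLE_NOKEY = """zstd-1.4.4-1.cl8.x86_64.rpm:
    Header V3 RSA/SHA1 Signature, key ID ec6c7238: NOKEY
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA1 Signature, key ID ec6c7238: NOKEY
    MD5 digest: OK
"""
SAMPLE_BAD = SAMPLE_NOKEY.replace("V3 RSA/SHA1", "V4 RSA/SHA256").replace("ec6c7238: NOKEY", "ba79374d: BAD")
SAMPLE_UNSIGNED = "\n".join(l for l in SAMPLE_NOKEY.splitlines() if "Signature" not in l) + "\n"

SIG_RE = re.compile(r"(V\d) (\w+)/(\w+) Signature, key ID ([0-9a-f]+): (\w+)")
DIGEST_RE = re.compile(r"digest: (\w+)")

def classify_checksig(output: str) -> dict:
    """Reduce verbose checksig output to one verdict plus supporting detail."""
    sigs, digests, warnings = [], [], []
    for line in output.splitlines():
        m = SIG_RE.search(line)
        if m:
            ver, pubkey, digest, key_id, status = m.groups()
            sigs.append((key_id, status))
            if digest == "SHA1":
                # SHA1 signatures are rejected by current crypto policies; sign with sha256.
                warnings.append(f"{ver} {pubkey}/SHA1 signature from key {key_id}")
            continue
        m = DIGEST_RE.search(line)
        if m:
            digests.append(m.group(1))
    statuses = [s for _, s in sigs] + digests
    if any(s == "BAD" for s in statuses):
        verdict = "BAD"        # tampered, corrupted, or signed with a mismatched key
    elif not sigs:
        verdict = "UNSIGNED"   # digests only, as after rpm --delsign
    elif any(s == "NOKEY" for s in statuses):
        verdict = "NOKEY"      # signer's public key not imported with rpm --import
    elif all(s == "OK" for s in statuses):
        verdict = "OK"
    else:
        verdict = "UNKNOWN"    # e.g. NOTTRUSTED; treat as not installable
    return {"verdict": verdict, "key_ids": sorted({k for k, _ in sigs}), "warnings": warnings}

def check_rpm(path: str) -> dict:
    """Run rpm itself on a package file and classify the result (needs rpm on PATH)."""
    proc = subprocess.run(["rpm", "-v", "--checksig", path], capture_output=True, text=True)
    return classify_checksig(proc.stdout + proc.stderr)
```

Only an "OK" verdict with an empty warnings list means the package is signed by a key already in the RPM DB with an acceptable digest; NOKEY is fixed by importing the signer's public key, never by installing with signature checks disabled.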

Copyright (C) CESTC Com.