mat*_*tdm 31 rpm packaging cryptography gpg
The cryptographic signature of an RPM can be verified with the rpm -K command. If the signature is in RPM's database and is valid, this returns a string containing gpg (or pgp) and ending in OK.
If the package is unsigned but the checksums are valid, you still get OK, but without the gpg.
If the package is signed but the key is missing from the RPM database, you get (GPG) (in capital letters) and NOT OKAY, followed by (MISSING KEYS: GPG#deadbeef).
This is handy if I want to figure out which key I need to find to make my package installation work.
But what if I want to verify which key in the RPM keyring was used to sign a given package?
小智 32
There is a Signature field listed by rpm -qpi package.rpm, for example:
[vagrant@vm-one ~]$ rpm -qpi puppet-3.7.4-1.el6.noarch.rpm
Name : puppet
Version : 3.7.4
Release : 1.el6
Architecture: noarch
Install Date: (not installed)
Group : System Environment/Base
Size : 6532300
License : ASL 2.0
Signature : RSA/SHA512, Tue 27 Jan 2015 11:17:18 PM UTC, Key ID 1054b7a24bd6ec30
Source RPM : puppet-3.7.4-1.el6.src.rpm
Build Date : Mon 26 Jan 2015 11:48:15 PM UTC
Build Host : tahoe.delivery.puppetlabs.net
Relocations : (not relocatable)
Vendor : Puppet Labs
URL : http://puppetlabs.com
Summary : A network tool for managing many disparate systems
Description :
Puppet lets you centrally manage every important aspect of your system using a
cross-platform specification language that manages all the separate elements
normally aggregated in different files, like users, cron jobs, and hosts,
along with obviously discrete elements like packages, services, and files.
Phi*_*bin 16
rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n'
小智 9
To find out which GPG key in the RPM database signed a particular rpm, do the following:
List all GPG keys in the RPM database:
$ rpm -qa gpg-pubkey*
...
...
gpg-pubkey-b1275ea3-546d1808
...
...
First make sure the rpm in question is signed with a key that is in the RPM database:
$ rpm -K hp/mlnx-en-utils-2.2-1.0.7.0.g0055740.rhel6u4.x86_64.rpm
hp/mlnx-en-utils-2.2-1.0.7.0.g0055740.rhel6u4.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
You are looking for the OK at the end, rather than "NOT OK (MISSING KEYS", which would mean it is signed but the key is not in your RPM database.
Yes, so the rpm we are checking is signed with a key that is in our RPM database.
Then get the Key ID the rpm was signed with:
$ rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n' -p hp/mlnx-en-utils-2.2-1.0.7.0.g0055740.rhel6u4.x86_64.rpm
mlnx-en-utils-2.2-1.0.7.0.g0055740.rhel6u4 RSA/SHA1, Tue Apr 14 12:34:51 2015, Key ID fadd8d64b1275ea3 (none)
Now check whether the last 8 characters of the Key ID (i.e. b1275ea3 in fadd8d64b1275ea3) match any of the 8 characters following gpg-pubkey- in the output of the first command. In this case they do!
Then you have the key in question, so do:
$ rpm -qi gpg-pubkey-b1275ea3-546d1808
In this example you can see that it was HP's key that signed this rpm.
Hope this helps. It took me a while to figure out. :-)
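The manual matching in the answer above can be scripted. The following is an added example, not code from the original thread or from rpm itself: short_key_id and find_pubkey are pure string helpers (names are mine) that can be tested offline, while signing_key_of runs the same rpm queries as the answer, checking the SIGPGP tag first and then SIGGPG, and finishes with rpm -K so a key match is never mistaken for a verified signature.

```shell
#!/bin/sh
# Added example (not from the original thread): automate matching an rpm's
# signing Key ID against the gpg-pubkey packages imported into the RPM database.

# Extract the 16-hex-digit Key ID from a pgpsig string such as
#   "RSA/SHA1, Tue Apr 14 12:34:51 2015, Key ID fadd8d64b1275ea3"
# and print its last 8 digits, lower-cased: the <id> part of the
# gpg-pubkey-<id>-<date> package name. Returns 1 for "(none)" / no Key ID.
short_key_id() {
  id=$(printf '%s\n' "$1" | sed -n 's/.*Key ID \([0-9a-fA-F]\{16\}\).*/\1/p')
  [ -n "$id" ] || return 1
  printf '%s\n' "$id" | cut -c 9-16 | tr 'A-F' 'a-f'
}

# Given the short id and the output of `rpm -qa 'gpg-pubkey*'` (one package
# name per line), print the matching gpg-pubkey package(s); returns 1 if none.
find_pubkey() {
  printf '%s\n' "$2" | grep -i "^gpg-pubkey-$1-"
}

# Report which imported key signed an .rpm file. SIGPGP holds RSA signatures,
# SIGGPG holds DSA ones; the answers above query both.
signing_key_of() {
  rpmfile=$1
  sig=$(rpm -qp --qf '%{SIGPGP:pgpsig}\n' "$rpmfile")
  [ "$sig" != "(none)" ] || sig=$(rpm -qp --qf '%{SIGGPG:pgpsig}\n' "$rpmfile")
  if ! short=$(short_key_id "$sig"); then
    echo "$rpmfile: unsigned (no Key ID in the signature header)"
    return 1
  fi
  if ! pkg=$(find_pubkey "$short" "$(rpm -qa 'gpg-pubkey*')"); then
    echo "$rpmfile: signed with key ...$short, but that key is not imported"
    return 2
  fi
  echo "$rpmfile: signed with $pkg"
  # The gpg-pubkey package's Summary names the key owner.
  rpm -q --qf '%{SUMMARY}\n' "$pkg"
  # A matching key id is not a verified signature: still run rpm -K.
  rpm -K "$rpmfile"
}

# Usage: sh whichkey.sh some-package.rpm
if [ $# -gt 0 ]; then
  signing_key_of "$1"
fi
```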
Issue less <rpm file> and check the Signature entry, for example:
[vagrant@vm-one ~]$ less artifactory-3.5.3.rpm
Name : artifactory
Version : 3.5.3
Release : 30172
Architecture: noarch
Install Date: (not installed)
Group : Development/Tools
Size : 42286184
License : LGPL
Signature : (none)
Source RPM : artifactory-3.5.3-30172.src.rpm
Build Date : Thu 19 Mar 2015 04:47:04 PM UTC
Build Host : artbuild2.jfrog.local
Relocations : (not relocatable)
Vendor : JFrog Ltd.
URL : http://www.jfrog.org
Summary : Binary Repository Manager
Description :
The best binary repository manager around.
-rwxrwxr-x 1 root root 7891 Mar 19 16:47 /etc/init.d/artifactory
drwxr-xr-x 2 artifactartifact 0 Mar 19 16:47 /etc/opt/jfrog/artifactory
-rwxrwx--- 1 artifactartifact 9855 Mar 19 16:47 /etc/opt/jfrog/artifactory/artifactory.config.xml
-rwxrwx--- 1 artifactartifact 11172 Mar 19 16:47 /etc/opt/jfrog/artifactory/artifactory.system.properties
-rwxrwx--- 1 artifactartifact 457 Mar 19 16:47 /etc/opt/jfrog/artifactory/default
-rwxrwx--- 1 artifactartifact 6858 Mar 19 16:47 /etc/opt/jfrog/artifactory/logback.xml
-rwxrwx--- 1 artifactartifact 5470 Mar 19 16:47 /etc/opt/jfrog/artifactory/mimetypes.xml
drwxrwxr-x 2 root root 0 Mar 19 16:47 /opt/jfrog
drwxrwxr-x 2 root root 0 Mar 19 16:47 /opt/jfrog/artifactory/bin
-rwxrwxr-x 1 root root 103424 Mar 19 16:47 /opt/jfrog/artifactory/bin/artifactory-service.exe
-rwxrwxr-x 1 root root 1366 Mar 19 16:47 /opt/jfrog/artifactory/bin/artifactory.bat
-rwxrwxr-x 1 root root 457 Mar 19 16:47 /opt/jfrog/artifactory/bin/artifactory.default
artifactory-3.5.3.rpm