RPM Verification and Digital Signatures (Verify/Signature)



Excerpted from: https://blog.csdn.net/rhel_admin/article/details/32382391

June 19, 2014, 23:17:42

RPM verification:

Uses the contents of the RPM database (/var/lib/rpm) as the baseline and compares the files of each installed package against what is currently on the system, to find out whether they have been altered. The baseline is local: an attacker with root can edit the database, or install a trojaned package so that the database matches it, so rpm -V catches accidents and careless tampering rather than careful tampering. For incident response, verify against the original signed package file instead (rpm -Vp package.rpm) or run the check from a known-good boot medium.


Basic usage:


    $ rpm -Va                        # verify every installed package
    $ rpm -V <installed package>     # verify one installed package
    $ rpm -Vf <file>                 # verify the installed package that owns <file>
    $ rpm -Vf /etc/yum.conf
    S.5....T.  c /etc/yum.conf
    $
A brief explanation of the output. rpm -V prints one line per file that differs from the database (nothing at all when the package is intact), and rpm -Vf reports every changed file of the package that owns the named file, not only that file. Each line has two parts.

The first part is a 9-character field, one position per checked attribute, always in the order SM5DLUGTP. A dot means the attribute matches, a ? means it could not be checked (typically a permission problem when not running as root), and the whole field reads "missing" when the file is gone:

  • S file Size differs: the file size has changed
  • M Mode differs (includes permissions and file type): permissions or file type have changed
  • 5 digest differs: the contents differ from the recorded digest (MD5 on older rpm, SHA-256 on rpm 4.6 and later)
  • D Device major/minor number mismatch: the device major/minor numbers have changed
  • L readLink(2) path mismatch: the symlink target has changed
  • U User ownership differs: the owning user has changed
  • G Group ownership differs: the owning group has changed
  • T mTime differs: the modification time has changed
  • P caPabilities differ: the file capabilities (getcap(8)) have changed

The second part is a one-letter marker for the kind of file (blank for an ordinary file):
  • c %config configuration file
  • d %doc documentation file
  • g %ghost file: the package owns the path but does not ship its contents (log files, sockets, caches); rarely seen in the output
  • l %license license file
  • r %readme readme file

Read the two parts together. S, 5 and T on a c file (as in the /etc/yum.conf line above) is ordinary administrative drift. The same S.5....T. on a file in /usr/bin or /usr/lib64, or an M, U, G or P change on any file (a new setuid bit, a changed owner, added capabilities), is what a tampered or trojaned package looks like and has to be explained, for instance by comparing against the pristine package with rpm -Vp.
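As an added example (not part of the original post), the following script applies these flag meanings to a full rpm -Va dump and sorts each line into a verdict: changes to %config files are expected drift, a changed digest on an ordinary file or any mode/owner/group/capability change is flagged as suspicious, and unreadable or missing entries are kept apart so they are not mistaken for clean. The sample output embedded at the bottom is constructed for the example, not captured from a real host.

```python
"""Triage rpm -V output: separate expected drift from suspicious changes.

Added example (not code from the original post). It parses the lines that
`rpm -Va` prints and gives each file a verdict. The SAMPLE text at the end
is constructed for the example, not captured from a real host.
Usage:  rpm -Va 2>/dev/null | python3 rpmv_triage.py
"""
import re
import sys
from typing import Dict, List, NamedTuple, Optional

# The 9-character status field is printed in the fixed order SM5DLUGTP. A dot
# means the attribute matched, '?' means rpm could not test it (e.g. no read
# permission when run as non-root). "missing" replaces the whole field when
# the path does not exist. The second column is the file-type marker:
# c=%config d=%doc g=%ghost l=%license r=%readme, blank for ordinary files.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{9}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$"
)

# Flags that mean the contents or identity of a file changed. On a %config
# file that is normal administrative drift; on a binary, library or script
# it is what a trojaned package looks like.
CONTENT_FLAGS = frozenset("S5L")
# Flags that mean metadata changed. A new mode (setuid bit), owner/group or
# added capabilities are suspicious on any file, config files included.
META_FLAGS = frozenset("MDUGP")


class Finding(NamedTuple):
    path: str
    attr: str     # 'c', 'd', 'g', 'l', 'r' or '' for an ordinary file
    flags: str    # the letters that differed ('' for missing/unreadable)
    verdict: str  # suspicious | config-drift | doc-changed | mtime-only |
                  # unchanged | missing | ghost | unreadable


def classify(attr: str, flags: str) -> str:
    """Map a file-type marker plus the differing flags to a verdict."""
    changed = set(flags)
    if not changed:
        return "unchanged"          # only printed by rpm -Vv
    if changed & META_FLAGS:
        return "suspicious"
    if attr == "c":
        return "config-drift"       # edited config: S, 5 and T are expected
    if attr in ("d", "l", "r"):
        return "doc-changed"        # little value to an attacker; still odd
    if changed & CONTENT_FLAGS:
        return "suspicious"         # code or data changed under the package
    return "mtime-only"             # e.g. `touch`; content and metadata intact


def parse_line(line: str) -> Optional[Finding]:
    """Parse one rpm -V line; returns None for lines that are not results
    (rpm also prints e.g. 'Unsatisfied dependencies for ...')."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    raw, attr, path = m.group("flags"), m.group("attr") or "", m.group("path")
    if raw == "missing":
        # A %ghost path is owned but never shipped, so its absence is normal.
        return Finding(path, attr, "", "ghost" if attr == "g" else "missing")
    if "?" in raw:
        return Finding(path, attr, "", "unreadable")   # re-run as root
    flags = raw.replace(".", "")
    return Finding(path, attr, flags, classify(attr, flags))


def triage(output: str) -> Dict[str, List[Finding]]:
    """Group every finding in a full rpm -Va dump by verdict."""
    groups: Dict[str, List[Finding]] = {}
    for line in output.splitlines():
        finding = parse_line(line)
        if finding is not None:
            groups.setdefault(finding.verdict, []).append(finding)
    return groups


# Constructed sample of rpm -Va output (not a real capture).
SAMPLE = """\
S.5....T.  c /etc/yum.conf
.......T.    /usr/lib64/libz.so.1.2.11
S.5....T.    /usr/bin/ssh
.M.......    /usr/bin/passwd
missing     /usr/share/doc/bash/README
missing   g /var/log/wtmp
..?......    /etc/shadow
SM5DLUGTP  c /etc/hosts
Unsatisfied dependencies for foo-1.0-1.x86_64: bar is needed by foo
"""

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for verdict, items in sorted(triage(text).items()):
        for f in items:
            print(f"{verdict:13} {f.flags or '-':9} {f.attr or '-'} {f.path}")
```

Run it as root, otherwise files such as /etc/shadow come back as unreadable rather than verified. A "suspicious" verdict is a starting point, not a conclusion: a changed digest on a binary can also come from prelink or a locally rebuilt file, so the next step is rpm -Vp against the pristine package and a look at who changed the file and when.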

RPM digital signatures:

This part covers adding a digital signature when building an RPM; GPG is used for it.

First a brief note on how GPG differs from PGP, taken from the Fedora_RPM_documentation:

GPG and PGP? Acronyms Explained
The RPM documentation uses GPG and PGP pretty much interchangeably, so much so, in fact, that you may think these are typographical errors. Not so.
PGP stands for Pretty Good Privacy. Invented by Phil Zimmermann, PGP was originally invented to encrypt e-mail to allow for private communication. Based on a public-key cryptography algorithm, PGP also supports encrypted digital signatures. These signatures allow you to verify that a package you have downloaded really comes from the vendor you think it does. You do this by using the vendor’s public key.
GPG stands for GNU Privacy Guard, a free, open-source implementation of PGP from the GNU project. GPG aims to be compatible with the OpenPGP Internet standard as defined in RFC 2440. It started when a number of developers wanted a free implementation. One such free implementation, GPG, allows Linux vendors such as Red Hat to include PGP in their products. So, in a sense, GPG provides PGP.
PGP has a long and somewhat troubled history as an open-source product and as a commercial product. See www.philzimmermann.com for background on PGP and its long history. See www.gnupg.org for more details on GPG.

For generating the key pair by hand see the Gentoo GnuPG user guide: https://www.gentoo.org/doc/zh_cn/gnupg-user.xml. Two things to watch:

  1. Before creating the key, make sure gpg-agent is running, because it creates the socket (or pipe) used for the connection: $ gpg-agent --daemon --use-standard-socket (GnuPG 2.1 and later start the agent on demand and always use the standard socket, so this step only matters with older gpg.)
  2. Do not create the key as a user you switched to with su; if you do, gpg-agent fails to launch /usr/bin/pinentry (which in turn decides whether to launch pinentry-curses, or a QT or GTK equivalent). The usual cause is that after su the terminal still belongs to the original user and GPG_TTY is not set for the new one.
Once the key exists, you can set the signing macros that rpm uses when building a package. Add the following to $HOME/.rpmmacros:

    %_signature gpg
    %_gpg_path /home/xxx/.gnupg
    %_gpg_name xxx <email address>
    %_gpgbin /usr/bin/gpg

%_gpg_path is passed to gpg as --homedir and %_gpg_name as -u, so the name must match a user ID of a secret key in that keyring or gpg refuses to sign. %_gpgbin is the macro name used by the Fedora RPM Guide; current rpm reads the path of the gpg binary from %__gpg (two underscores) instead.


With that in place, add --sign when building the package to attach a signature:

$ rpmbuild -ba --sign xxx.spec

(RPM 4.14 and later no longer accept rpmbuild --sign; build first and sign the resulting package with rpmsign --addsign, which reads the same macros.)


A signature can also be added to an existing RPM:

$ rpm --addsign package.rpm


Or the signature of an existing RPM can be replaced:

$ rpm --resign package.rpm

(--resign drops any existing signature before signing; on current rpm both options are handled by rpmsign and both replace an existing signature.)


Verifying the digital signature of an RPM package

    $ rpm -K -v package.rpm
    $ rpm -K -vv package.rpm

-K is the same as --checksig. Three points a practitioner should keep in mind:
  1. rpm can only verify a signature against public keys that have been imported into its database. Import the vendor key first (rpm --import RPM-GPG-KEY-...) and list what is already imported with rpm -q gpg-pubkey. Until then the signature lines read NOKEY and the package is reported NOT OK; that is not a pass, and importing a key fetched from the same untrusted download location proves nothing.
  2. An unsigned package passes -K. rpm then checks only the header and payload digests, so the verbose output shows digest lines but no "Signature, key ID" line. Digests detect corruption, not substitution; treat a missing signature as a failure whenever the package is supposed to come from a signed source.
  3. Installing does not replace this check: rpm -i/-U only warns when the signing key is unknown (NOKEY) and installs anyway, and yum/dnf enforce signatures only for repositories with gpgcheck=1.
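As an added example (not part of the original post), this script gates on rpm -Kv output the way a repository ingestion or deployment step should: a package passes only when every signature line verifies OK with a key ID on an allowlist, while NOKEY, a missing signature or a failed digest all fail. The package names, key IDs and output are constructed for the example; the line layout follows what rpm 4.8 through 4.14 print ("... Signature, key ID <id>: <status>"). Older rpm prints a different layout that the regex does not match, in which case the package is reported as unsigned, which is the safe direction to fail.

```python
"""Interpret `rpm -K -v` output strictly.

Added example (not code from the original post). rpm -K reports OK for a
signature only when the signer's public key has been imported with
`rpm --import`; an unknown key shows as NOKEY, and an unsigned package
prints digest lines only, which are all OK. This parser treats both as
failures and pins the key ID to an allowlist. The output samples and key
IDs are constructed for the example (line layout as printed by rpm 4.8
through 4.14: "... Signature, key ID <id>: <status>").
Usage:  rpm -Kv *.rpm | python3 checksig_gate.py
"""
import re
import sys
from typing import Dict, List, NamedTuple, Set, Tuple

PKG_RE = re.compile(r"^(?P<pkg>\S.*\.rpm):\s*$")
# "    Header V3 RSA/SHA256 Signature, key ID 0a1b2c3d: OK"
SIG_RE = re.compile(
    r"^\s+(?:Header )?V\d+ \S+ Signature, key ID (?P<kid>[0-9a-fA-F]+): (?P<status>\w+)"
)
# "    Header SHA1 digest: OK (...)", "    MD5 digest: BAD Expected(...) != (...)"
DIG_RE = re.compile(r"^\s+\S.* digest: (?P<status>\w+)")


class Result(NamedTuple):
    package: str
    verdict: str       # signed-ok | untrusted-key | nokey | bad | unsigned | digest-bad
    key_ids: Set[str]  # lower-case short key IDs seen on signature lines


def split_blocks(output: str) -> Dict[str, List[str]]:
    """rpm -Kv prints 'name.rpm:' followed by indented result lines; group them."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in output.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group("pkg")
            blocks[current] = []
        elif current is not None and line.strip():
            blocks[current].append(line)
    return blocks


def judge(lines: List[str], trusted_key_ids: Set[str]) -> Tuple[str, Set[str]]:
    """Return (verdict, key_ids) for one package's result lines."""
    sigs = [m for m in map(SIG_RE.match, lines) if m]
    digests = [m for m in map(DIG_RE.match, lines) if m]
    kids = {m.group("kid").lower() for m in sigs}
    statuses = {m.group("status").upper() for m in sigs}
    if any(m.group("status").upper() != "OK" for m in digests):
        return "digest-bad", kids      # header/payload altered or truncated
    if not sigs:
        return "unsigned", kids        # digests alone say nothing about origin
    if statuses & {"NOKEY", "NOTTRUSTED"}:
        return "nokey", kids           # signer's key not imported: not a pass
    if statuses != {"OK"}:
        return "bad", kids             # signature present but does not verify
    if not kids <= {k.lower() for k in trusted_key_ids}:
        return "untrusted-key", kids   # valid signature, but not a key we expect
    return "signed-ok", kids


def parse_checksig(output: str, trusted_key_ids: Set[str]) -> List[Result]:
    results = []
    for pkg, lines in split_blocks(output).items():
        verdict, kids = judge(lines, trusted_key_ids)
        results.append(Result(pkg, verdict, kids))
    return results


def all_trusted(output: str, trusted_key_ids: Set[str]) -> bool:
    """True only if at least one package was checked and every one passed.
    A file rpm rejects outright ('not an rpm package') produces no block at
    all, so a caller should also compare the result count with its input."""
    results = parse_checksig(output, trusted_key_ids)
    return bool(results) and all(r.verdict == "signed-ok" for r in results)


# Constructed rpm -Kv output (not a real capture); 0a1b2c3d plays the
# vendor key that has been imported with `rpm --import`.
TRUSTED = {"0a1b2c3d"}
SAMPLE_GOOD = """\
good-1.0-1.el7.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 0a1b2c3d: OK
    Header SHA1 digest: OK (2d8e1a6f...)
    V3 RSA/SHA256 Signature, key ID 0a1b2c3d: OK
    MD5 digest: OK (9a5e0c47...)
"""
SAMPLE_MIXED = SAMPLE_GOOD + """\
unsigned-2.0-1.x86_64.rpm:
    Header SHA1 digest: OK (1c3f9b20...)
    MD5 digest: OK (4bd07e11...)
thirdparty-0.1-1.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID 4e5f6071: NOKEY
    Header SHA1 digest: OK (77aa3c58...)
    V3 RSA/SHA256 Signature, key ID 4e5f6071: NOKEY
    MD5 digest: OK (88bb14d9...)
tampered-1.0-1.el7.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 0a1b2c3d: OK
    Header SHA1 digest: OK (2d8e1a6f...)
    V3 RSA/SHA256 Signature, key ID 0a1b2c3d: BAD
    MD5 digest: BAD Expected(9a5e0c47...) != (00000000...)
"""

if __name__ == "__main__":
    text = SAMPLE_MIXED if sys.stdin.isatty() else sys.stdin.read()
    for r in parse_checksig(text, TRUSTED):
        kids = ",".join(sorted(r.key_ids)) or "-"
        print(f"{r.verdict:14} {kids:10} {r.package}")
    sys.exit(0 if all_trusted(text, TRUSTED) else 1)
```

The key ID rpm prints is the 32-bit short ID, so the allowlist is a sanity check on which imported key signed the package, not a substitute for controlling what gets imported with rpm --import in the first place.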

