RPM is the standard for installing and managing software on Red Hat and SUSE. Package managers built on top of it, such as Yum and Zypper, make installing software packages easy. However, RPM can be risky, because scripts inside a package are executed automatically with root permissions during installation. Therefore, make sure that the RPM packages you use are trustworthy. If you create RPM packages yourself, it is a good idea to sign them with a GNU Privacy Guard (GnuPG or GPG) key.
GPG uses public/private key pairs to provide confidentiality and authenticity. You can use them to encrypt files, or to verify that a message really carries a digital signature from the sender it claims to come from. The same keys can also be used to sign RPM packages.
When an RPM package is signed, its creator signs it with a private GPG key. The signature can then be checked against the matching public GPG key, which should be published and made available to the users who install the package. If the signature matches the public GPG key, the user downloading the package gets a guarantee that it was signed by the key that is distributed with it. This procedure is very convenient, but it does not provide a 100% guarantee: if the server that provides the packages is compromised, both the RPM package and the key may be forged. Signing packages still improves security, because an attacker has to carry out two separate compromises (forging the package and replacing the key) before a forged package is accepted.
If you want to provide signed RPM packages, you need to perform the following steps:
1. Create a GPG key pair.
This generates a general-purpose key pair. To create a key, run the gpg --gen-key command and specify the key attributes. Before the key can be generated, some random data has to be collected, so create some disk activity to speed up the key generation process. The following is the result of the gpg --gen-key command:
gpg: key 455F7CBF marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
pub   1024R/455F7CBF 2011-04-07
      Key fingerprint = 4C78 4A47 1B84 E769 4ADD C43D 31DA C76F 455F 7CBF
uid                  Sander van Vugt
sub   1024R/68D74CDD 2011-04-07
2. Now that you have a key pair, you need its key ID in order to create a key file.
The key ID is shown in the pub line of the gpg command output. In the preceding example, the key ID is 455F7CBF. The following command exports the public key to a file in the home directory of the current user; this is the file users will need to verify the signature:
gpg -a -o ~/RPM-GPG-KEY-test --export 455F7CBF
3. Next, in the same user's home directory, you must create a .rpmmacros file with the following content:
%_gpg_name 455F7CBF
4. In this step, you sign the package.
The following command signs the RPM package that was created in the RPM build directory:
rpm --resign ~/rpmbuild/RPMS/x86_64/test-1.0-1.fc14.x86_64.rpm
5. At this point you have a signed package and a public key that users can use to verify the integrity of the package.
You need to publish the key together with the signed package. However, you should test it first. The following two commands perform a local test. The first imports the GPG public key into the RPM database, and the second uses yum localinstall to install the package without needing a repository.
rpm --import ~/RPM-GPG-KEY-test
yum localinstall ~/rpmbuild/RPMS/x86_64/test-1.0-1.fc14.x86_64.rpm
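The five steps above, collected into one shell script, as an added example that is not part of the original article. It assumes gpg 2.1 or later and rpm are installed, that the package path and key owner name are placeholders, and that the key is generated unattended with gpg --batch --gen-key instead of the interactive gpg --gen-key. It also adds the check a packager should run before publishing: rpm -K prints "OK" for an unsigned package too, because it verifies the digests on their own, so the script only accepts output that reports a PGP/GPG signature.

```shell
#!/bin/sh
# Added example (not from the original article). Assumptions: gpg >= 2.1 and
# rpm are installed; PKG is a placeholder path; the key parameters are a
# constructed sample. Importing the key and yum localinstall require root.
set -eu

PKG="${HOME}/rpmbuild/RPMS/x86_64/test-1.0-1.fc14.x86_64.rpm"   # placeholder
PUBKEY="${HOME}/RPM-GPG-KEY-test"

# Constructed sample of `gpg --with-colons --list-keys` output for the key in
# the article (long key ID = last 16 hex digits of the fingerprint).
SAMPLE_LISTING='pub:u:1024:1:31DAC76F455F7CBF:1302134400:::u:::scESC:
fpr:::::::::4C784A471B84E7694ADDC43D31DAC76F455F7CBF:
uid:u::::1302134400::CONSTRUCTED::Sander van Vugt:'

# Step 1: create a key pair without prompts (%no-protection needs gpg >= 2.1;
# a real signing key should have a passphrase).
create_key() {
    gpg --batch --gen-key <<'EOF'
Key-Type: RSA
Key-Length: 2048
Name-Real: Example Packager
Name-Email: packager@example.invalid
%no-protection
%commit
EOF
}

# Step 2: read the key ID from gpg's machine-readable listing; in --with-colons
# output the 5th field of a "pub" record is the key ID.
key_id_from_listing() {
    awk -F: '$1 == "pub" { print $5; exit }'
}

current_key_id() {
    gpg --with-colons --list-keys | key_id_from_listing
}

export_public_key() {
    gpg -a -o "$PUBKEY" --export "$1"
}

# Step 3: tell rpm which key to sign with via ~/.rpmmacros ($2 is the file).
write_rpmmacros() {
    printf '%%_gpg_name %s\n' "$1" > "$2"
}

# Step 4: sign the package.
sign_package() {
    rpm --resign "$1"
}

# Step 5 check: accept only a line that ends in "OK" AND mentions a signature
# ("pgp" on rpm 4.x, "signatures" on rpm >= 4.14). An unsigned package yields
# "sha1 md5 OK" / "digests OK", a missing key yields "NOT OK (MISSING KEYS...)".
signature_verified() {
    case "$1" in
        *"NOT OK"*) return 1 ;;
        *pgp*OK|*gpg*OK|*signatures*OK) return 0 ;;
        *) return 1 ;;
    esac
}

verify_package() {
    out="$(rpm -K "$1")"
    echo "$out"
    signature_verified "$out"
}

# The article's local test: import the public key, then install from a file.
local_install_test() {
    rpm --import "$PUBKEY"
    yum -y localinstall "$1"
}

main() {
    create_key
    id="$(current_key_id)"
    export_public_key "$id"
    write_rpmmacros "$id" "${HOME}/.rpmmacros"
    sign_package "$PKG"
    local_install_test "$PKG"
    verify_package "$PKG"
}

# Run the full workflow only when asked, so the helpers can be tested on a
# machine without gpg/rpm:  sh sign-rpm.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

The --with-colons listing is used instead of the human-readable pub line because its layout is stable across gpg versions, whereas the key ID moved to a separate line in the default output of newer gpg releases.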