RPM驗證與數字簽名(Verify/Signature)

Source: https://blog.csdn.net/rhel_admin/article/details/32382391

2014-06-19 23:17:42


RPM verification:

Verification compares the files of the RPM packages installed on the Linux system against what was recorded in the RPM database (/var/lib/rpm), to find out whether any file has been changed since it was installed.


Basic usage:

  $rpm -Va                     # verify every installed RPM package
  $rpm -V <installed package>  # verify the specified package
  $rpm -Vf <file>              # verify the package that owns this file
  $rpm -Vf /etc/yum.conf
  S.5....T.  c /etc/yum.conf
  $
A brief explanation of the verification output: each line generally has two parts.

A nine-character field giving the result of nine attribute checks on the file (a "." means that attribute is unchanged):

  • S file Size differs: the file size has changed
  • M Mode differs (includes permissions and file type): the file's permissions or type have changed
  • 5 MD5 sum differs: the file's content digest has changed
  • D Device major/minor number mismatch: the device major/minor numbers have changed
  • L readLink(2) path mismatch: the symlink target has changed
  • U User ownership differs: the file's owner has changed
  • G Group ownership differs: the file's group has changed
  • T mTime differs: the file's modification time has changed
  • P caPabilities differ: the file's capabilities have changed
A character indicating the file type:
  • c %config configuration file: a configuration file
  • d %doc documentation file: a documentation file
  • g %ghost file: a file owned by the package whose content is not shipped in it; rarely seen
  • l %license license file: a license file
  • r %readme readme file: a readme file
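As an added example (not from the original post), here is a small POSIX shell function that triages rpm -V output using the attribute and type characters described above: edits to config and doc files are expected, while a digest, mode, owner, group or link change on any other file is flagged for investigation. The sample output lines are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not part of the original post): triage the per-file lines
# that `rpm -Va` / `rpm -V <pkg>` print. The input lines below are constructed.

# Each line is: <9-char attribute field> [type char] <path>, or
# "missing [type char] <path>" when the file is absent. "." means unchanged.
classify_rpm_verify() {
    awk '
    # a missing file has no attribute field at all
    $1 == "missing" { print "MISSING " $NF; next }
    {
        attrs = $1
        type = (NF == 3) ? $2 : ""
        path = $NF
        # config (c) and doc (d) files are expected to be edited locally
        if (type == "c" || type == "d") { print "EXPECTED " path; next }
        # digest, mode, owner, group or link target changed on a non-config
        # file: the content or its protection differs, so investigate
        if (attrs ~ /[5MUGL]/) { print "SUSPICIOUS " path; next }
        # only size/mtime/device differ: usually benign, review at low priority
        print "LOW " path
    }'
}

# Constructed sample of rpm -Va output (not from a real system)
sample_rpm_verify_output() {
    printf '%s\n' \
        'S.5....T.  c /etc/yum.conf' \
        '..5....T.    /usr/bin/ls' \
        '.M.......    /usr/bin/passwd' \
        '.......T.    /usr/share/zoneinfo/UTC' \
        'missing      /usr/lib64/libexample.so.1' \
        'SM5DLUGTP  d /usr/share/doc/example/README'
}

# Returns the classification assigned to one sample path
classify_path() {
    sample_rpm_verify_output | classify_rpm_verify | awk -v p="$1" '$2 == p { print $1 }'
}

sample_rpm_verify_output | classify_rpm_verify
```

On a real host, replace the sample function with `rpm -Va | classify_rpm_verify` and compare the SUSPICIOUS set against a known-good baseline.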

RPM digital signatures:

This section covers adding a digital signature when building an RPM; GPG is used here.

A brief note on how GPG differs from PGP, taken from the Fedora RPM documentation:

GPG and PGP? Acronyms Explained
The RPM documentation uses GPG and PGP pretty much interchangeably, so much so, in fact, that you may think these are typographical errors. Not so.
PGP stands for Pretty Good Privacy. Invented by Phil Zimmermann, PGP was originally invented to encrypt e-mail to allow for private communication. Based on a public-key cryptography algorithm, PGP also supports encrypted digital signatures. These signatures allow you to verify that a package you have downloaded really comes from the vendor you think it does. You do this by using the vendor's public key.
GPG stands for GNU Privacy Guard, a free, open-source implementation of PGP from the GNU project. GPG aims to be compatible with the OpenPGP Internet standard as defined in RFC 2440. It started when a number of developers wanted a free implementation. One such free implementation, GPG, allows Linux vendors such as Red Hat to include PGP in their products. So, in a sense, GPG provides PGP.
PGP has a long and somewhat troubled history as an open-source product and as a commercial product. See www.philzimmermann.com for background on PGP and its long history. See www.gnupg.org for more details on GPG.

For generating a signing key by hand, see the GnuPG user guide on the Gentoo site: https://www.gentoo.org/doc/zh_cn/gnupg-user.xml. Two things to note:

  1. Make sure gpg-agent is running before creating the key, because it needs to create a socket or pipe for the connection: $gpg-agent --daemon --use-standard-socket
  2. Do not create the key as a user you switched to with su; if you do, gpg-agent will fail: gpg-agent fails to launch /usr/bin/pinentry (which in turn decides whether to launch pinentry-curses, or a QT or GTK equivalent).
Once you have a signing key, set the signing macros used when building RPMs. Add the following to $HOME/.rpmmacros:

  %_signature gpg
  %_gpg_path /home/xxx/.gnupg
  %_gpg_name xxx <email address>
  %_gpgbin /usr/bin/gpg


You can then pass the --sign option when building the package to add a digital signature.

$rpmbuild -ba --sign xxx.spec


You can also add a digital signature to an existing RPM package.

$rpm --addsign package.rpm


You can also replace the digital signature on an existing RPM package.

$rpm --resign package.rpm


Verify the digital signature of an RPM package:

  $rpm -K -v package.rpm
  $rpm -K -vv package.rpm