RPM verification:
Use the contents of the RPM database (/var/lib/rpm) to compare against the files installed by RPM packages on the current Linux system and check whether any of them have been modified.
Simple usage:
Now a brief explanation of the verification output. The output normally has two parts.
The first part shows the 9 attribute checks for the file:
- S file Size differs: whether the file size has changed
- M Mode differs (includes permissions and file type): whether the file's permissions or type have changed
- 5 MD5 sum differs: whether the file's content digest has changed
- D Device major/minor number mismatch: whether the device major/minor numbers have changed
- L readLink(2) path mismatch: whether the symlink target path has changed
- U User ownership differs: whether the file's owner has changed
- G Group ownership differs: whether the file's group has changed
- T mTime differs: whether the file's modification time has changed
- P caPabilities differ: whether the file's capabilities have changed
The second part is a single character giving the file type:
- c %config configuration file
- d %doc documentation file
- g %ghost file: usually a file owned by the package but not included in its payload (uncommon)
- l %license license file
- r %readme readme file
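As an added example (not part of the original note), a small Python parser for the two-part verification output described above, assuming the standard `rpm -V` line layout of a 9-character attribute string (or the word "missing"), an optional type flag and the path; the sample lines are constructed, and the "suspicious" rule is one possible triage policy, not something rpm itself applies:

```python
import re

# Meaning of each position in the 9-character attribute string printed by rpm -V.
# "5" is documented as MD5, but newer rpm compares whatever digest the package recorded.
ATTR_MEANING = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "link",
    "U": "user", "G": "group", "T": "mtime", "P": "capabilities",
}
FILE_TYPES = {"c": "config", "d": "doc", "g": "ghost", "l": "license", "r": "readme"}

# One line: attribute string or "missing", optional type flag, then the absolute path.
LINE_RE = re.compile(
    r"^(?P<attrs>[SM5DLUGTP.?]{9}|missing)\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/\S.*)$"
)

def parse_verify_line(line):
    """Return a dict describing one verification line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    attrs = m.group("attrs")
    return {
        "path": m.group("path"),
        "type": FILE_TYPES.get(m.group("type"), "normal"),
        "missing": attrs == "missing",
        "changed": [] if attrs == "missing" else [ATTR_MEANING[c] for c in attrs if c in ATTR_MEANING],
    }

def suspicious(entry):
    """Config files are expected to drift in content; anything else with a content,
    mode, ownership, link or capability change (or a missing file) deserves a look."""
    if entry["missing"]:
        return True
    changed = set(entry["changed"])
    if entry["type"] == "config":
        return bool(changed & {"mode", "user", "group", "capabilities"})
    return bool(changed & {"digest", "size", "mode", "user", "group", "capabilities", "link"})

# Constructed sample of rpm -Va output; not captured from any real host.
SAMPLE_OUTPUT = """\
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/bin/ps
.M.......    /usr/bin/sudo
.......T.    /usr/lib64/libc.so.6
missing    d /usr/share/doc/foo/README
"""

def triage(output):
    """Return the paths from rpm -V output that the policy above flags for review."""
    entries = [e for e in (parse_verify_line(l) for l in output.splitlines()) if e]
    return [e["path"] for e in entries if suspicious(e)]
```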
RPM digital signatures:
This section covers adding a digital signature when building the RPM; GPG is used here.
A brief note on how GPG and PGP differ, taken from the Fedora RPM documentation:
GPG and PGP? Acronyms Explained
The RPM documentation uses GPG and PGP pretty much interchangeably, so much so, in fact, that you may think these are typographical errors. Not so.
PGP stands for Pretty Good Privacy. Invented by Phil Zimmermann, PGP was originally invented to encrypt e-mail to allow for private communication. Based on a public-key cryptography algorithm, PGP also supports encrypted digital signatures. These signatures allow you to verify that a package you have downloaded really comes from the vendor you think it does. You do this by using the vendor’s public key.
GPG stands for GNU Privacy Guard, a free, open-source implementation of PGP from the GNU project. GPG aims to be compatible with the OpenPGP Internet standard as defined in RFC 2440. It started when a number of developers wanted a free implementation. One such free implementation, GPG, allows Linux vendors such as Red Hat to include PGP in their products. So, in a sense, GPG provides PGP.
PGP has a long and somewhat troubled history as an open-source product and as a commercial product. See www.philzimmermann.com for background on PGP and its long history. See www.gnupg.org for more details on GPG.
For generating the signing key by hand, see the official documentation: https://www.gentoo.org/doc/zh_cn/gnupg-user.xml. Two things to note:
- Make sure gpg-agent is running before creating the key, because it needs to create a socket or pipe for the connection: $ gpg-agent --daemon --use-standard-socket
- Do not create the key as a user you switched to with su; if you do, gpg-agent will fail: gpg-agent fails to launch /usr/bin/pinentry (which in turn decides whether to launch pinentry-curses, or a QT or GTK equivalent).
$ rpmbuild -ba --sign xxx.spec
$ rpm --addsign package.rpm
$ rpm --resign package.rpm