Understanding Yum's gpgcheck in Depth


Reference tutorial

Secure distribution of RPM packages

Experiment: testing gpg

  • Create the private repository privateRepo

    mkdir /home/privateRepo/
  • Upload an unsigned rpm package to /home/privateRepo/

    rpm -pqi /home/privateRepo/jdk-10.0.1_linux-x64_bin.rpm
    
    Name        : jdk-10.0.1                   Relocations: /usr/java
    Version     : 10.0.1                            Vendor: Oracle America
    Release     : ga                            Build Date: Tue 27 Mar 2018 01:24:18 AM GMT
    Install Date: (not installed)               Build Host: sca00ida.us.oracle.com
    Group       : Development/Tools             Source RPM: jdk-10.0.1-10.0.1-ga.src.rpm
    Size        : 578524676                        License: http://java.com/license
    Signature   : (none)
    URL         : URL_REF
    Summary     : Java Platform Standard Edition Development Kit
    Description :
    The Java Platform Standard Edition Development Kit (JDK) includes both
    the runtime environment (Java Virtual Machine, the Java platform classes
    and supporting files) and development tools (compilers, debuggers,
  • Add gpgcheck to the repo file

    vi /etc/yum.repos.d/privateRepo.repo
    
    [privateRepo]
    name=privateRepo-gpg-test
    baseurl=file:///home/privateRepo
    enabled=1
    gpgcheck=1
  • Build the repository index

    createrepo /home/privateRepo/
    Spawning worker 0 with 1 pkgs
    Workers Finished
    Gathering worker results
    
    Saving Primary metadata
    Saving file lists metadata
    Saving other metadata
    Generating sqlite DBs
    Sqlite DBs complete
  • Query the package with yum

    yum clean all
    yum list|grep jdk
    
    jdk-10.0.1.x86_64                2000:10.0.1-ga              privateRepo
  • Install jdk-10.0.1.x86_64

    yum install jdk-10.0.1.x86_64
    Loaded plugins: fastestmirror, post-transaction-actions
    Setting up Install Process
    Loading mirror speeds from cached hostfile
    Resolving Dependencies
    --> Running transaction check
    ---> Package jdk-10.0.1.x86_64 2000:10.0.1-ga will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ============================================================================================================================================
    Package                          Arch                         Version                              Repository                         Size
    ============================================================================================================================================
    Installing:
    jdk-10.0.1                       x86_64                       2000:10.0.1-ga                       privateRepo                       306 M
    
    Transaction Summary
    ============================================================================================================================================
    Install       1 Package(s)
    
    Total download size: 306 M
    Installed size: 552 M
    Is this ok [y/N]: y
    Downloading Packages:
    
    Package jdk-10.0.1_linux-x64_bin.rpm is not signed
  • Installation fails
  • Sign the package

    gpg --list-keys
    /home/nobody/.gnupg/pubring.gpg
    -------------------------------
    pub   2048R/230C0099 2016-03-15
    uid                  Gavin Ni <guani@cisco.com>
    sub   2048R/3E679AEF 2016-03-15
    gpg --export -a guani@cisco.com > /home/nobody/privateRepo.key
    rpm --define '_gpg_name Gavin Ni' --define '_gpg_path /home/nobody/.gnupg' --addsign /home/privateRepo/jdk-10.0.1_linux-x64_bin.rpm
    Enter pass phrase:
    gpg: WARNING: unsafe ownership on homedir `/home/nobody/.gnupg'
    Pass phrase is good.
    /home/privateRepo/jdk-10.0.1_linux-x64_bin.rpm:
    gpg: WARNING: unsafe ownership on homedir `/home/nobody/.gnupg'
    gpg: WARNING: unsafe ownership on homedir `/home/nobody/.gnupg'
  • Verify the signature

    rpm -pqi /home/privateRepo/jdk-10.0.1_linux-x64_bin.rpm
    Name        : jdk-10.0.1                   Relocations: /usr/java
    Version     : 10.0.1                            Vendor: Oracle America
    Release     : ga                            Build Date: Tue 27 Mar 2018 01:24:18 AM GMT
    Install Date: (not installed)               Build Host: sca00ida.us.oracle.com
    Group       : Development/Tools             Source RPM: jdk-10.0.1-10.0.1-ga.src.rpm
    Size        : 578524676                        License: http://java.com/license
    Signature   : RSA/SHA1, Thu 30 Aug 2018 03:30:08 AM GMT, Key ID 952e62c3230c0099
    URL         : URL_REF
    Summary     : Java Platform Standard Edition Development Kit
    Description :
    The Java Platform Standard Edition Development Kit (JDK) includes both
    the runtime environment (Java Virtual Machine, the Java platform classes
    and supporting files) and development tools (compilers, debuggers,
    tool libraries and other tools).
  • Install again, but the installation still fails

    yum install jdk-10.0.1.x86_64
    Loaded plugins: fastestmirror, post-transaction-actions
    Setting up Install Process
    Loading mirror speeds from cached hostfile
    qa_mav_centos6                                                                                                       | 1.2 kB     00:00
    qa_mav_centos6.7_noarch                                                                                              | 1.2 kB     00:00
    qa_mav_centos6.7_x86_64                                                                                              | 1.2 kB     00:00
    Resolving Dependencies
    --> Running transaction check
    ---> Package jdk-10.0.1.x86_64 2000:10.0.1-ga will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ============================================================================================================================================
    Package                          Arch                         Version                              Repository                         Size
    ============================================================================================================================================
    Installing:
    jdk-10.0.1                       x86_64                       2000:10.0.1-ga                       privateRepo                       306 M
    
    Transaction Summary
    ============================================================================================================================================
    Install       1 Package(s)
    
    Total download size: 306 M
    Installed size: 552 M
    Is this ok [y/N]: y
    Downloading Packages:
    Error Downloading Packages:2000:jdk-10.0.1-10.0.1-ga.x86_64: failure: jdk-10.0.1_linux-x64_bin.rpm from privateRepo: [Errno 256] No more mirrors to try.
  • createrepo must be rerun

    createrepo /home/privateRepo/
  • Installation still fails

    [root@mtRobincmc001 yum.repos.d]# yum install jdk-10.0.1.x86_64
      Loaded plugins: fastestmirror, post-transaction-actions
      Setting up Install Process
      Loading mirror speeds from cached hostfile
      qa_mav_centos6                                                                                                       | 1.2 kB     00:00
      qa_mav_centos6.7_noarch                                                                                              | 1.2 kB     00:00
      qa_mav_centos6.7_x86_64                                                                                              | 1.2 kB     00:00
      Resolving Dependencies
      --> Running transaction check
      ---> Package jdk-10.0.1.x86_64 2000:10.0.1-ga will be installed
      --> Finished Dependency Resolution
      Dependencies Resolved
      Package                          Arch                         Version                              Repository                         Size
      ============================================================================================================================================
      Installing:
      jdk-10.0.1                       x86_64                       2000:10.0.1-ga                       privateRepo                       306 M
    
      Transaction Summary
      ============================================================================================================================================
      Install       1 Package(s)
    
      Total download size: 306 M
      Installed size: 552 M
      Is this ok [y/N]: y
      Downloading Packages:
      jdk-10.0.1_linux-x64_bin.rpm                                                                                         | 306 MB     00:04
      warning: rpmts_HdrFromFdno: Header V4 RSA/SHA1 Signature, key ID 230c0099: NOKEY
      Public key for jdk-10.0.1_linux-x64_bin.rpm is not installed
  • Export the public key (for the client to import)

    gpg --export -a rpmsign@example.com > /home/privateRepo/example-com.key
  • Add gpgkey to the yum repo file

    [privateRepo]
    name=privateRepo-gpg-test
    baseurl=file:///home/privateRepo
    enabled=1
    gpgcheck=1
    gpgkey=file:///home/privateRepo/privateRepo.key
  • Install again; this time it succeeds

    [root@mtRobincmc001 ~]# yum install jdk
    Loaded plugins: fastestmirror, post-transaction-actions
    Setting up Install Process
    Loading mirror speeds from cached hostfile
    qa_mav_centos6                                                                                                       | 1.2 kB     00:00
    qa_mav_centos6.7_noarch                                                                                              | 1.2 kB     00:00
    qa_mav_centos6.7_x86_64                                                                                              | 1.2 kB     00:00
    Resolving Dependencies
    --> Running transaction check
    ---> Package jdk-10.0.1.x86_64 2000:10.0.1-ga will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ============================================================================================================================================
    Package                          Arch                         Version                              Repository                         Size
    ============================================================================================================================================
    Installing:
    jdk-10.0.1                       x86_64                       2000:10.0.1-ga                       privateRepo                       306 M
    
    Transaction Summary
    ============================================================================================================================================
    Install       1 Package(s)
    
    Total download size: 306 M
    Installed size: 552 M
    Is this ok [y/N]: y
    Downloading Packages:
    jdk-10.0.1_linux-x64_bin.rpm                                                                                         | 306 MB     00:03
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : 2000:jdk-10.0.1-10.0.1-ga.x86_64                                                                                         1/1
    Unpacking JAR files...
      plugin.jar...
      javaws.jar...
      deploy.jar...
    cp: cannot stat `/usr/java/jdk-10.0.1/lib/desktop/icons/hicolor/16x16/apps/sun-java.png': No such file or directory
    cp: cannot stat `/usr/java/jdk-10.0.1/lib/desktop/icons/hicolor/16x16/apps/sun-javaws.png': No such file or directory
    cp: cannot stat `/usr/java/jdk-10.0.1/lib/desktop/icons/hicolor/48x48/apps/sun-java.png': No such file or directory
    cp: cannot stat `/usr/java/jdk-10.0.1/lib/desktop/icons/hicolor/48x48/apps/sun-javaws.png': No such file or directory
    cp: cannot stat `/usr/java/jdk-10.0.1/lib/desktop/icons/hicolor/48x48/apps/sun-java.png': No such file or directory
    cp: cannot stat `/usr/java/jdk-10.0.1/lib/desktop/icons/hicolor/48x48/apps/sun-javaws.png': No such file or directory
    Running post transaction command: /opt/mav/bin/mav-event "yum_event" "install jdk-10.0.1-10.0.1-ga.x86_64 @ %DTE% from privateRepo 2000"
      Verifying  : 2000:jdk-10.0.1-10.0.1-ga.x86_64                                                                                         1/1
    
    Installed:
      jdk-10.0.1.x86_64 2000:10.0.1-ga
    
    Complete!
  • Summary

    • /etc/yum.repos.d/privateRepo.repo applies to the yum client side
    • gpgcheck=1 in privateRepo.repo only affects the install step; it has no effect on index creation on the server side (createrepo). However, after a package is signed, createrepo must be rerun, because signing rewrites the package file and the checksums recorded in the existing repodata no longer match it.
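    The stale-metadata failure seen above (signing without rerunning createrepo gives "No more mirrors to try") can be detected on the server before clients hit it. The following script is an added example, not part of the original post: it reads repodata/repomd.xml and primary.xml, recomputes each package checksum and reports entries whose file on disk no longer matches. The demo() fixture is constructed (a stand-in file rather than a real rpm, and a minimal primary.xml carrying only the fields the check needs).

```python
import gzip, hashlib, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"c": "http://linux.duke.edu/metadata/common",
      "r": "http://linux.duke.edu/metadata/repo"}

def check_repo(repo_dir):
    """Map each package href in primary.xml to 'ok', 'stale' (checksum differs) or 'missing'."""
    repo = Path(repo_dir)
    repomd = ET.parse(repo / "repodata" / "repomd.xml").getroot()
    primary_href = next(d.find("r:location", NS).get("href")
                        for d in repomd.findall("r:data", NS) if d.get("type") == "primary")
    path = repo / primary_href
    with (gzip.open if path.suffix == ".gz" else open)(path, "rb") as fh:
        primary = ET.parse(fh).getroot()
    status = {}
    for pkg in primary.findall("c:package", NS):
        loc = pkg.find("c:location", NS).get("href")
        chk = pkg.find("c:checksum", NS)
        if not (repo / loc).exists():
            status[loc] = "missing"
            continue
        algo = {"sha": "sha1"}.get(chk.get("type"), chk.get("type"))  # old createrepo wrote "sha"
        digest = hashlib.new(algo, (repo / loc).read_bytes()).hexdigest()
        status[loc] = "ok" if digest == chk.text.strip() else "stale"
    return status

PRIMARY = """<?xml version="1.0"?>
<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">
<package type="rpm"><name>jdk-10.0.1</name>
<checksum type="sha256" pkgid="YES">{digest}</checksum>
<location href="jdk-10.0.1_linux-x64_bin.rpm"/></package></metadata>"""
REPOMD = """<?xml version="1.0"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
<data type="primary"><location href="repodata/primary.xml.gz"/></data></repomd>"""

def demo():
    """Constructed repo: metadata built for the unsigned bytes, file then altered as --addsign would."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, body = Path(tmp), b"constructed stand-in for the unsigned rpm bytes"
        pkg = repo / "jdk-10.0.1_linux-x64_bin.rpm"
        pkg.write_bytes(body)
        (repo / "repodata").mkdir()
        with gzip.open(repo / "repodata" / "primary.xml.gz", "wb") as fh:
            fh.write(PRIMARY.format(digest=hashlib.sha256(body).hexdigest()).encode())
        (repo / "repodata" / "repomd.xml").write_text(REPOMD)
        before = check_repo(repo)
        pkg.write_bytes(body + b"+signature")  # signing rewrites the header; any change suffices
        return before, check_repo(repo)
```

    Run check_repo against the real /home/privateRepo after signing: any "stale" entry means createrepo has not been rerun since the file changed.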

A secure private RPM repository

  • Download RPMs over https
  • Sign RPMs with gpg
  • Make sure gpgcheck=1 is set
  • Download the gpg public key over https as well
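The four points above can be checked mechanically on every client. The audit below is an added example, not from the original post: it parses a .repo file and flags a repo that has gpgcheck off, has no gpgkey, or fetches its packages, mirror list or key over plain http. GOOD_REPO is the post's own privateRepo definition; WEAK_REPO is a constructed counter-example.

```python
import configparser

# Repo definition from the post: local file:// paths, signing enforced.
GOOD_REPO = """[privateRepo]
name=privateRepo-gpg-test
baseurl=file:///home/privateRepo
enabled=1
gpgcheck=1
gpgkey=file:///home/privateRepo/privateRepo.key
"""
# Constructed counter-example: plain http and signature checking disabled.
WEAK_REPO = """[mirror]
name=untrusted-mirror
baseurl=http://mirror.example.invalid/centos/6/os/x86_64
enabled=1
gpgcheck=0
gpgkey=http://mirror.example.invalid/RPM-GPG-KEY
"""

def audit_repo_config(text):
    """Map each [section] of a .repo file to a list of findings; an empty list means it passes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for name in cp.sections():
        sec, findings = cp[name], []
        if sec.get("gpgcheck", "0") != "1":
            findings.append("gpgcheck is not 1: unsigned packages would install")
        if not sec.get("gpgkey"):
            findings.append("no gpgkey: yum cannot fetch the key to verify signatures")
        for key in ("baseurl", "mirrorlist", "metalink", "gpgkey"):
            for url in sec.get(key, "").split():  # yum allows several URLs per key
                if url.lower().startswith("http://"):
                    findings.append("%s fetched over plain http: %s" % (key, url))
        report[name] = findings
    return report
```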