RPM验证与数字签名(Verify/Signature)

RPM验证：

使用RPM数据库(/var/lib/rpm)的内容来比对目前Linux系统RPM软件文件，查看是否有改动。数据库

简单的用法：app

     
 
      
       
        
       
       
       
         $rpm -Va 
        #验证系统全部RPM包 
        
       
 
      
       
        
       
       
       
         $rpm -V 已安装的RPM包 
        #验证指定的RPM包 
        
       
 
      
       
        
       
       
       
         $rpm -Vf 某个RPM包文件 
        #验证这个文件 
        
       
 
      
       
        
       
       
       
         $rpm -Vf /etc/yum.conf 
        
       
 
      
       
        
       
       
       
         S 
        .5....T. c /etc/yum.conf 
        
       
 
      
       
        
       
       
       
         $

如今来简单的解释一下验证后的输出，输出通常来讲有两部分；

表示文件的9个属性信息socket

S file Size differs 文件大小是否被改动
M Mode differs(includes permissions and file type) 文件的属性和类型是否被改动
5 MD5 sum differs MD5内容是否被改动
D Device major/minor number mismatch 设备的主/次代码是否被改动
L readLink(2) path mismatch Link路径是否被改动
U User ownership differs 文件的全部人是否被改动
G Group ownership differs 文件的组是否被改动
T mTime differs 文件的修改是不是否被改动
P caPabilities differ

表示文件格式的信息

c %config configuration file 配置文件
d %doc documentation file 文档文件
g %ghost file 一般是该文件不会被某个燃机所包含较少发生
l %license license file 许可证文件
r %readme readme file 自述文件

RPM数字签名：

这里主要从制做RPM的时候加入数字签名，这里用的是GPG。ide

这里简单说明一下GPG与PGP不一样之处。来自与Fedora_RPM_documentationpost

GPG and PGP? Acronyms Explained
The RPM documentation uses GPG and PGP pretty much interchangeably, so much so, in fact, that you may think these are typographical errors. Not so.
PGP stands for Pretty Good Privacy. Invented by Phil Zimmerman, PGP was originally invented to encrypt e-mail to allow for private communication. Based on a public-key cryptography algorithm, PGP also supports encrypted digital signatures. These signatures allow you to verify that a package you have downloaded really comes from the vendor you think it does. You do this by using the vendor’s public key.
GPG stands for GNU Privacy Guard, a free, open-source implementation of PGP from the GNU project. GPG aims to be compatible with the OpenPGP Internet standard as defined in RFC 2440. It started when a number of developers wanted a free implementation. One such free implementation, GPG, allows Linux vendors such as Red Hat to include PGP in their products. So, in a sense, GPG provides PGP.
PGP has a long and somewhat troubled history as an open-source product and as a commercial product. See www.philzimmermann.com for background on PGP and its long history. See www.gnupg.org for more details on GPG.

flex

手动生成数字签名可查看官网：https://www.gentoo.org/doc/zh_cn/gnupg-user.xml 两个注意事项
ui

建立数字认证以前要确保gpg-agent在运行，由于须要它穿件一个socket或者pipe用于链接 $gpg-agent --daemon --use-standard-socket
建立数字认证的时候不要用su以后的用户若是用的话gpg-agent将会失败 gpg-agent fails to launch/usr/bin/pinentry (which in turn decides whether to launchpinentry-curses, or a QT or GTK equivalent).

一旦有了数字认证key，就能够在制做RPM的时候设置相关数字签名宏。添加下面的代码到$HOME/.rpmmacros

     
 
      
       
        
       
       
       
         %_signature gpg 
        
       
 
      
       
        
       
       
       
         %_gpg_path /home/xxx/.gnupg 
        
       
 
      
       
        
       
       
       
         %_gpg_name xxx <email address> 
        
       
 
      
       
        
       
       
       
         %_gpgbin /usr/bin/gpg

这样就能够在制做RPM包的时候加上--sign参数来加上数字签名。

$rpmbuild -ba --sign xxx.spec

也能够对现有的RPM包增长数字签名。

$rpm --addsign package.rpm

也能够对现有的RPM修改数字签名。

$rpm --resign package.rpm

验证一个RPM包的数字签名

     
 
      
       
        
       
       
       
         $rpm -K -v 
        package.rpm 
        
       
 
      
       
        
       
       
       
         $rpm -K -vv 
        package.rpm