runsisi's technical notes

rpm GPG signatures

2019-02-01 runsisi  tags: gpg, rpm

Although we often set gpgcheck = 0 when using a yum repo, official rpms are in fact GPG-signed, and the signature can be used to verify that an rpm package is legitimate (that it has not been tampered with, that it is not a forged package, and so on).

CentOS's official GPG keys (public keys) are kept in the /etc/pki/rpm-gpg/ directory:

~$ ls /etc/pki/rpm-gpg/
RPM-GPG-KEY-CentOS-7 RPM-GPG-KEY-CentOS-Debug-7 RPM-GPG-KEY-CentOS-Testing-7 RPM-GPG-KEY-EPEL-7 RPM-GPG-KEY-remi RPM-GPG-KEY-remi2017 RPM-GPG-KEY-remi2018

All installed keys can be listed with the following command:

~$ rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release}\t%{summary}\n'
gpg-pubkey-f4a80eb5-53a7ff4b gpg(CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>)
gpg-pubkey-2c52609d-55a59f6e gpg(Docker Release Tool (releasedocker) <docker@docker.com>)
gpg-pubkey-352c64e5-52ae6884 gpg(Fedora EPEL (7) <epel@fedoraproject.org>)
gpg-pubkey-8c430b95-59e2e1b7 gpg(ngompa_snapcore-el7 (None) <ngompa#snapcore-el7@copr.fedorahosted.org>)
gpg-pubkey-00f97f56-467e318a gpg(Remi Collet <RPMS@FamilleCollet.com>)
gpg-pubkey-759d8517-5a5068a3 gpg(xxx <xxx@example.com>)

and the details of a particular key can be queried with:

~$ rpm -qi gpg-pubkey-759d8517-5a5068a3
Name : gpg-pubkey
Version : 759d8517
Release : 5a5068a3
Architecture: (none)
Install Date: Mon 05 Nov 2018 08:21:40 PM CST
Group : Public Keys
Size : 0
License : pubkey
Signature : (none)
Source RPM : (none)
Build Date : Sat 06 Jan 2018 02:11:47 PM CST
Build Host : localhost
Relocations : (not relocatable)
Packager : xxx <xxx@example.com>
Summary : gpg(xxx <xxx@example.com>)
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.11.3 (NSS-3)
mQENBFpQaKMBCACZVo6Wvnv9oEyG7ciBbEzuwzrUHo9s/kVirscelN0cpQNI9pGl
UCc30pMYjcQr6otO//QCihBYwqyjhwcOnEHxjNjRsydZ+kEV+Uil9rscBCagwpn6
lAhmcXKslMuiYHQi0BL5cAmcnJ7Obw72hYzaH7wteWZZgDsjvYy3Sxs47U7AhJ1C
hXXJC8v2amlsbLg/CQGySQ6rdcPMy9bOOKsmU8cRU96nbkaULeZKQ9sMDtvjljqY
...

A key is imported with the following command:

~$ sudo rpm --import XXX-RELEASE-GPG-KEY

A key can also be removed:

~$ sudo rpm -e gpg-pubkey-759d8517-5a5068a3

You can also query which key is needed to verify an rpm package's signature. Note the last 8 characters of the Signature field: they are the id of the required key (since that key has not been imported on this machine, the required key id is in fact already printed in the warning on the first line of the output):

~$ rpm -qpi ceph/12.2.9-1-90.el7/x86_64/ceph-common-12.2.9-1.90.g6f2bab3.el7.x86_64.rpm
warning: ceph/12.2.9-1-90.el7/x86_64/ceph-common-12.2.9-1.90.g6f2bab3.el7.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 759d8517: NOKEY
Name        : ceph-common
Epoch       : 2
Version     : 12.2.9
Release     : 1.90.g6f2bab3.el7
Architecture: x86_64
Install Date: (not installed)
Group       : Unspecified
Size        : 51967132
License     : LGPL-2.1 and CC-BY-SA-3.0 and GPL-2.0 and BSL-1.0 and BSD-3-Clause and MIT
Signature   : RSA/SHA1, Mon 05 Nov 2018 12:54:10 AM CST, Key ID c08d7ae1759d8517
Source RPM  : ceph-12.2.9-1.90.g6f2bab3.el7.src.rpm
Build Date  : Mon 05 Nov 2018 12:41:47 AM CST
...

The signature is verified with the following command; the two outputs below correspond to the cases where the key has not been imported and where it has been imported on the machine:

rpm -K, --checksig

~$ rpm -K ceph/12.2.9-1-90.el7/x86_64/ceph-common-12.2.9-1.90.g6f2bab3.el7.x86_64.rpm
ceph/12.2.9-1-90.el7/x86_64/ceph-common-12.2.9-1.90.g6f2bab3.el7.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#759d8517)

~$ rpm -K ceph/12.2.9-1-90.el7/x86_64/ceph-common-12.2.9-1.90.g6f2bab3.el7.x86_64.rpm
ceph/12.2.9-1-90.el7/x86_64/ceph-common-12.2.9-1.90.g6f2bab3.el7.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
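As an added example (not from the original post), the key-id rule above and the rpm -K outcomes can be anticipated before installing: the script below parses the shape of the rpm -q gpg-pubkey listing and the Signature line of rpm -qpi (both samples constructed from the values shown on this page) and reports whether the signing key is already imported, so that a MISSING KEYS result is caught ahead of time. The function names are my own.

```python
import re

# Constructed sample, shaped like:
#   rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release}\t%{summary}\n'
INSTALLED_KEYS_OUTPUT = """\
gpg-pubkey-f4a80eb5-53a7ff4b\tgpg(CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>)
gpg-pubkey-352c64e5-52ae6884\tgpg(Fedora EPEL (7) <epel@fedoraproject.org>)
"""

# Constructed samples, shaped like the Signature line of `rpm -qpi <pkg>.rpm`
SIGNED_PKG_INFO = ("Name        : ceph-common\n"
                   "Signature   : RSA/SHA1, Mon 05 Nov 2018 12:54:10 AM CST, Key ID c08d7ae1759d8517\n")
UNSIGNED_PKG_INFO = "Name        : foo\nSignature   : (none)\n"

KEY_LINE = re.compile(r"^gpg-pubkey-([0-9a-f]{8})-([0-9a-f]{8})\s+(.*)$")
SIG_LINE = re.compile(r"^Signature\s*:\s*(.*)$", re.MULTILINE)
KEY_ID = re.compile(r"Key ID ([0-9a-fA-F]{16})")


def parse_installed_keys(output):
    """Map the 8-hex-digit key id (the %{version} part of the gpg-pubkey name) to its summary."""
    keys = {}
    for line in output.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            keys[m.group(1).lower()] = m.group(3)
    return keys


def required_key_id(pkg_info):
    """Return the short id of the package's signing key, or None if the package is unsigned.
    rpm names the imported key after the last 8 hex digits of the long Key ID."""
    m = SIG_LINE.search(pkg_info)
    if not m or m.group(1).strip() == "(none)":
        return None
    long_id = KEY_ID.search(m.group(1))
    return long_id.group(1)[-8:].lower() if long_id else None


def signing_key_status(pkg_info, installed):
    """Decide, before running rpm -K, whether a signature check can succeed at all."""
    key_id = required_key_id(pkg_info)
    if key_id is None:
        return "unsigned"                  # rpm -K cannot prove anything here
    if key_id not in installed:
        return "missing key " + key_id     # rpm -K would report MISSING KEYS
    return "key present " + key_id + ": " + installed[key_id]


if __name__ == "__main__":
    installed = parse_installed_keys(INSTALLED_KEYS_OUTPUT)
    print(signing_key_status(SIGNED_PKG_INFO, installed))    # missing key 759d8517
    print(signing_key_status(UNSIGNED_PKG_INFO, installed))  # unsigned
```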

Note in particular that although rpm supports signing with a subkey, it does not support verifying with a subkey, so do not sign with a subkey!

To skip GPG signature verification when installing with yum:

~$ yum install --nogpgcheck <package>
