|
 |
2ff057 |
/*! \page signatures Signature header
|
|
|
2ff057 |
|
|
|
2ff057 |
The 2.1 release of RPM had a few improvements in the area of
|
|
|
2ff057 |
digital package signatures. The usage of PGP has been cleaned
|
|
|
2ff057 |
up and extended, the signature section in the RPM file format
|
|
|
2ff057 |
has been made easily extensible with new signature types, and
|
|
|
2ff057 |
packages can have multiple signatures.
|
|
|
2ff057 |
|
|
|
2ff057 |
\section signatures_pgp PGP
|
|
|
2ff057 |
|
|
|
2ff057 |
Legacy usage of PGP in rpm-2.0 was cumbersome, and only supported
|
|
|
2ff057 |
1024 bit keys. Both of these problems have been corrected in rpm-2.1.
|
|
|
2ff057 |
|
|
|
2ff057 |
Whereas previously you needed many rpmrc entries to clue in
|
|
|
2ff057 |
RPM about keyring locations and such, RPM now behaves as PGP
|
|
|
2ff057 |
users would expect. The PGPPATH environment variable can be
|
|
|
2ff057 |
used to specify keyring locations. You can also use a
|
|
|
2ff057 |
"%_pgpbin" line in your macros file to specify a different value
|
|
|
2ff057 |
for RPM to use for PGPPATH. If neither of these are used PGP
|
|
|
2ff057 |
uses its default ($HOME/.pgp).
|
|
|
2ff057 |
|
|
|
2ff057 |
If you just want to verify packages, you need to supply values
|
|
|
2ff057 |
for the macros
|
|
|
2ff057 |
\verbatim
|
|
|
2ff057 |
%_pgpbin the path to the pgp executable
|
|
|
2ff057 |
%_signature the type of signature to use
|
|
|
2ff057 |
\endverbatim
|
|
|
2ff057 |
|
|
|
2ff057 |
In order to be able to sign packages, you may also have to
|
|
|
2ff057 |
supply values for
|
|
|
2ff057 |
\verbatim
|
|
|
2ff057 |
%_pgp_name the pgp signature to use for signing
|
|
|
2ff057 |
%_pgp_path the path to the key ring
|
|
|
2ff057 |
\endverbatim
|
|
|
2ff057 |
|
|
|
2ff057 |
\section signatures_signing Signing Packages
|
|
|
2ff057 |
|
|
|
2ff057 |
Signature creation is the same as previous releases: just add
|
|
|
2ff057 |
a --sign to your build command line. You can sign a package
|
|
|
2ff057 |
after the package is built with:
|
|
|
2ff057 |
|
|
|
2ff057 |
\verbatim
|
|
|
2ff057 |
rpm --resign <package>
|
|
|
2ff057 |
\endverbatim
|
|
|
2ff057 |
|
|
|
2ff057 |
Using --resign removes any previous signature in the package.
|
|
|
2ff057 |
To *add* a signature to a package, leaving all existing
|
|
|
2ff057 |
signatures use:
|
|
|
2ff057 |
|
|
|
2ff057 |
\verbatim
|
|
|
2ff057 |
rpm --addsign <package>
|
|
|
2ff057 |
\endverbatim
|
|
|
2ff057 |
|
|
|
2ff057 |
RPM always creates MD5 and SIZE signatures when it build
|
|
|
2ff057 |
packages, which means that packages built without --sign can
|
|
|
2ff057 |
be "verified" to some extent. The MD5 signature should catch
|
|
|
2ff057 |
problems like corrupt packages, faulty downloads, etc.
|
|
|
2ff057 |
|
|
|
2ff057 |
\section signatures_verifying Verifying Package Signatures
|
|
|
2ff057 |
|
|
|
2ff057 |
Package signature verification is the same as previous releases:
|
|
|
2ff057 |
|
|
|
2ff057 |
\verbatim
|
|
|
2ff057 |
rpm -K <package>
|
|
|
2ff057 |
\endverbatim
|
|
|
2ff057 |
|
|
|
2ff057 |
RPM will verify every signature in the package, which may include
|
|
|
2ff057 |
more than one PGP signature. The output indicates what types of
|
|
|
2ff057 |
signatures are being checked. If any checks fail you'll see a
|
|
|
2ff057 |
"NOT OK" message, and you should be worried.
|
|
|
2ff057 |
|
|
|
2ff057 |
If you have a package with PGP signatures, but don't have PGP
|
|
|
2ff057 |
installed, but still want to verify it as much as possible, you
|
|
|
2ff057 |
can do:
|
|
|
2ff057 |
|
|
|
2ff057 |
\verbatim
|
|
|
2ff057 |
rpm -K --nopgp <package>
|
|
|
2ff057 |
\endverbatim
|
|
|
2ff057 |
|
|
|
2ff057 |
That will cause RPM to skip any PGP signatures, but still check
|
|
|
2ff057 |
any others (currently only MD5 and SIZE).
|
|
|
2ff057 |
|
|
|
2ff057 |
*/
|