
Notes on rpm package signatures

Date: 07-18

The reason for writing this: day to day, installing an rpm is just rpm -ivh xxx.rpm and done, but often (most of the time, really) it prints a warning line, for example the one the lsscsi package below produces:

warning: ./lsscsi-0.32-3.el8.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 8483c65d: NOKEY

The warning does not stop the install, but curiosity made me want to find out what it actually means. It is also worth taking seriously: NOKEY means rpm found a signature in the package but has no public key to check it against, so it cannot tell a genuine vendor package from a modified one. The digest checks that do pass only show that the file was not corrupted, not who built it.

Here I download two rpm packages: one from

http://rpmfind.net/linux/centos/8-stream/BaseOS/x86_64/os/Packages/lsscsi-0.32-3.el8.x86_64.rpm

and the other from the UOS repository.

[root@localhost rpm]# ls -lh
total 1.7M
-rw-r--r-- 1 root root 1.6M Oct 22 10:08 bash-doc-5.1.4-1.uelc20.x86_64.rpm
-rw-r--r-- 1 root root  72K Aug 25 15:27 lsscsi-0.32-3.el8.x86_64.rpm

First, let's look inside the two rpms and see what their headers contain.

[root@localhost rpm]# rpm -qp --xml ./lsscsi-0.32-3.el8.x86_64.rpm  | more
warning: ./lsscsi-0.32-3.el8.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 8483c65d: NOKEY
<rpmHeader>
  <rpmTag name="Headeri18ntable">
        <string>C</string>
  </rpmTag>
  <rpmTag name="Sigsize">
        <integer>67332</integer>
  </rpmTag>
  <rpmTag name="Sigpgp">
        <base64>iQIVAwUAYSZTfAW1VbOEg8ZdAQgi8Q/+O+fhD6nlJjC+NwU9VAUcjVSYfN2o8+Jl
iOVlmkqOcbr8J8lvJ/M+IIs5SyUqyb8f5ANoZpxZYvvtBuLIOwVnoDDKEZ7pr4Mq
tL12WtlPjEQBTO+l7r6Ts5IdSi5y5nbHTetLZsbEkM3bKEMyTuFxwXKbqtlsw/Dh
YhbJHCYUlMtOv1W+72xfMZ9e0ZYQnrKB0MzNKx1hZHIBD1JkHt+9ZV2faqbC6rM3
LPPm4Z7GGMP93cOJIF6djewfwR8UBKgUdQI/m1fY+w1iOp0cImdAcAX+OSkZp+js
XwSqZwZqZfDWrZ7Aud+GOYY4A3qDEWoIrJvThS9R5RJe41uQEmPmAmDPniAEtK+T
jeK2LwItCpX/Z6lnTh2O2iNnt0dPGhEN+uI7gRr/8TnJv5SfA/KMYGrSIR+Pm5eL
xaYlqDdQBXwWVhX0kvZG/27NooMtKYaQDfo4THgpNxBa/7UakSedhEgGYXmUVxol
DXBuHNDnWwNJbDa6TnhjZt0pvln2riqZenUELeYf4B8Pej6t//hpYAmJN370+rDv
PG/MBVKohpuelWhIADM+9kcbaG57JBblNKLA+1p6Kce2LxSeFG2GrGhtsG+My4z+
UniLGSt5cSJWNbVsKG82SiItLIc0bICzDQBKjT5AEKGHuU0abPGM0H4kqDpEmMhO
YH0XqejTPhE=
</base64>
  </rpmTag>
  <rpmTag name="Sigmd5">
        <base64>9ME2Gt4MJebKHJJXo1y8og==
</base64>
  </rpmTag>
  <rpmTag name="Rsaheader">
        <base64>iQIVAwUAYSZTfQW1VbOEg8ZdAQje8w/+IBMLcMj9GFdY8u1g1z7RpQW+8yXe9KZu
...
</base64>
  </rpmTag>
  <rpmTag name="Sha1header">
        <string>07d15ab9031b38bf2b39387be69e79ce4ebb1879</string>
  </rpmTag>
  <rpmTag name="Sha256header">
        <string>c2c6ca3eab0fdc6ba756a01c7447afd6aaffff8061a4cf87c393228d0aff8c7a</string>
  </rpmTag>
  <rpmTag name="Name">
        <string>lsscsi</string>
  </rpmTag>
[root@localhost rpm]# rpm -qp --xml ./bash-doc-5.1.4-1.uelc20.x86_64.rpm | more
<rpmHeader>
  <rpmTag name="Headeri18ntable">
        <string>C</string>
  </rpmTag>
  <rpmTag name="Sigsize">
        <integer>1661212</integer>
  </rpmTag>
  <rpmTag name="Sigmd5">
        <base64>yni5u1kyzSrSbtI0uh9N8g==
</base64>
  </rpmTag>
  <rpmTag name="Sha1header">
        <string>df58437625f218025d237df8eaddd34e115e1505</string>
  </rpmTag>
  <rpmTag name="Sha256header">
        <string>ae1c7972f4e6232b96b888602981c091512e28150c1cc62cf0e6ccad8ae2e828</string>
  </rpmTag>
  <rpmTag name="Name">
        <string>bash-doc</string>
  </rpmTag>

As you can see, lsscsi carries Sigpgp, Rsaheader, Sigmd5, Sha1header and Sha256header, whereas bash-doc has no Sigpgp and no Rsaheader. These tags are not equivalent. Rsaheader is an OpenPGP signature over the header only and Sigpgp is a signature over header plus payload; both are made with the vendor's private key and are what prove who built the package. Sha1header and Sha256header are plain digests of the header and Sigmd5 is an MD5 of header plus payload; anyone can recompute those after modifying a package, so they only detect corruption, not tampering.

The header digest and signature information can also be listed directly with:

rpm --checksig -v package.rpm

[root@localhost rpm]#  rpm --checksig -v ./lsscsi-0.32-3.el8.x86_64.rpm 
./lsscsi-0.32-3.el8.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 8483c65d: NOKEY
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID 8483c65d: NOKEY
    MD5 digest: OK
[root@localhost rpm]#  rpm --checksig -v ./bash-doc-5.1.4-1.uelc20.x86_64.rpm 
./bash-doc-5.1.4-1.uelc20.x86_64.rpm:
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK

The same picture: lsscsi has an RSA/SHA256 signature in both places, bash-doc has only digests and no signature at all. Note what NOKEY means in this output: the digests verified, but neither signature could be checked because the signing key is not in the rpmdb.
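What rpm --checksig actually reads, as an added example rather than the post's own code: the Python below parses an RPM's lead and signature header and the OpenPGP signature packets in the Sigpgp and Rsaheader tags, and reproduces the lines above. It reuses the real first bytes of the lsscsi Sigpgp value from the XML dump; the other fixtures (a V4 packet shaped like the one rpmsign later produces with key 8179890f, and two minimal packages mirroring lsscsi and bash-doc) are constructed for this example. It does not verify signatures, only locates and describes them.

```python
"""Added example, not code from the original post: read an RPM's signature header the way
`rpm --checksig -v` does and describe what it finds. Nothing is verified; that needs the signer's key."""
import base64
import struct

LEAD_MAGIC, HEADER_MAGIC = b"\xed\xab\xee\xdb", b"\x8e\xad\xe8\x01"
PUBKEY_ALGO = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGO = {1: "MD5", 2: "SHA1", 8: "SHA256", 10: "SHA512"}
# Signature-header tag numbers behind the names shown by `rpm -qp --xml`.
SIGSIZE, SIGPGP, SIGMD5, RSAHEADER, SHA1HEADER, SHA256HEADER = 1000, 1002, 1004, 268, 269, 273


def iter_subpackets(area):
    """Yield (type, body) for each OpenPGP signature subpacket (RFC 4880 5.2.3.1)."""
    pos = 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", area[pos + 1:pos + 5])[0], pos + 5
        yield area[pos] & 0x7F, area[pos + 1:pos + length]   # length counts the type octet
        pos += length


def parse_pgp_signature(pkt):
    """Fields rpm reports from an old-format OpenPGP signature packet (RFC 4880 5.2), V3 or V4."""
    tag = pkt[0]
    if tag & 0xC0 != 0x80 or (tag >> 2) & 0x0F != 2:
        raise ValueError("not an old-format OpenPGP signature packet")
    body = pkt[1 + {0: 1, 1: 2, 2: 4}[tag & 0x03]:]          # skip the packet-length octets
    version = body[0]
    if version == 3:   # hashed-len(=5) sigtype time(4) keyid(8) pkalgo hashalgo left16 MPIs
        created, keyid, pk_algo, h_algo = struct.unpack(">I", body[3:7])[0], body[7:15].hex(), body[15], body[16]
    elif version == 4:  # sigtype pkalgo hashalgo hashed-subpkts unhashed-subpkts left16 MPIs
        pk_algo, h_algo, created, keyid, pos = body[2], body[3], None, None, 4
        for _ in range(2):                                    # hashed area, then unhashed area
            n = struct.unpack(">H", body[pos:pos + 2])[0]
            for sp_type, sp in iter_subpackets(body[pos + 2:pos + 2 + n]):
                if sp_type == 2:                              # signature creation time
                    created = struct.unpack(">I", sp)[0]
                elif sp_type == 16:                           # issuer key ID: what rpm prints
                    keyid = sp.hex()
            pos += 2 + n
    else:
        raise ValueError(f"unsupported signature version {version}")
    return {"version": version, "pubkey": PUBKEY_ALGO.get(pk_algo, str(pk_algo)),
            "hash": HASH_ALGO.get(h_algo, str(h_algo)), "keyid": keyid, "created": created}


def parse_rpm_header(blob, offset):
    """One RPM header structure (magic, reserved, nindex, hsize, index entries, store) -> {tag: bytes}."""
    if blob[offset:offset + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic")
    nindex = struct.unpack(">I", blob[offset + 8:offset + 12])[0]
    index_at, store_at = offset + 16, offset + 16 + 16 * nindex
    entries = {}
    for i in range(nindex):
        tag, typ, off, count = struct.unpack(">IIII", blob[index_at + 16 * i:index_at + 16 * i + 16])
        start = store_at + off
        if typ in (6, 8, 9):                                  # NUL-terminated string types
            entries[tag] = blob[start:blob.index(b"\0", start)]
        else:                                                 # fixed-size integer and BIN types
            entries[tag] = blob[start:start + count * {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}[typ]]
    return entries


def checksig_lines(blob):
    """Signature-header items as `rpm --checksig -v` lists them (the payload digest is in the main header)."""
    if blob[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM file (bad lead magic)")
    sig = parse_rpm_header(blob, 96)                          # the lead is a fixed 96 bytes

    def describe(tag):
        s = parse_pgp_signature(sig[tag])
        return f"V{s['version']} {s['pubkey']}/{s['hash']} Signature, key ID {s['keyid'][-8:]}"
    items = ((RSAHEADER, "Header {}"), (SHA256HEADER, "Header SHA256 digest"), (SHA1HEADER, "Header SHA1 digest"),
             (SIGPGP, "{}"), (SIGMD5, "MD5 digest"))
    return [text.format(describe(tag)) if "{}" in text else text for tag, text in items if tag in sig]


def build_rpm(sig_entries):
    """Constructed fixture: a lead (only its magic matters here) plus a signature header from {tag: (type, bytes)}."""
    index, store = b"", b""
    for tag, (typ, data) in sig_entries.items():
        store += b"\0" * (-len(store) % {3: 2, 4: 4, 5: 8}.get(typ, 1))   # rpm aligns integers in the store
        index += struct.pack(">IIII", tag, typ, len(store), len(data) if typ == 7 else 1)
        store += data
    header = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(sig_entries), len(store)) + index + store
    return LEAD_MAGIC.ljust(96, b"\0") + header + b"\0" * (-len(header) % 8)   # 96-byte lead; pad to 8


# First 24 bytes of the real Sigpgp value of lsscsi-0.32-3.el8.x86_64.rpm (from the XML dump above):
# every V3 field rpm reports; the RSA MPI that follows is left out.
LSSCSI_SIGPGP_HEAD = base64.b64decode("iQIVAwUAYSZTfAW1VbOEg8ZdAQgi8Q/+")
# Constructed V4 packet shaped like rpmsign's output with the author's key 8179890f: the issuer
# key ID sits in an unhashed subpacket (type 16); the creation time and MPI bytes are made up.
V4_SIGNATURE = (bytes([0x89, 0x00, 0x1D, 0x04, 0x00, 0x01, 0x08, 0x00, 0x06, 0x05, 0x02]) + struct.pack(">I", 1634897343)
                + bytes([0x00, 0x0A, 0x09, 0x10]) + bytes.fromhex("dafe3c258179890f") + b"\xab\xcd\x00\x08\xab")
# Constructed packages mirroring the two above (digests copied from the XML dump; the V3 packet head
# also stands in for Rsaheader, whose copy in the dump is truncated). bash-doc has no signature tags.
SIGNED_RPM = build_rpm({SIGSIZE: (4, struct.pack(">I", 67332)), RSAHEADER: (7, LSSCSI_SIGPGP_HEAD),
                        SHA256HEADER: (6, b"c2c6ca3eab0fdc6ba756a01c7447afd6aaffff8061a4cf87c393228d0aff8c7a\0"),
                        SHA1HEADER: (6, b"07d15ab9031b38bf2b39387be69e79ce4ebb1879\0"),
                        SIGPGP: (7, LSSCSI_SIGPGP_HEAD), SIGMD5: (7, base64.b64decode("9ME2Gt4MJebKHJJXo1y8og=="))})
UNSIGNED_RPM = build_rpm({SIGSIZE: (4, struct.pack(">I", 1661212)),
                          SHA256HEADER: (6, b"ae1c7972f4e6232b96b888602981c091512e28150c1cc62cf0e6ccad8ae2e828\0"),
                          SHA1HEADER: (6, b"df58437625f218025d237df8eaddd34e115e1505\0"),
                          SIGMD5: (7, base64.b64decode("yni5u1kyzSrSbtI0uh9N8g=="))})
```

Running checksig_lines(SIGNED_RPM) gives the five signature-header lines from the lsscsi output above (without the OK/NOKEY verdicts, since nothing is verified), and checksig_lines(UNSIGNED_RPM) gives only the three digest lines. The V3 branch shows why the key ID is available without a key: it is stored in the signature packet itself, right after the creation time, and in V4 packets it moves into an issuer subpacket. That is also why a missing key is merely "NOKEY" and not an error: rpm can see who claims to have signed, it just cannot check the claim.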

At this point, querying or installing the rpm prints a warning for the signed package, because its signing key is unknown:

[root@localhost rpm]# rpm -qpi ./lsscsi-0.32-3.el8.x86_64.rpm 
warning: ./lsscsi-0.32-3.el8.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 8483c65d: NOKEY
Name        : lsscsi
Version     : 0.32
Release     : 3.el8
Architecture: x86_64
Install Date: (not installed)
Group       : Applications/System
Size        : 128120
License     : GPLv2+
Signature   : RSA/SHA256, Wed 25 Aug 2021 15:28:13, Key ID 05b555b38483c65d

The unsigned package produces no warning at all, which is the more dangerous case: there is no signature for rpm to complain about, so nothing tells you the package is unverified:

[root@localhost rpm]# rpm -qpi ./bash-doc-5.1.4-1.uelc20.x86_64.rpm 
Name        : bash-doc
Version     : 5.1.4
Release     : 1.uelc20
Architecture: x86_64
Install Date: (not installed)
Group       : Unspecified

Now let's fetch the public key for this key ID from a public GPG keyserver and try it. A keyserver only stores keys; it does not vouch for them, and anyone can upload a key carrying the user ID "CentOS (CentOS Official Signing Key)". What identifies the real key is its full fingerprint, 99DB 70FA E1D7 CE22 7FB6 4882 05B5 55B3 8483 C65D, which should be compared against the copy CentOS publishes (the RPM-GPG-KEY-centosofficial file in /etc/pki/rpm-gpg on a CentOS system, or the keys page on centos.org) before the key is trusted:

[root@localhost rpm]# gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 05b555b38483c65d
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 05B555B38483C65D: public key "CentOS (CentOS Official Signing Key) <security@centos.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
[root@localhost rpm]# gpg --list-keys
/root/.gnupg/pubring.kbx
------------------------
pub   rsa4096 2019-05-03 [SC]
      99DB70FAE1D7CE227FB6488205B555B38483C65D
uid           [ unknown ] CentOS (CentOS Official Signing Key) <security@centos.org>

After fetching it, export the public key and import it into the rpmdb. Before the import, rpm -qa gpg-pubkey* shows no key; after it, the key is listed:

[root@localhost rpm]# gpg --armor --export 05B555B38483C65D -o centos.key
[root@localhost rpm]# file centos.key 
centos.key: PGP public key block Public-Key (old)
[root@localhost rpm]# rpm -qa gpg-pubkey*
[root@localhost rpm]# rpm --import ./centos.key 
[root@localhost rpm]# rpm -qa gpg-pubkey*
gpg-pubkey-8483c65d-5ccc5b19
[root@localhost rpm]# rpm -qi gpg-pubkey-8483c65d-5ccc5b19
Name        : gpg-pubkey
Version     : 8483c65d
Release     : 5ccc5b19
Architecture: (none)
Install Date: Fri 22 Oct 2021 10:53:31
Group       : Public Keys
Size        : 0
License     : pubkey
Signature   : (none)
Source RPM  : (none)
Build Date  : Fri 03 May 2019 16:15:37
Build Host  : localhost
Relocations : (not relocatable)
Packager    : CentOS (CentOS Official Signing Key) <security@centos.org>
Summary     : gpg(CentOS (CentOS Official Signing Key) <security@centos.org>)
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.14.2 (NSS-3)
...
=kkH7
-----END PGP PUBLIC KEY BLOCK-----

The imported key appears as a pseudo-package, gpg-pubkey-8483c65d-5ccc5b19: the version is the short key ID and the release is the key's creation time as a hex Unix timestamp (0x5ccc5b19 is 3 May 2019, which rpm shows as the Build Date). With the key in the rpmdb, querying or installing the rpm no longer warns, and --checksig now reports both signatures as OK instead of NOKEY. dnf and yum consult the same rpmdb keyring; with gpgcheck=1 they refuse, rather than merely warn about, a repository package whose signing key is missing and cannot be imported from the repo's gpgkey= URL.

[root@localhost rpm]# rpm -qpi ./lsscsi-0.32-3.el8.x86_64.rpm 
Name        : lsscsi
Version     : 0.32
Release     : 3.el8
Architecture: x86_64
Install Date: (not installed)
Group       : Applications/System
Size        : 128120
License     : GPLv2+
Signature   : RSA/SHA256, Wed 25 Aug 2021 15:28:13, Key ID 05b555b38483c65d
Source RPM  : lsscsi-0.32-3.el8.src.rpm
Build Date  : Wed 25 Aug 2021 00:20:06
Build Host  : x86-02.mbox.centos.org
Relocations : (not relocatable)
Packager    : CentOS Buildsys <bugs@centos.org>
Vendor      : CentOS
URL         : http://sg.danny.cz/scsi/lsscsi.html
Summary     : List SCSI devices (or hosts) and associated information
Description :
Uses information provided by the sysfs pseudo file system in Linux kernel
2.6 series to list SCSI devices or all SCSI hosts. Includes a "classic"
option to mimic the output of "cat /proc/scsi/scsi" that has been widely
used prior to the lk 2.6 series.

Author:
--------
    Doug Gilbert <dgilbert(at)interlog(dot)com>
[root@localhost rpm]# rpm --checksig -v ./lsscsi-0.32-3.el8.x86_64.rpm 
./lsscsi-0.32-3.el8.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 8483c65d: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID 8483c65d: OK
    MD5 digest: OK

Besides importing the vendor's GPG public key into the rpmdb, you can also generate your own GPG key pair and use it to sign unsigned rpm packages, or to re-sign packages that are already signed. Keep in mind that rpmsign replaces whatever signature a package already carries, so a re-signed CentOS package no longer has the CentOS signature: whoever installs it has to trust your key instead.

First install the signing tool: dnf install rpm-sign.

Then run gpg --gen-key and follow the wizard to create a key pair.

Then tell rpm which key to use by adding %_gpg_name to a macro file. Here it was added to /etc/rpm/macros.dist; the usual place is ~/.rpmmacros, since macros.dist belongs to the distribution and may be overwritten on update.

[root@localhost rpm]# cat /etc/rpm/macros.dist 
# dist macros.

%rhel 8
%dist .uelc20
%el8 1
%uos 20
%vendor UniontechOSTech
%packager UniontechOS Linux
%_gpg_name actionchen <xxx@xxx.com>

The last line is the identity of the key pair we just generated; rpmsign looks up the secret key in gpg's keyring by that name.

[root@localhost rpm]# rpm -qpi bash-doc-5.1.4-1.uelc20.x86_64.rpm 
Name        : bash-doc
Version     : 5.1.4
Release     : 1.uelc20
Architecture: x86_64
Install Date: (not installed)
Group       : Unspecified
Size        : 5402042
License     : GPLv3+
Signature   : (none)
Source RPM  : bash-5.1.4-1.uelc20.src.rpm
Build Date  : Tue 13 Apr 2021 08:08:12
Build Host  : ChengJieOS-kojibuilder-x86-64-04
Relocations : (not relocatable)
Packager    : ChengJie Linux
Vendor      : ChengJieTech
URL         : https://www.gnu.org/software/bash
Summary     : Documentation files for bash
Description :
This package contains documentation files for bash.
[root@localhost rpm]# rpmsign --addsign ./bash-doc-5.1.4-1.uelc20.x86_64.rpm 
./bash-doc-5.1.4-1.uelc20.x86_64.rpm:
[root@localhost rpm]# rpm -qpi bash-doc-5.1.4-1.uelc20.x86_64.rpm 
warning: bash-doc-5.1.4-1.uelc20.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 8179890f: NOKEY
Name        : bash-doc
Version     : 5.1.4
Release     : 1.uelc20
Architecture: x86_64
Install Date: (not installed)
Group       : Unspecified
Size        : 5402042
License     : GPLv3+
Signature   : RSA/SHA256, Fri 22 Oct 2021 11:09:03, Key ID dafe3c258179890f
Source RPM  : bash-5.1.4-1.uelc20.src.rpm
Build Date  : Tue 13 Apr 2021 08:08:12
Build Host  : ChengJieOS-kojibuilder-x86-64-04
Relocations : (not relocatable)
Packager    : ChengJie Linux
Vendor      : ChengJieTech
URL         : https://www.gnu.org/software/bash
Summary     : Documentation files for bash
Description :
This package contains documentation files for bash.

As you can see, after signing, the package carries signature information, but rpm still reports NOKEY, because the public half of the new key has not been imported into the rpmdb either:

[root@localhost rpm]# rpm --checksig -v ./bash-doc-5.1.4-1.uelc20.x86_64.rpm 
./bash-doc-5.1.4-1.uelc20.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 8179890f: NOKEY
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 8179890f: NOKEY
    MD5 digest: OK

Likewise, export this key's public half with gpg --armor --export and import it into the rpmdb with rpm --import, as done above for the CentOS key; after that the NOKEY goes away. Everyone who is expected to install packages signed this way needs that public key in their rpmdb too, so distribute the armored key together with its fingerprint through a channel you control, not just a keyserver.
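The whole procedure, from key generation to a package that verifies, as an added shell script (not the post's own commands). It assumes gnupg2 and rpm-sign are installed; the signer identity, the macro file path and the key file name are placeholders to replace. It differs from the walkthrough in two deliberate ways: the key is generated non-interactively with gpg --quick-generate-key instead of the --gen-key wizard, and %_gpg_name goes into ~/.rpmmacros rather than /etc/rpm/macros.dist.

```shell
#!/bin/sh
# Added example, not the post's own commands: generate a signing key, sign packages,
# publish the public key, import it and verify. Assumes gnupg2 and rpm-sign are
# installed; SIGNER, MACROS and PUBKEY_FILE are placeholders.
set -u

SIGNER="Example Package Signer <rpm-signing@example.com>"   # placeholder user ID
MACROS="${HOME}/.rpmmacros"        # per-user macro file; leave /etc/rpm/macros.dist to the distro
PUBKEY_FILE="RPM-GPG-KEY-example"  # the file consumers will `rpm --import`

# Non-interactive stand-in for the `gpg --gen-key` wizard: RSA-4096, signing only,
# 2-year expiry, no passphrase (so rpmsign can run unattended). Prints the long key ID.
gen_signing_key() {   # $1 = user ID
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" rsa4096 sign 2y >/dev/null 2>&1 || return 1
    gpg --with-colons --list-keys "$1" | awk -F: '$1 == "pub" { print $5; exit }'
}

# %_gpg_name is the gpg selector rpmsign uses to find the secret key. A long key ID
# is unambiguous where a name or e-mail address might match several keys.
write_rpm_macros() {  # $1 = macro file, $2 = key ID or user ID
    printf '%%_gpg_name %s\n' "$2" > "$1"
}

# rpmsign replaces any signature already in the package: after this the vendor's
# signature is gone and consumers must trust this key instead.
sign_packages() {     # $@ = rpm files
    rpmsign --addsign "$@"
}

# Export the public half for distribution and print the fingerprint, which is what
# consumers compare against an out-of-band copy before they trust the key.
publish_key() {       # $1 = key ID, $2 = output file
    gpg --armor --export "$1" > "$2"
    gpg --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Import into the rpmdb (this is what turns NOKEY into OK) and list the gpg-pubkey entries.
install_key() {       # $1 = exported key file
    rpm --import "$1"
    rpm -qa 'gpg-pubkey*' --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
}

# Succeed only if rpm exits 0 and no line reads NOKEY, BAD or NOT OK.
verify_package() {    # $1 = rpm file
    out=$(rpm --checksig -v "$1" 2>&1); rc=$?
    printf '%s\n' "$out"
    [ "$rc" -eq 0 ] && ! printf '%s\n' "$out" | grep -Eq 'NOKEY|BAD|NOT OK'
}

main() {
    [ $# -ge 1 ] || { echo "usage: $0 package.rpm..." >&2; return 2; }
    for tool in gpg rpmsign rpm; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found (dnf install rpm-sign gnupg2)" >&2; return 2; }
    done
    keyid=$(gen_signing_key "$SIGNER") || return 1
    write_rpm_macros "$MACROS" "$keyid"
    sign_packages "$@"
    echo "signing key fingerprint: $(publish_key "$keyid" "$PUBKEY_FILE")"
    for pkg in "$@"; do verify_package "$pkg" || echo "$pkg: NOKEY before import, as expected"; done
    install_key "$PUBKEY_FILE"
    for pkg in "$@"; do verify_package "$pkg" || { echo "$pkg: still not OK" >&2; return 1; }; done
}
main "$@"
```

Run it as ./sign-and-verify.sh bash-doc-5.1.4-1.uelc20.x86_64.rpm. The first verify_package pass is expected to fail with NOKEY, exactly as in the walkthrough; the second pass, after install_key, must report OK on every line or the script exits non-zero. The fingerprint it prints is what you hand to consumers alongside the RPM-GPG-KEY-example file so they can check the key before running rpm --import on it.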
