I am writing this because my daily routine for installing an rpm package is simply `rpm -ivh xxx.rpm` and that is it, but often, or rather most of the time, a single warning line gets printed (the NOKEY warning that appears in the output below).
The warning has no effect on the installation at all, but curiosity made me want to find out what is actually going on.
To investigate, I downloaded two rpm packages: one from
http://rpmfind.net/linux/centos/8-stream/BaseOS/x86_64/os/Packages/lsscsi-0.32-3.el8.x86_64.rpm
and the other from the UOS repository.
```
[root@localhost rpm]# ls -lh
总用量 1.7M
-rw-r--r-- 1 root root 1.6M 10月 22 10:08 bash-doc-5.1.4-1.uelc20.x86_64.rpm
-rw-r--r-- 1 root root 72K 8月 25 15:27 lsscsi-0.32-3.el8.x86_64.rpm
```
First, let's take a closer look at the two rpms and see what is inside their package headers:
```
[root@localhost rpm]# rpm -qpf --xml ./lsscsi-0.32-3.el8.x86_64.rpm | more
警告:./lsscsi-0.32-3.el8.x86_64.rpm: 头V3 RSA/SHA256 Signature, 密钥 ID 8483c65d: NOKEY
<rpmHeader>
<rpmTag name="Headeri18ntable">
<string>C</string>
</rpmTag>
<rpmTag name="Sigsize">
<integer>67332</integer>
</rpmTag>
<rpmTag name="Sigpgp">
<base64>iQIVAwUAYSZTfAW1VbOEg8ZdAQgi8Q/+O+fhD6nlJjC+NwU9VAUcjVSYfN2o8+Jl
iOVlmkqOcbr8J8lvJ/M+IIs5SyUqyb8f5ANoZpxZYvvtBuLIOwVnoDDKEZ7pr4Mq
tL12WtlPjEQBTO+l7r6Ts5IdSi5y5nbHTetLZsbEkM3bKEMyTuFxwXKbqtlsw/Dh
YhbJHCYUlMtOv1W+72xfMZ9e0ZYQnrKB0MzNKx1hZHIBD1JkHt+9ZV2faqbC6rM3
LPPm4Z7GGMP93cOJIF6djewfwR8UBKgUdQI/m1fY+w1iOp0cImdAcAX+OSkZp+js
XwSqZwZqZfDWrZ7Aud+GOYY4A3qDEWoIrJvThS9R5RJe41uQEmPmAmDPniAEtK+T
jeK2LwItCpX/Z6lnTh2O2iNnt0dPGhEN+uI7gRr/8TnJv5SfA/KMYGrSIR+Pm5eL
xaYlqDdQBXwWVhX0kvZG/27NooMtKYaQDfo4THgpNxBa/7UakSedhEgGYXmUVxol
DXBuHNDnWwNJbDa6TnhjZt0pvln2riqZenUELeYf4B8Pej6t//hpYAmJN370+rDv
PG/MBVKohpuelWhIADM+9kcbaG57JBblNKLA+1p6Kce2LxSeFG2GrGhtsG+My4z+
UniLGSt5cSJWNbVsKG82SiItLIc0bICzDQBKjT5AEKGHuU0abPGM0H4kqDpEmMhO
YH0XqejTPhE=
</base64>
</rpmTag>
<rpmTag name="Sigmd5">
<base64>9ME2Gt4MJebKHJJXo1y8og==
</base64>
</rpmTag>
<rpmTag name="Rsaheader">
<base64>iQIVAwUAYSZTfQW1VbOEg8ZdAQje8w/+IBMLcMj9GFdY8u1g1z7RpQW+8yXe9KZu
ajctp+F5fvZOwtM+fYZRRTA+nAh73kBEmL/1bB8AOMalE/LgDKgQsZ5kWzQ4e4kX
kjeFSjS+1gXE74IexRk5JfrfDJrO8KNseqE1sL+dog7Az4T3eFYl6QMKdyDr35hS
q7ANXOzMBk0g6jemGuOoznE1a4J+JYG/ScQ1bcUyPb2+5I9g6r6T2Rrm6B2x7Dcj
kSDWHss76wOgGK5OFoNvgZEcKOc1E9zWBQ+EnxFZXb3JT4GBUrczNJ1Dz4zZGa9M
9KFzGPFck1BRADPIM2dSMOPOi85iEJJ7yakVN9o2OHqI3b3CvREzjscGfwoJA9dQ
nXb7g+Fpwoga3EU5b/Wksy0LOMq0M5XyAWLqIvhkRB/VzUF2aUWBmQZl/Mzjmrqs
SceBTVd8GHkuRxWprrAj1tqI+bBQsaRZAgWpyb6tmKomKNA3wYZi/8SB8c90z/25
KuzcqUvBqgxgWyVgAjUjeY9sLu56BcaYGKcadtBBVa7Xd4uSVQs84jAIVBjsgLz6
G+YpzCi9ZeYeK8VL+LsnUiVmUV1V4t32SUKDeRJcwgt7kPKpr6KyHkuIwkddRBn0
JEvlipMryeevhQMaO97sVg82nyV+Cb74a35KgWfdZa+1jxggFRBnrVIpj3M15kA5
EjIui0aVFJM=
</base64>
</rpmTag>
<rpmTag name="Sha1header">
<string>07d15ab9031b38bf2b39387be69e79ce4ebb1879</string>
</rpmTag>
<rpmTag name="Sha256header">
<string>c2c6ca3eab0fdc6ba756a01c7447afd6aaffff8061a4cf87c393228d0aff8c7a</string>
</rpmTag>
<rpmTag name="Name">
<string>lsscsi</string>
</rpmTag>

[root@localhost rpm]# rpm -q --xml ./bash-doc-5.1.4-1.uelc20.x86_64.rpm | more
<rpmHeader>
<rpmTag name="Headeri18ntable">
<string>C</string>
</rpmTag>
<rpmTag name="Sigsize">
<integer>1661212</integer>
</rpmTag>
<rpmTag name="Sigmd5">
<base64>yni5u1kyzSrSbtI0uh9N8g==
</base64>
</rpmTag>
<rpmTag name="Sha1header">
<string>df58437625f218025d237df8eaddd34e115e1505</string>
</rpmTag>
<rpmTag name="Sha256header">
<string>ae1c7972f4e6232b96b888602981c091512e28150c1cc62cf0e6ccad8ae2e828</string>
</rpmTag>
<rpmTag name="Name">
<string>bash-doc</string>
</rpmTag>
```
You can see that lsscsi carries Sigpgp, Rsaheader, Sigmd5, Sha1header and Sha256header, whereas the bash-doc package has no Sigpgp or Rsaheader at all.
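To make that difference concrete, here is an added example (my own code, not from the original post and not rpm's own implementation) that reads the signature header of an RPM file image and reports which of these tags it carries, using the tag numbers from rpm's rpmtag.h. The two sample package images are constructed inline with only an index and no data, so the script runs offline; the tag sets mirror the lsscsi and bash-doc headers above.

```python
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"    # first 4 bytes of the 96-byte RPM lead
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # magic + version that opens the signature header
LEAD_SIZE = 96

# Signature-header tag ids (rpm's RPMSIGTAG_* / RPMTAG_* values) mapped to the
# names that `rpm -qp --xml` prints for them.
SIGTAG_NAMES = {
    1000: "Sigsize", 1002: "Sigpgp", 1004: "Sigmd5", 1005: "Siggpg",
    1007: "Payloadsize", 267: "Dsaheader", 268: "Rsaheader",
    269: "Sha1header", 273: "Sha256header",
}
# Tags that hold an OpenPGP signature; every other tag above is only a digest.
SIGNATURE_TAGS = {"Sigpgp", "Siggpg", "Dsaheader", "Rsaheader"}


def signature_tags(rpm_bytes):
    """Return the names of the tags listed in the signature header index of an RPM image."""
    if rpm_bytes[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM file: bad lead magic")
    off = LEAD_SIZE
    if rpm_bytes[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    # header layout: magic(4) reserved(4) index-count(4) data-size(4), then 16-byte index entries
    nindex, = struct.unpack(">I", rpm_bytes[off + 8:off + 12])
    off += 16
    if len(rpm_bytes) < off + 16 * nindex:
        raise ValueError("truncated signature header index")
    names = []
    for i in range(nindex):
        tag, _type, _offset, _count = struct.unpack(">iiii", rpm_bytes[off + 16 * i:off + 16 * (i + 1)])
        names.append(SIGTAG_NAMES.get(tag, "tag%d" % tag))
    return names


def is_signed(rpm_bytes):
    """True if the package carries a PGP signature (like lsscsi), False if it only has digests (like bash-doc)."""
    return bool(SIGNATURE_TAGS.intersection(signature_tags(rpm_bytes)))


def build_sample(tags):
    """Constructed sample: an RPM lead plus a signature header whose index lists the given tag ids.
    The data area is left empty because only the index is inspected here."""
    lead = LEAD_MAGIC + bytes(LEAD_SIZE - 4)
    index = b"".join(struct.pack(">iiii", t, 7, 0, 1) for t in tags)  # type 7 = RPM_BIN_TYPE
    return lead + HEADER_MAGIC + bytes(4) + struct.pack(">II", len(tags), 0) + index


if __name__ == "__main__":
    for label, tags in (("lsscsi-like", [1000, 1002, 1004, 268, 269, 273]),
                        ("bash-doc-like", [1000, 1004, 269, 273])):
        image = build_sample(tags)
        print(label, signature_tags(image), "signed" if is_signed(image) else "digests only")
```

A header that lists only digest tags lets rpm detect corruption but says nothing about who built the package; only Sigpgp or Rsaheader can establish that, and only once the matching public key has been imported into the rpmdb.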
The header digests and the signature information can also be viewed directly with the command `rpm --checksig -v package.rpm`:
```
[root@localhost rpm]# rpm --checksig -v ./lsscsi-0.32-3.el8.x86_64.rpm
./lsscsi-0.32-3.el8.x86_64.rpm:
头V3 RSA/SHA256 Signature, 密钥 ID 8483c65d: NOKEY
头SHA256 digest: OK
头SHA1 digest: OK
Payload SHA256 digest: OK
V3 RSA/SHA256 Signature, 密钥 ID 8483c65d: NOKEY
MD5 digest: OK
[root@localhost rpm]# rpm --checksig -v ./bash-doc-5.1.4-1.uelc20.x86_64.rpm
./bash-doc-5.1.4-1.uelc20.x86_64.rpm:
头SHA256 digest: OK
头SHA1 digest: OK
Payload SHA256 digest: OK
MD5 digest: OK
```
This shows the same thing: lsscsi has an RSA/SHA256 Signature entry, while bash-doc has only digests and no signature information.
At this point, when you query or install the rpm, the one that carries a signature prints a warning:
```
[root@localhost rpm]# rpm -qpi ./lsscsi-0.32-3.el8.x86_64.rpm
警告:./lsscsi-0.32-3.el8.x86_64.rpm: 头V3 RSA/SHA256 Signature, 密钥 ID 8483c65d: NOKEY
Name : lsscsi
Version : 0.32
Release : 3.el8
Architecture: x86_64
Install Date: (not installed)
Group : Applications/System
Size : 128120
License : GPLv2+
Signature : RSA/SHA256, 2021年08月25日 星期三 15时28分13秒, Key ID 05b555b38483c65d
```
The rpm package without signature information prints no warning:
```
[root@localhost rpm]# rpm -qpi ./bash-doc-5.1.4-1.uelc20.x86_64.rpm
Name : bash-doc
Version : 5.1.4
Release : 1.uelc20
Architecture: x86_64
Install Date: (not installed)
Group : Unspecified
```
Now let's try fetching this public key from a public GPG keyserver:
```
[root@localhost rpm]# gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 05b555b38483c65d
gpg: 目录‘/root/.gnupg’已创建
gpg: 钥匙箱‘/root/.gnupg/pubring.kbx’已创建
gpg: /root/.gnupg/trustdb.gpg:建立了信任度数据库
gpg: 密钥 05B555B38483C65D:公钥 “CentOS (CentOS Official Signing Key) <security@centos.org>” 已导入
gpg: 处理的总数:1
gpg: 已导入:1
[root@localhost rpm]# gpg
gpg gpg-agent gpg-connect-agent gpgparsemail gpgsplit gpgv2 gpg-zip
gpg2 gpgconf gpg-error gpgsm gpgv gpg-wks-server
[root@localhost rpm]# gpg --list-keys
/root/.gnupg/pubring.kbx
------------------------
pub rsa4096 2019-05-03 [SC]
99DB70FAE1D7CE227FB6488205B555B38483C65D
uid [ 未知 ] CentOS (CentOS Official Signing Key) <security@centos.org>
```

After downloading it, export the public key and import it into the rpmdb. Before the import a query shows no key; after the import the key is listed:
```
[root@localhost rpm]# gpg --list-keys
/root/.gnupg/pubring.kbx
------------------------
pub rsa4096 2019-05-03 [SC]
99DB70FAE1D7CE227FB6488205B555B38483C65D
uid [ 未知 ] CentOS (CentOS Official Signing Key) <security@centos.org>

[root@localhost rpm]# gpg -a --export --armor -o centos.key
[root@localhost rpm]# file centos.key
centos.key: PGP public key block Public-Key (old)
[root@localhost rpm]# rpm -qa gpg-pubkey*
[root@localhost rpm]# rpm --import ./centos.key
[root@localhost rpm]# rpm -qa gpg-pubkey*
gpg-pubkey-8483c65d-5ccc5b19
[root@localhost rpm]# rpm -qi gpg-pubkey-8483c65d-5ccc5b19
Name : gpg-pubkey
Version : 8483c65d
Release : 5ccc5b19
Architecture: (none)
Install Date: 2021年10月22日 星期五 10时53分31秒
Group : Public Keys
Size : 0
License : pubkey
Signature : (none)
Source RPM : (none)
Build Date : 2019年05月03日 星期五 16时15分37秒
Build Host : localhost
Relocations : (not relocatable)
Packager : CentOS (CentOS Official Signing Key) <security@centos.org>
Summary : gpg(CentOS (CentOS Official Signing Key) <security@centos.org>)
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.14.2 (NSS-3)

mQINBFzMWxkBEADHrskpBgN9OphmhRkc7P/YrsAGSvvl7kfu+e9KAaU6f5MeAVyn
rIoM43syyGkgFyWgjZM8/rur7EMPY2yt+2q/1ZfLVCRn9856JqTIq0XRpDUe4nKQ
8BlA7wDVZoSDxUZkSuTIyExbDf0cpw89Tcf62Mxmi8jh74vRlPy1PgjWL5494b3X
5fxDidH4bqPZyxTBqPrUFuo+EfUVEqiGF94Ppq6ZUvrBGOVo1V1+Ifm9CGEK597c
aevcGc1RFlgxIgN84UpuDjPR9/zSndwJ7XsXYvZ6HXcKGagRKsfYDWGPkA5cOL/e
f+yObOnC43yPUvpggQ4KaNJ6+SMTZOKikM8yciyBwLqwrjo8FlJgkv8Vfag/2UR7
JINbyqHHoLUhQ2m6HXSwK4YjtwidF9EUkaBZWrrskYR3IRZLXlWqeOi/+ezYOW0m
vufrkcvsh+TKlVVnuwmEPjJ8mwUSpsLdfPJo1DHsd8FS03SCKPaXFdD7ePfEjiYk
nHpQaKE01aWVSLUiygn7F7rYemGqV9Vt7tBw5pz0vqSC72a5E3zFzIIuHx6aANry
Gat3aqU3qtBXOrA/dPkX9cWE+UR5wo/A2UdKJZLlGhM2WRJ3ltmGT48V9CeS6N9Y
m4CKdzvg7EWjlTlFrd/8WJ2KoqOE9leDPeXRPncubJfJ6LLIHyG09h9kKQARAQAB
tDpDZW50T1MgKENlbnRPUyBPZmZpY2lhbCBTaWduaW5nIEtleSkgPHNlY3VyaXR5
QGNlbnRvcy5vcmc+iQI3BBMBAgAhBQJczFsZAhsDBgsJCAcDAgYVCAIJCgsDFgIB
Ah4BAheAAAoJEAW1VbOEg8ZdjOsP/2ygSxH9jqffOU9SKyJDlraL2gIutqZ3B8pl
Gy/Qnb9QD1EJVb4ZxOEhcY2W9VJfIpnf3yBuAto7zvKe/G1nxH4Bt6WTJQCkUjcs
N3qPWsx1VslsAEz7bXGiHym6Ay4xF28bQ9XYIokIQXd0T2rD3/lNGxNtORZ2bKjD
vOzYzvh2idUIY1DgGWJ11gtHFIA9CvHcW+SMPEhkcKZJAO51ayFBqTSSpiorVwTq
a0cB+cgmCQOI4/MY+kIvzoexfG7xhkUqe0wxmph9RQQxlTbNQDCdaxSgwbF2T+gw
byaDvkS4xtR6Soj7BKjKAmcnf5fn4C5Or0KLUqMzBtDMbfQQihn62iZJN6ZZ/4dg
q4HTqyVpyuzMXsFpJ9L/FqH2DJ4exGGpBv00ba/Zauy7GsqOc5PnNBsYaHCply0X
407DRx51t9YwYI/ttValuehq9+gRJpOTTKp6AjZn/a5Yt3h6jDgpNfM/EyLFIY9z
V6CXqQQ/8JRvaik/JsGCf+eeLZOw4koIjZGEAg04iuyNTjhx0e/QHEVcYAqNLhXG
rCTTbCn3NSUO9qxEXC+K/1m1kaXoCGA0UWlVGZ1JSifbbMx0yxq/brpEZPUYm+32
o8XfbocBWljFUJ+6aljTvZ3LQLKTSPW7TFO+GXycAOmCGhlXh2tlc6iTc41PACqy
yy+mHmSv
=kkH7
-----END PGP PUBLIC KEY BLOCK-----
```
Now, when we query or install the rpm again, no warning is reported:
```
[root@localhost rpm]# rpm -qpi ./lsscsi-0.32-3.el8.x86_64.rpm
Name : lsscsi
Version : 0.32
Release : 3.el8
Architecture: x86_64
Install Date: (not installed)
Group : Applications/System
Size : 128120
License : GPLv2+
Signature : RSA/SHA256, 2021年08月25日 星期三 15时28分13秒, Key ID 05b555b38483c65d
Source RPM : lsscsi-0.32-3.el8.src.rpm
Build Date : 2021年08月25日 星期三 00时20分06秒
Build Host : x86-02.mbox.centos.org
Relocations : (not relocatable)
Packager : CentOS Buildsys <bugs@centos.org>
Vendor : CentOS
URL : http://sg.danny.cz/scsi/lsscsi.html
Summary : List SCSI devices (or hosts) and associated information
Description :
Uses information provided by the sysfs pseudo file system in Linux kernel
2.6 series to list SCSI devices or all SCSI hosts. Includes a "classic"
option to mimic the output of "cat /proc/scsi/scsi" that has been widely
used prior to the lk 2.6 series.

Author:
--------
Doug Gilbert <dgilbert(at)interlog(dot)com>
[root@localhost rpm]# rpm --checksig -v ./lsscsi-0.32-3.el8.x86_64.rpm
./lsscsi-0.32-3.el8.x86_64.rpm:
头V3 RSA/SHA256 Signature, 密钥 ID 8483c65d: OK
头SHA256 digest: OK
头SHA1 digest: OK
Payload SHA256 digest: OK
V3 RSA/SHA256 Signature, 密钥 ID 8483c65d: OK
MD5 digest: OK
```
Of course, besides importing the official GPG public key into the rpmdb, you can also generate your own GPG key pair and use it to sign an unsigned rpm package, or to re-sign one that is already signed.
First, install the rpm-sign package with `dnf install rpm-sign`.
Then run `gpg --gen-key` and follow the wizard to generate the key pair.
Then add the key information to rpm's macro configuration file:
```
[root@localhost rpm]# cat /etc/rpm/macros.dist
# dist macros.

%rhel 8
%dist .uelc20
%el8 1
%uos 20
%vendor UniontechOSTech
%packager UniontechOS Linux
%_gpg_name actionchen <xxx@xxx.com>
```
The last line is the identity of the key we generated ourselves; rpmsign uses the `%_gpg_name` macro to select the signing key.
```
[root@localhost rpm]# rpm -qpi bash-doc-5.1.4-1.uelc20.x86_64.rpm
Name : bash-doc
Version : 5.1.4
Release : 1.uelc20
Architecture: x86_64
Install Date: (not installed)
Group : Unspecified
Size : 5402042
License : GPLv3+
Signature : (none)
Source RPM : bash-5.1.4-1.uelc20.src.rpm
Build Date : 2021年04月13日 星期二 08时08分12秒
Build Host : ChengJieOS-kojibuilder-x86-64-04
Relocations : (not relocatable)
Packager : ChengJie Linux
Vendor : ChengJieTech
URL : https://www.gnu.org/software/bash
Summary : Documentation files for bash
Description :
This package contains documentation files for bash.
[root@localhost rpm]# rpmsign --addsign ./bash-doc-5.1.4-1.uelc20.x86_64.rpm
./bash-doc-5.1.4-1.uelc20.x86_64.rpm:
[root@localhost rpm]# rpm -qpi bash-doc-5.1.4-1.uelc20.x86_64.rpm
警告:bash-doc-5.1.4-1.uelc20.x86_64.rpm: 头V4 RSA/SHA256 Signature, 密钥 ID 8179890f: NOKEY
Name : bash-doc
Version : 5.1.4
Release : 1.uelc20
Architecture: x86_64
Install Date: (not installed)
Group : Unspecified
Size : 5402042
License : GPLv3+
Signature : RSA/SHA256, 2021年10月22日 星期五 11时09分03秒, Key ID dafe3c258179890f
Source RPM : bash-5.1.4-1.uelc20.src.rpm
Build Date : 2021年04月13日 星期二 08时08分12秒
Build Host : ChengJieOS-kojibuilder-x86-64-04
Relocations : (not relocatable)
Packager : ChengJie Linux
Vendor : ChengJieTech
URL : https://www.gnu.org/software/bash
Summary : Documentation files for bash
Description :
This package contains documentation files for bash.
```
You can see that after signing, the package now carries signature information, but it still reports NOKEY because our own public key is not yet in the rpmdb:
```
[root@localhost rpm]# rpm --checksig -v ./bash-doc-5.1.4-1.uelc20.x86_64.rpm
./bash-doc-5.1.4-1.uelc20.x86_64.rpm:
头V4 RSA/SHA256 Signature, 密钥 ID 8179890f: NOKEY
头SHA256 digest: OK
头SHA1 digest: OK
Payload SHA256 digest: OK
V4 RSA/SHA256 Signature, 密钥 ID 8179890f: NOKEY
MD5 digest: OK
```
In the same way, following the procedure above (export the public key with gpg and `rpm --import` it into the rpmdb), the NOKEY problem disappears for packages signed with our own key.