How do I create a signed RPM package for my binaries?
I need to distribute my binaries as signed RPM packages on RHEL 4, using GPG.
YUM (http://yum.baseurl.org) is used to distribute the binaries.
Answer 1
I have used these steps in the past to sign RPMs. They are mostly derived from a tutorial titled "Sign RPMs with your own key".
Generate a key
$ gpg --gen-key
gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) "
Real name: Repository Owner
Email address: [email protected]
Comment:
You selected this USER-ID:
"Repository Owner "
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++.+++++++++++++++++++++++++..+++++...+++++++++++++++....++++++++++++++++++++....++++++++++++++++++++++++++++++..+++++..+++++++++++++++.++++++++++.+++++.........+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++++++++++++++++++++++++++++++++....+++++...+++++.+++++++++++++++..++++++++++++++++++++++++++++++.+++++++++++++++....+++++..+++++...+++++++++++++++..+++++>++++++++++>+++++>+++++.............<+++++....>.+++++..............+++++^^^
gpg: key 79E7E0DB marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0 valid: 2 signed: 13 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1 valid: 13 signed: 2 trust: 13-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2007-12-31
pub 1024D/79E7E0DB 2007-10-08
Key fingerprint = 5ACE 5EBF ED46 BAF7 93BD 8F02 E0BB DB6B 79E7 E0DB
uid Repository Owner
sub 2048g/04F5FDBA 2007-10-08
Configure the build environment to use the key
Add the following to the file $HOME/.rpmmacros.
%_signature gpg
%_gpg_name Repository Owner
Note: the %_gpg_name tag must match the output from the key generation; this basically tells rpm which key to use for signing.
Sign the RPM
$ rpm --resign sabayon-2.12.1-1.src.rpm
Enter pass phrase:
Pass phrase is good.
sabayon-2.12.1-1.src.rpm:
Now verify that the RPM is signed.
$ rpm -K sabayon-2.12.1-1.src.rpm
sabayon-2.12.1-1.src.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#79e7e0db)
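This is actually OK. It is just telling you that the RPM is signed, but that your RPM installation does not have the corresponding key associated with this signature.
Save the key
You can extract the key generated above using the following command.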
$ gpg --export -a "Repository Owner " >RPM-GPG-KEY-example.com
You can import it using:
$ rpm --import RPM-GPG-KEY-example.com
And verify that it is loaded:
$ rpm -q gpg-pubkey-*
gpg-pubkey-f51839ac-46362566
gpg-pubkey-b2980b13-3c1d0597
gpg-pubkey-44cb93fd-4a68c9c4
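
Added example, not part of the answer above and not code from rpm: a POSIX shell filter that reads rpm -K output and blocks a repository publish step unless every package has a signature checked against an imported key. The function names and the second and third sample lines are assumptions; it also accepts the "digests signatures OK" form printed by newer rpm, which goes beyond the output shown in the answer.

```shell
#!/bin/sh
# Added example: gate a publish step on `rpm -K` output. Assumes the legacy
# checksig line format quoted in the answer, where lowercase tokens passed
# and UPPERCASE tokens failed.

# classify_checksig LINE -> prints verified | unsigned | failed | missing-key <ids>
classify_checksig() {
    result=${1#*": "}                     # drop the "<file>: " prefix
    case $result in
        *"MISSING KEYS:"*)                # signed, but public key not imported
            ids=${result##*"MISSING KEYS: "}
            ids=${ids%%")"*}
            printf 'missing-key %s\n' "$ids" ;;
        *"NOT OK"*)                       # digest or signature mismatch
            echo failed ;;
        *gpg*OK | *pgp*OK | *signatures*OK)
            echo verified ;;              # "signatures" covers newer rpm output
        *OK)
            echo unsigned ;;              # digests only, no signature checked
        *)
            echo failed ;;                # unrecognised line: fail closed
    esac
}

# gate_checksig: read `rpm -K` lines on stdin, report every package that is
# not verified, and return non-zero if any package was reported.
gate_checksig() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict=$(classify_checksig "$line")
        if [ "$verdict" != verified ]; then
            printf '%s: %s\n' "${line%%: *}" "$verdict"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input; the first line is the output quoted in the answer.
SAMPLE='sabayon-2.12.1-1.src.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#79e7e0db)
signed-example-1.0-1.noarch.rpm: (sha1) dsa sha1 md5 gpg OK
unsigned-example-1.0-1.noarch.rpm: sha1 md5 OK'

printf '%s\n' "$SAMPLE" | gate_checksig || echo "publish blocked"
```

In a real pipeline the input would come from rpm -K *.rpm, run on a host where only the repository's public key has been imported with rpm --import.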