To sign packages, you need to ensure that you have the gpg command installed and configured. To check that this command is installed, use a command like the following:

$ rpm -qf `which gpg`

gnupg-1.0.7-6

This shows that the command is available.

GPG and PGP? Acronyms Explained

The RPM documentation uses GPG and PGP pretty much interchangeably, so much so, in fact, that you may think these are typographical errors. Not so.

PGP stands for Pretty Good Privacy. Invented by Phil Zimmerman, PGP was originally invented to encrypt e-mail to allow for private communication. Based on a public-key cryptography algorithm, PGP also supports encrypted digital signatures. These signatures allow you to verify that a package you have downloaded really comes from the vendor you think it does. You do this by using the vendor’s public key.

GPG stands for GNU Privacy Guard, a free, open-source implementation of PGP from the GNU project. GPG aims to be compatible with the OpenPGP Internet standard as defined in RFC 2440. It started when a number of developers wanted a free implementation. One such free implementation, GPG, allows Linux vendors such as Red Hat to include PGP in their products. So, in a sense, GPG provides PGP.

PGP has a long and somewhat troubled history as an open-source product and as a commercial product. See www.philzimmermann.com for background on PGP and its long history. See www.gnupg.org for more details on GPG.

To configure a signature, you first need to create a new key with the gpg command, using the --gen-key option, as shown following:

$ gpg --gen-key

gpg (GnuPG) 1.0.7; Copyright (C) 2002 Free Software Foundation, Inc.

This program comes with ABSOLUTELY NO WARRANTY.

This is free software, and you are welcome to redistribute it

under certain conditions. See the file COPYING for details.

gpg: Warning: using insecure memory!

gpg: please see http://www.gnupg.org/faq.html for more information

gpg: keyring `/home2/ericfj/.gnupg/secring.gpg' created

gpg: keyring `/home2/ericfj/.gnupg/pubring.gpg' created

Please select what kind of key you want:

(1) DSA and ElGamal (default)

(2) DSA (sign only)

(4) ElGamal (sign and encrypt)

(5) RSA (sign only)

Your selection? 1

DSA keypair will have 1024 bits.

About to generate a new ELG-E keypair.

minimum keysize is 768 bits

default keysize is 1024 bits

highest suggested keysize is 2048 bits

What keysize do you want? (1024)

Requested keysize is 1024 bits

Please specify how long the key should be valid.

0 = key does not expire

<n> = key expires in n days

<n>w = key expires in n weeks

<n>m = key expires in n months

<n>y = key expires in n years

Key is valid for? (0)

You need a User-ID to identify your key; the software constructs the user id

from Real Name, Comment and Email Address in this form:

"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Eric Foster-Johnson

Email address: please_no_spam@nospam.com

Comment: Example for Red Hat RPM Guide

You selected this USER-ID:

"Eric Foster-Johnson (Example for Red Hat RPM Guide) <erc@no_spam.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

O

You need a Passphrase to protect your secret key.

Enter passphrase:

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

+++++++++++++++++++++++++++++++++++..+++++..++++++++++>++++++++++........+++++

gpg: /home2/ericfj/.gnupg/trustdb.gpg: trustdb created

public and secret key created and signed.

key marked as ultimately trusted.

pub 1024D/01681C24 2002-11-05 Eric Foster-Johnson (Example for Red Hat RPM

Guide) <please_no_spam@nospam.com>

Key fingerprint = 8C14 A2E9 47D1 301B 2153 7CDF BEE5 9C10 0268 1D24

sub 1024g/1A15D6C8 2002-11-05

You can choose the default options for most choices. You need to enter a real name, an e-mail address, and a pass phrase. Remember the pass phrase. You will need to enter the pass phrase every time you wish to sign a package.

Once you have a key, the next step is to set up some RPM macros. There are a number of places you can do this, but using the .rpmmacros file in your home directory is one of the easiest. Edit this file as shown in the following example:

%_signature gpg

%_gpg_path /home2/ericfj/.gnupg

%_gpg_name EricFJ (Eric Key) <erc@no_spam.com>

%_gpgbin /usr/bin/gpg

Add lines like these to the $HOME/.rpmmacros file. (Create this file if it does not exist.)

Cross Reference

Chapter 21 covers RPM macros and the $HOME/.rpmmacros file.

Inside the file, change the %gpg_path macro to the .gnupg directory under your home directory (or the root user’s home directory). Change the %_gpg_name macro to the name you have entered into the gpg program.

The --sign option tells the rpmbuild command to sign the created package. You need to have configured the RPM system for your signature as shown in the previous sections.

When you then build an RPM, you will be prompted for your pass phrase prior to the package build. For example, the following shows this prompt (and truncates the rest of the rpmbuild messages that follow):

$ rpmbuild -bb --sign xtoolwait-1.2.spec

Enter pass phrase:

Pass phrase is good.

In addition to the --sign option for the rpmbuild command, you can sign packages that have already been created using the rpm command. The --addsign and --resign options generate new signatures and insert them into the passed-in package file. The basic syntax is:

rpm --addsign package.rpm

rpm --resign package.rpm

The --addsign option adds another signature to the RPM. RPM versions prior to 4.1 allowed you to sign a package with multiple keys, which causes problems for automatic verification. Because of that, use the --resign option, which removes the old signature and inserts a new signature into the package.

You can verify the RPM signature to ensure that the package has not been modified since it has been signed. Verification also checks that the package is signed by the key that matches the claimed vendor.

To verify the signature in an RPM, use the -K option to the rpm command. The basic syntax is:

rpm -K package.rpm

Note

This is the rpm command, not the rpmbuild command.

This command accepts the options shown in Table 12-3 to turn off checking for certain types of signatures.

Table 12-3 Options to turn off signature checking

You can also use the --checksig option, which is the same as -K. When you run this command on a package that has a verifiable key, you will see output like the following:

# rpm -K xtoolwait-1.3-3.src.rpm

xtoolwait-1.3-3.src.rpm: (sha1) dsa sha1 md5 gpg OK

This verifies that the package has not been changed from when it was first signed. It also verifies that the signature matches the public key from the vendor of the package. This goes a long ways toward verifying that the package is indeed legitimate.

To get more information, add a -v (verbose) option. For example:

$ rpm -Kv vixie-cron-3.0.1-69.src.rpm

vixie-cron-3.0.1-69.src.rpm:

Header V3 DSA signature: OK, key ID db42a60e

Header SHA1 digest: OK (ecbb244ab022ecd23114bb1d6c9bdeb74f8d9520)

MD5 digest: OK (fb0a75eca1d526d391c36dc956c23bdd)

V3 DSA signature: OK, key ID db42a60e

If you run this command on a package that does not verify, you’ll see an error like the following:

# rpm --checksig xtoolwait-1.3-3.src.rpm

xtoolwait-1.3-3.src.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#db42a60e)

Items that fail are listed in uppercase, such as DSA, while items that succeed appear in lowercase. In this example, the sha1 and md5 tests succeeded, while the DSA test failed. This failure does not necessarily mean that the package is not legitimate. This failure can mean one of three things:

1.The package was not properly signed in the first place. That is, it is a legitimate package but the package author did not properly sign the RPM.

2.The package has been modified in some way. That is, the package is not legitimate.

3.The RPM system has not been initialized with the public key from the package vendor.

From this error, you don’t yet know whether the package is legitimate or not. The first step, though, is to check that you have imported the proper public key from the package vendor.

The --import option to the rpm command imports the public key from a given vendor. The format for this key follows:

The following public key can be used to verify RPM packages built and

signed by Red Hat, Inc. using `rpm -K' using the GNU GPG package.

Questions about this key should be sent to security@redhat.com.

-----BEGIN PGP PUBLIC KEY BLOCK-----

Version: GnuPG v1.0.0 (GNU/Linux)

Comment: For info see http://www.gnupg.org

mQGiBDfqVEqRBADBKr3Bl6PO8BQ0H8sJoD6p9U7Yyl7pjtZqioviPwXP+DCWd4u8

HQzcxAZ57m8ssA1LK1Fx93coJhDzM130+p5BG9mYSPShLabR3N1KXdXAYYcowTOM

GxdwYRGr1Spw8QydLhjVfU1VSl4xt6bupPbFJbyjkg5Z3P7BlUOUJmrx3wCgobNV

EDGaWYJcch5z5B1of/41G8kEAKii6q7Gu/vhXXnLS6m15oNnPVybyngiw/23dKjS

ti/PYrrL2J11P2ed0x7zm8v3gLrY0cue1iSba+8glY+p31ZPOr5ogaJw7ZARgoS8

BwjyRymXQp+8Dete0TELKOL2/itDOPGHW07SsVWOR6cmX4VlRRcWB5KejaNvdrE5

4XFtOd04NMgWI63uqZc4zkRa+kwEZtmbz3tHSdWCCE+Y7YVP6IUf/w6YPQFQriWY

FiA6fD10eB+BlIUqIw80EqjsBKmCwvKkn4jg8kibUgj4/TzQSx77uYokw1EqQ2wk

OZoaEtcubsNMquuLCMWijYhGBBgRAgAGBQI36lRyAAoJECGRgM3bQqYOhyYAnj7h

VDY/FJAGqmtZpwVp9IlitW5tAJ4xQApr/jNFZCTksnI+4O1765F7tA==

=3AHZ

-----END PGP PUBLIC KEY BLOCK-----

Note

For reasons of space, this is not a complete key.

You need to pass the name of the text file that holds the key to the rpm --import command, as shown following:

rpm --import key_file

Note

You must be logged in as the root user to import keys.

For example:

# rpm --checksig xtoolwait-1.3-3.src.rpm

xtoolwait-1.3-3.src.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#db42a60e)

# rpm --import RPM-GPG-KEY

# rpm --checksig xtoolwait-1.3-3.src.rpm

xtoolwait-1.3-3.src.rpm: (sha1) dsa sha1 md5 gpg OK

This example shows an error message when trying to verify the key. Then, after importing the Red Hat public key, the verification works.

If, after importing this key, you still have problems, you can assume there are problems with the package. Many administrators will refuse to install such packages.

Warning

You should be careful with packages that have signatures that do not verify.

To list the available keys, use a command like the following:

$ rpm -qa | grep -i gpg

gpg-pubkey-db42a60e-37ea5438

This example shows one key installed.

Note

You can erase this key as if it were a package, using the rpm -e command.

Strangely enough, the Red Hat public key is not installed when you install Red Hat Linux 8.0. If you need the key, the Red Hat public key is available on the root directory of all Red Hat Linux CD-ROMs, as shown in the following listing:

$ ls /mnt/cdrom/

EULA GPL README RedHat/ RPM-GPG-KEY SRPMS/ TRANS.TBL

Simply copy the RPM-GPG-KEY file to get the public key. Then use the rpm --import command with this key file.

Note

You can also download this key file from the Red Hat FTP site, at ftp://ftp.redhat.com/pub/redhat/linux/8.0/en/os/i386/.