RPM 的加密签名可以使用该rpm -K
命令进行验证。如果签名在 RPM 的数据库中并且有效,则返回一个包含gpg
(或pgp
) 并以 结尾的字符串。OK
如果包未签名但校验和有效,您仍然会得到OK
,但不会得到gpg
。
如果包已签名,但 RPM 数据库中缺少密钥,您将得到(GPG)
(大写字母)和NOT OKAY
,后跟(MISSING KEYS: GPG#deadbeef)
。
如果我想弄清楚应该找到什么密钥来安装以使我的软件包安装工作,这很方便。
但如果我想验证怎么办哪个我的 RPM 密钥环中的几个密钥用于签署给定的包?
答案1
通过 列出了一个签名字段rpm -qpi package.rpm
,例如:
[vagrant@vm-one ~]$ rpm -qpi puppet-3.7.4-1.el6.noarch.rpm
Name : puppet
Version : 3.7.4
Release : 1.el6
Architecture: noarch
Install Date: (not installed)
Group : System Environment/Base
Size : 6532300
License : ASL 2.0
Signature : RSA/SHA512, Tue 27 Jan 2015 11:17:18 PM UTC, Key ID 1054b7a24bd6ec30
Source RPM : puppet-3.7.4-1.el6.src.rpm
Build Date : Mon 26 Jan 2015 11:48:15 PM UTC
Build Host : tahoe.delivery.puppetlabs.net
Relocations : (not relocatable)
Vendor : Puppet Labs
URL : http://puppetlabs.com
Summary : A network tool for managing many disparate systems
Description :
Puppet lets you centrally manage every important aspect of your system using a
cross-platform specification language that manages all the separate elements
normally aggregated in different files, like users, cron jobs, and hosts,
along with obviously discrete elements like packages, services, and files.
答案2
rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n'
答案3
要找出 RPM DB 中的哪个 GPG 密钥签署了特定的 rpm,请执行以下操作:
列出 RPM DB 中的所有 GPG 密钥:
$ rpm -qa gpg-pubkey*
...
...
gpg-pubkey-b1275ea3-546d1808
...
...
首先确保有问题的转速是使用 RPM DB 中的密钥进行签名:
$ rpm -K hp/mlnx-en-utils-2.2-1.0.7.0.g0055740.rhel6u4.x86_64.rpm
hp/mlnx-en-utils-2.2-1.0.7.0.g0055740.rhel6u4.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
您正在寻找最后的“OK”,而不是“NOT OK(MISSING KEYS)”,这意味着它已被签名,但签名的密钥不在您的 RPM DB 中。
是的,我们正在检查的 rpm 已由 RPM DB 中的密钥签名。
然后获取 rpm 签名所用的密钥 ID:
$ rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n' -p hp/mlnx-en-utils-2.2-1.0.7.0.g0055740.rhel6u4.x86_64.rpm
mlnx-en-utils-2.2-1.0.7.0.g0055740.rhel6u4 RSA/SHA1, Tue Apr 14 12:34:51 2015, Key ID fadd8d64b1275ea3 (none)
现在您可以查看是否最后 8 个字符密钥 ID 的(即 fadd8d64b1275ea3 中的 b1275ea3)对应于第一个命令中 gpg-pubkey- 后面的 8 个字符中的任何一个。在这种情况下,确实如此!
然后你就有了相关的密钥,所以:
$ rpm -qi gpg-pubkey-b1275ea3-546d1808
在这个例子中,您可以看到是 HP 的密钥签署了该 rpm。
希望这可以帮助。我花了一段时间才弄清楚。 :-)
答案4
发出less <rpm file>
并检查Signature
条目,例如:
[vagrant@vm-one ~]$ less artifactory-3.5.3.rpm
Name : artifactory
Version : 3.5.3
Release : 30172
Architecture: noarch
Install Date: (not installed)
Group : Development/Tools
Size : 42286184
License : LGPL
Signature : (none)
Source RPM : artifactory-3.5.3-30172.src.rpm
Build Date : Thu 19 Mar 2015 04:47:04 PM UTC
Build Host : artbuild2.jfrog.local
Relocations : (not relocatable)
Vendor : JFrog Ltd.
URL : http://www.jfrog.org
Summary : Binary Repository Manager
Description :
The best binary repository manager around.
-rwxrwxr-x 1 root root 7891 Mar 19 16:47 /etc/init.d/artifactory
drwxr-xr-x 2 artifactartifact 0 Mar 19 16:47 /etc/opt/jfrog/artifactory
-rwxrwx--- 1 artifactartifact 9855 Mar 19 16:47 /etc/opt/jfrog/artifactory/artifactory.config.xml
-rwxrwx--- 1 artifactartifact 11172 Mar 19 16:47 /etc/opt/jfrog/artifactory/artifactory.system.properties
-rwxrwx--- 1 artifactartifact 457 Mar 19 16:47 /etc/opt/jfrog/artifactory/default
-rwxrwx--- 1 artifactartifact 6858 Mar 19 16:47 /etc/opt/jfrog/artifactory/logback.xml
-rwxrwx--- 1 artifactartifact 5470 Mar 19 16:47 /etc/opt/jfrog/artifactory/mimetypes.xml
drwxrwxr-x 2 root root 0 Mar 19 16:47 /opt/jfrog
drwxrwxr-x 2 root root 0 Mar 19 16:47 /opt/jfrog/artifactory/bin
-rwxrwxr-x 1 root root 103424 Mar 19 16:47 /opt/jfrog/artifactory/bin/artifactory-service.exe
-rwxrwxr-x 1 root root 1366 Mar 19 16:47 /opt/jfrog/artifactory/bin/artifactory.bat
-rwxrwxr-x 1 root root 457 Mar 19 16:47 /opt/jfrog/artifactory/bin/artifactory.default
artifactory-3.5.3.rpm