How to manually verify the signature of an rpm file

What I need

A way to obtain an asc file containing the signature from an rpm file.

Why I need it

I came across this Reddit thread: the Chrome packages installed from https://www.google.com/linuxrepositories/ cannot have their signatures verified, because the rpm version in CentOS 7 does not support verifying against subkeys. One of the commenters suggested that https://bugzilla.redhat.com/show_bug.cgi?id=227632 may be a related issue.

One workaround for me is to verify the signature in the rpm file manually with gpg. But I need a way to extract the signature from the rpm file.

What I have tried

rpm -qp --qf '%|SIGTAG_GPG?{%{SIGTAG_GPG:pgpsig}}:{(none)}|\n' google-chrome-stable_current_x86_64.rpm to get the ID of the public key associated with the file, but I believe this is only metadata, not the actual signature, so it cannot verify that the file was really signed by the key it reports (correct me if this understanding is wrong).

FROM centos:7

RUN printf "[google-chrome]\nname=google-chrome\nbaseurl=http://dl.google.com/linux/chrome/rpm/stable/\$basearch\nenabled=1\ngpgcheck=1\ngpgkey=https://dl-ssl.google.com/linux/linux_signing_key.pub\n" >> /etc/yum.repos.d/google-chrome.repo && \
    yum -y install google-chrome-stable && \
    yum clean all

#6 13.87 warning: /var/cache/yum/x86_64/7/base/packages/alsa-lib-1.1.8-1.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
#6 13.87 Public key for alsa-lib-1.1.8-1.el7.x86_64.rpm is not installed
#6 15.12 Public key for emacs-filesystem-24.3-23.el7_9.1.noarch.rpm is not installed
#6 26.25 warning: /var/cache/yum/x86_64/7/google-chrome/packages/google-chrome-stable-114.0.5735.198-1.x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID a3b88b8b: NOKEY
#6 26.25 Public key for google-chrome-stable-114.0.5735.198-1.x86_64.rpm is not installed
#6 29.55 --------------------------------------------------------------------------------
#6 29.55 Total                                              8.1 MB/s | 132 MB  00:16     
#6 29.55 Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
#6 29.56 Importing GPG key 0xF4A80EB5:
#6 29.56  Userid     : "CentOS-7 Key (CentOS 7 Official Signing Key) <[email protected]>"
#6 29.56  Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
#6 29.56  Package    : centos-release-7-9.2009.0.el7.centos.x86_64 (@CentOS)
#6 29.56  From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
#6 29.59 Retrieving key from https://dl-ssl.google.com/linux/linux_signing_key.pub
#6 30.40 Importing GPG key 0x7FAC5991:
#6 30.40  Userid     : "Google, Inc. Linux Package Signing Key <[email protected]>"
#6 30.40  Fingerprint: 4cca 1eaf 950c ee4a b839 76dc a040 830f 7fac 5991
#6 30.40  From       : https://dl-ssl.google.com/linux/linux_signing_key.pub
#6 30.41 Importing GPG key 0xD38B4796:
#6 30.41  Userid     : "Google Inc. (Linux Packages Signing Authority) <[email protected]>"
#6 30.41  Fingerprint: eb4c 1bfd 4f04 2f6d ddcc ec91 7721 f63b d38b 4796
#6 30.41  From       : https://dl-ssl.google.com/linux/linux_signing_key.pub
#6 30.41 
#6 30.41 
#6 30.41 Public key for google-chrome-stable-114.0.5735.198-1.x86_64.rpm is not installed
#6 30.41 
#6 30.41 
#6 30.41  Failing package is: google-chrome-stable-114.0.5735.198-1.x86_64
#6 30.41  GPG Keys are configured as: https://dl-ssl.google.com/linux/linux_signing_key.pub

Answer 1

This script, mentioned in the same Reddit thread, seems to extract the signature and the payload from an RPM file:

https://github.com/rpm-software-management/rpm/blob/master/scripts/tgpg

There must be a better way!
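As an added example (not from the question, the answer, or rpm's own tgpg script), a Python parser for the rpm on-disk layout that pulls the OpenPGP signature packet out of the signature header together with the exact bytes it covers, which is what gpg needs to check the package independently of the distro's rpm version. The header layout and tag numbers are rpm's; build_sample_rpm() constructs a dummy image for testing and is not a real package.

```python
import struct

LEAD_SIZE = 96                      # fixed-size lead at the start of every rpm file
RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # header-structure magic followed by version 1
BIN = 7                             # RPM_BIN_TYPE: raw bytes, the type signatures use
# Signature-header tags (numbers from rpm's rpmtag.h) and the region each one signs.
SIG_TAGS = {267: ("DSA", "header"), 268: ("RSA", "header"),                   # V4: header only
            1002: ("PGP", "header+payload"), 1005: ("GPG", "header+payload")}  # V3: header+payload

def _parse_header(buf, off):
    """Parse one header structure at buf[off:]; return ({tag: bytes}, end_offset)."""
    if buf[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    index, store = off + 16, off + 16 + 16 * nindex   # index entries, then the data store
    entries = {}
    for i in range(nindex):
        tag, typ, eoff, count = struct.unpack(">IIII", buf[index + 16 * i:index + 16 * i + 16])
        if typ == BIN:                                # for BIN entries count is the byte length
            entries[tag] = buf[store + eoff:store + eoff + count]
    return entries, store + hsize

def split_rpm(data):
    """Return [(name, scope, signature_packet, signed_bytes)] for each signature in the file."""
    if data[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an rpm file")
    sig_entries, sig_end = _parse_header(data, LEAD_SIZE)
    sig_end += (8 - (sig_end - LEAD_SIZE) % 8) % 8    # signature header is padded to 8 bytes
    _, hdr_end = _parse_header(data, sig_end)         # main header starts right after the pad
    region = {"header": data[sig_end:hdr_end], "header+payload": data[sig_end:]}
    return [(name, scope, sig_entries[tag], region[scope])
            for tag, (name, scope) in SIG_TAGS.items() if tag in sig_entries]

def _header(entries):
    """Build a header structure from {tag: bytes} (all BIN); only used to construct the sample."""
    index = store = b""
    for tag, blob in entries.items():
        index += struct.pack(">IIII", tag, BIN, len(store), len(blob))
        store += blob
    return HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store)) + index + store

def build_sample_rpm(sig_tag=268, sig=b"sig-packet-13", payload=b"PAYLOAD"):
    """Constructed minimal rpm image (NOT a real package; the signature is a dummy blob)."""
    sighdr = _header({sig_tag: sig})
    sighdr += b"\0" * ((8 - len(sighdr) % 8) % 8)
    lead = RPM_LEAD_MAGIC + bytes([3, 0]) + b"\0" * (LEAD_SIZE - 6)   # version 3.0, rest zeroed
    return lead + sighdr + _header({1000: b"name\0"}) + payload        # 1000 = RPMTAG_NAME, as BIN
```

Write the two byte strings of a real package to files and run gpg --verify with the signature file first and the signed region second; gpg accepts the binary OpenPGP packet as a detached signature, so no armoring is needed. Note that the "Header V4 RSA" signature shown in the build log above covers only the header, not the payload.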
