1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
|
/*! \page signatures Signature header
The 2.1 release of RPM had a few improvements in the area of
digital package signatures. The usage of PGP has been cleaned
up and extended, the signature section in the RPM file format
has been made easily extensible with new signature types, and
packages can have multiple signatures.
\section signatures_pgp PGP
Legacy usage of PGP in rpm-2.0 was cumbersome, and only supported
1024 bit keys. Both of these problems have been corrected in rpm-2.1.
Whereas previously you needed many rpmrc entries to clue in
RPM about keyring locations and such, RPM now behaves as PGP
users would expect. The PGPPATH environment variable can be
used to specify keyring locations. You can also use a
"%_pgpbin" line in your macros file to specify a different value
for RPM to use for PGPPATH. If neither of these are used PGP
uses its default ($HOME/.pgp).
If you just want to verify packages, you need to supply values
for the macros
\verbatim
%_pgpbin the path to the pgp executable
%_signature the type of signature to use
\endverbatim
In order to be able to sign packages, you may also have to
supply values for
\verbatim
%_pgp_name the pgp signature to use for signing
%_pgp_path the path to the key ring
\endverbatim
\section signatures_signing Signing Packages
Signature creation is the same as previous releases: just add
a --sign to your build command line. You can sign a package
after the package is built with:
\verbatim
rpm --resign <package>
\endverbatim
Using --resign removes any previous signature in the package.
To *add* a signature to a package, leaving all existing
signatures use:
\verbatim
rpm --addsign <package>
\endverbatim
RPM always creates MD5 and SIZE signatures when it build
packages, which means that packages built without --sign can
be "verified" to some extent. The MD5 signature should catch
problems like corrupt packages, faulty downloads, etc.
\section signatures_verifying Verifying Package Signatures
Package signature verification is the same as previous releases:
\verbatim
rpm -K <package>
\endverbatim
RPM will verify every signature in the package, which may include
more than one PGP signature. The output indicates what types of
signatures are being checked. If any checks fail you'll see a
"NOT OK" message, and you should be worried.
If you have a package with PGP signatures, but don't have PGP
installed, but still want to verify it as much as possible, you
can do:
\verbatim
rpm -K --nopgp <package>
\endverbatim
That will cause RPM to skip any PGP signatures, but still check
any others (currently only MD5 and SIZE).
*/
|
