RPM Community Forums

Mailing List Message of <rpm-users>

Re: Embed signatures in rpm (RPM tags)

From: Jeffrey Johnson <n3npq@me.com>
Date: Tue 10 Mar 2015 - 16:47:41 CET
Message-id: <0A9B940B-82E0-4BB0-AED5-4FA6E24ED203@me.com>

On Mar 10, 2015, at 2:15 AM, srinivasan j v wrote:

> hello all
> I'm supposed to you use X509 format for signing .
> I'm trying to sign the  CPIO archive of a rpm  . I need to package this signature inside the RPM. I can't add this part of CPIO archive as the generated signature varies from the signature of newly formed CPIO archive .

The easiest way to do this is with a detached (or concatenated) X509 signature outside of RPM.

>  I Tried adding the signature to the Signature tags in the Spec file (for testing purpose) but it did not work , Do i need to use any arbitary tag for this ?

Note that signing the CPIO payload has never been done by rpm, and that the
header+payload signing/verification was deprecated in 2007 and is not generated
by current RPM5, and that X509 format has never been supported by RPM.

Much more than a Signature: tag is needed.

> Is there any way that i keep these signatures as part of RPM but not as part of its CPIO archive  ?

You can attempt rewriting the *.rpm and adding whatever you wish as additional tag content
in the signature header.

I'd again suggest that signing the entire *.rpm package, including the cpio payload, and prepending
the signature to the *.rpm, and then writing the verification and public key retrieval tool as the best
way to achieve your goal of "X509 format for signing".

73 de Jeff
> thanks in advance
> regards
> srinivasan
Received on Tue Mar 10 17:48:37 2015
Driven by Jeff Johnson and the RPM project team.
Hosted by OpenPKG and Ralf S. Engelschall.
Powered by FreeBSD and OpenPKG.