RPM Community Forums

Mailing List Message of <rpm-users>

Re: Need information on RPM signing

From: Jeffrey Johnson <n3npq@me.com>
Date: Tue 14 Apr 2015 - 17:17:22 CEST
Message-id: <E763F34D-DDA7-40CE-9D21-C8DE7A10AF8A@me.com>

> On Apr 14, 2015, at 4:07 AM, srinivasan j v <srinivasanjvs8@gmail.com> wrote:
> Hello All
> I need to sign RPM using X509 Certificate and save the signatures (signature file ) along with the RPM package .
>        1. Is there any way  can i do that ?
>        2. How can i save the these signature and any other certificates (X 509)  and  being not part of  CPIO archive ?

I have answered this before, but here are the answers again.

The easiest approach is to sign the entire *.rpm package using openssl/nss or
other X.509 tool.

Then prepend or append the X.509 signature (and any other certs you wish to include)
to the existing *.rpm package.

You will need to write your own sign/verify scripts using existing tools to
create/extract the prepended/appended signature (and certificates) and
sign/verify the original *.rpm file.

You can do the same operation on just the cpio payload instead of the entire
*.rpm package if you wish by using rpm2cpio (or rpm2cpio.sh) to extract the
just the cpio payload of the *.rpm package.

If you wish RPM itself to support X.509 formatted signatures/certificates, there are
two choices:
	1) convert existing GPG signature/pubkeys used in *.rpm to X.509 format that
	can be used by tools like openssl/nss outside of rpm.
	2) implement X.509 directly in RPM.

The conversion of GPG signatures/pubkeys has been done: e.g. see pgp.com <http://pgp.com/>

Direct support for X.509 signatures is a month (or so) of effort to implement
and test using system(3) invocations of existing tools in openssl/nss. External
tool invocations add an unacceptable (to many, including me) and complex dependency on
existing crypto toolkits: rpm is expected to Just Work installing in chroot’s and
on empty disks.

A direct implementation in RPM to parse X.509 certificates and validate certificate
chains to (at least partially) remove the crypto toolkit dependency is considerably
more complex.

Meanwhile you have been asking for signed cpio payloads in the past. The easy
approach outlined above, using existing tools like openssl/rpm2cpio to write
a 2 scripts for signing/verifying the cpio payload outside of rpm is by far the
easiest approach.


73 de Jeff

> Thanks in advance
> regards
> srinivasan
Received on Tue Apr 14 18:18:04 2015
Driven by Jeff Johnson and the RPM project team.
Hosted by OpenPKG and Ralf S. Engelschall.
Powered by FreeBSD and OpenPKG.