Thanks for the information. It was really helpful
I'm planning to go with the first approach (Signing Entire *.rpm Package
and prepending the signature to rpm).
Yes , I will sign and verify CPIO payload outside of RPM .
Is there any way that i can prepend/append information to Built RPM file ?
Thanks in advance
On Tue, Apr 14, 2015 at 8:47 PM, Jeffrey Johnson <email@example.com> wrote:
> On Apr 14, 2015, at 4:07 AM, srinivasan j v <firstname.lastname@example.org>
> Hello All
> I need to sign RPM using X509 Certificate and save the signatures
> (signature file ) along with the RPM package .
> 1. Is there any way can i do that ?
> 2. How can i save the these signature and any other certificates (X
> 509) and being not part of CPIO archive ?
> I have answered this before, but here are the answers again.
> The easiest approach is to sign the entire *.rpm package using openssl/nss
> other X.509 tool.
> Then prepend or append the X.509 signature (and any other certs you wish
> to include)
> to the existing *.rpm package.
> You will need to write your own sign/verify scripts using existing tools to
> create/extract the prepended/appended signature (and certificates) and
> sign/verify the original *.rpm file.
> You can do the same operation on just the cpio payload instead of the
> *.rpm package if you wish by using rpm2cpio (or rpm2cpio.sh) to extract the
> just the cpio payload of the *.rpm package.
> If you wish RPM itself to support X.509 formatted signatures/certificates,
> there are
> two choices:
> 1) convert existing GPG signature/pubkeys used in *.rpm to X.509 format
> can be used by tools like openssl/nss outside of rpm.
> 2) implement X.509 directly in RPM.
> The conversion of GPG signatures/pubkeys has been done: e.g. see pgp.com
> Direct support for X.509 signatures is a month (or so) of effort to
> and test using system(3) invocations of existing tools in openssl/nss.
> tool invocations add an unacceptable (to many, including me) and complex
> dependency on
> existing crypto toolkits: rpm is expected to Just Work installing in
> chrootâs and
> on empty disks.
> A direct implementation in RPM to parse X.509 certificates and validate
> chains to (at least partially) remove the crypto toolkit dependency is
> more complex.
> Meanwhile you have been asking for signed cpio payloads in the past. The
> approach outlined above, using existing tools like openssl/rpm2cpio to
> a 2 scripts for signing/verifying the cpio payload outside of rpm is by
> far the
> easiest approach.
> 73 de Jeff
> Thanks in advance
Received on Tue Apr 14 18:37:45 2015