RPM Community Forums

Mailing List Message of <rpm-users>

Re: Need information on RPM signing

From: Jeffrey Johnson <n3npq@me.com>
Date: Tue 14 Apr 2015 - 22:15:01 CEST
Message-id: <181FA6D1-93A9-4834-9FD7-3DEEFA13D2F8@me.com>

> On Apr 14, 2015, at 12:37 PM, srinivasan j v <srinivasanjvs8@gmail.com> wrote:
> Hi Jeffrey
> Thanks for the information. It was really helpful
> I'm planning to go with the first approach (Signing Entire *.rpm  Package and prepending the signature to rpm).
> Yes , I will sign and verify  CPIO payload outside of RPM .
> Is there any way that i can prepend/append  information to Built RPM file ? Thanks in advance

I’m just suggesting using cat(1) to merge 2 files. There are magic numbers
for the rpm headers that can be used to find the end of the signature/certificates
while parsing.

I’d duggest prepending so that a package can be handled in a single pass
(but that may not be as useful in scripting as it is in rpm itself: a package
can be read and installed in a single “streaming” pass because the signature
is prepended rather than appended).


73 de Jeff
> regards
> srinivasan
> regards
> srini
> On Tue, Apr 14, 2015 at 8:47 PM, Jeffrey Johnson <n3npq@me.com <mailto:n3npq@me.com>> wrote:
>> On Apr 14, 2015, at 4:07 AM, srinivasan j v <srinivasanjvs8@gmail.com <mailto:srinivasanjvs8@gmail.com>> wrote:
>> Hello All
>> I need to sign RPM using X509 Certificate and save the signatures (signature file ) along with the RPM package .
>>        1. Is there any way  can i do that ?
>>        2. How can i save the these signature and any other certificates (X 509)  and  being not part of  CPIO archive ?
> I have answered this before, but here are the answers again.
> The easiest approach is to sign the entire *.rpm package using openssl/nss or
> other X.509 tool.
> Then prepend or append the X.509 signature (and any other certs you wish to include)
> to the existing *.rpm package.
> You will need to write your own sign/verify scripts using existing tools to
> create/extract the prepended/appended signature (and certificates) and
> sign/verify the original *.rpm file.
> You can do the same operation on just the cpio payload instead of the entire
> *.rpm package if you wish by using rpm2cpio (or rpm2cpio.sh) to extract the
> just the cpio payload of the *.rpm package.
> If you wish RPM itself to support X.509 formatted signatures/certificates, there are
> two choices:
> 	1) convert existing GPG signature/pubkeys used in *.rpm to X.509 format that
> 	can be used by tools like openssl/nss outside of rpm.
> 	2) implement X.509 directly in RPM.
> The conversion of GPG signatures/pubkeys has been done: e.g. see pgp.com <http://pgp.com/>
> implementations.
> Direct support for X.509 signatures is a month (or so) of effort to implement
> and test using system(3) invocations of existing tools in openssl/nss. External
> tool invocations add an unacceptable (to many, including me) and complex dependency on
> existing crypto toolkits: rpm is expected to Just Work installing in chroot’s and
> on empty disks.
> A direct implementation in RPM to parse X.509 certificates and validate certificate
> chains to (at least partially) remove the crypto toolkit dependency is considerably
> more complex.
> Meanwhile you have been asking for signed cpio payloads in the past. The easy
> approach outlined above, using existing tools like openssl/rpm2cpio to write
> a 2 scripts for signing/verifying the cpio payload outside of rpm is by far the
> easiest approach.
> hth
> 73 de Jeff
>> Thanks in advance
>> regards
>> srinivasan
Received on Wed Apr 15 01:23:36 2015
Driven by Jeff Johnson and the RPM project team.
Hosted by OpenPKG and Ralf S. Engelschall.
Powered by FreeBSD and OpenPKG.