Maximum RPM: Taking the Red Hat Package Manager to the Limit
Chapter 17. Adding PGP Signatures to a Package
OK, we've convinced you that signing packages is a good idea. Now we've got to make sure PGP and RPM are up to the task. As you might imagine, there are two parts to this process: one for PGP, and one for RPM. Let's get PGP ready first.
There is really very little to be done to PGP, assuming it's been installed properly. The only thing required is to generate a key pair. As mentioned in our mini-primer on PGP, the key pair consists of a secret key and a public key. In terms of signing packages, you will use your secret key to do the actual signing. Anyone interested in checking your signature will need your public key.
Let's review each of the times PGP required information. The first thing PGP needed to know was the key size we wanted. Depending on your level of paranoia, simply choose an appropriate key size. In our example, we chose the "They're out to get me" key size of 1024 bits.
Next, we needed to choose a user ID for the key. The user ID should be descriptive and should also include sufficient information for someone to contact you. We entered Example Key for RPM Book, which goes against our suggestion, but is sufficient for the purposes of our example.
After entering a user ID, we needed to add a pass phrase. The pass phrase is used to protect your secret key, so it should be something difficult for someone else to guess. It should also be memorable for you, because if you forget your pass phrase, you won't be able to use your secret key! I entered a couple of words and numbers, put together in such a way that no one could ever guess I typed
The pass phrase is entered twice, to ensure that no typing mistakes were made. PGP also performs some cursory checks on the pass phrase, ensuring that the phrase is at least somewhat secure.
Finally comes the strangest part of the key-generation process, creating random bits. This is done by measuring the time between keystrokes. The secret here is to not hold down a key so that it auto-repeats and to not wait several seconds between keystrokes. Simply start typing anything (even nonsense text) until PGP tells you you've typed enough.
.pgp, the following files:
For those interested in learning exactly what each file is, feel free to consult any of the fine books on PGP. For the purposes of signing packages, all we need to know is where these files are located.
That's it! Now it's time to configure RPM to use your newly generated key.
RPM's configuration process is quite straightforward. It consists of adding a few rpmrc entries in a file of your choice. For more information on rpmrc files in general, please see
The entries that need to be added to an rpmrc file are:
Let's check out the entries.
Example Key for RPM Book, so this is what our entry should look like:
PGPPATH has been defined. In our example, we didn't move them from PGP's default location, which is in the subdirectory .pgp, off the user's login directory. Since we generated the key as root, our path is /root/.pgp. Therefore, our entry would look like this:
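As an added illustration (not text from the original chapter), here is a complete set of the rpmrc entries this section describes, put together in one place. The entry names signature, pgp_name and pgp_path are the rpmrc keywords used by the RPM 2.x-era releases the book covers; the values are the user ID and key directory chosen in this chapter:

```text
# Added example: rpmrc entries for PGP signing (RPM 2.x-era rpmrc format).
# Tell RPM which kind of signature to attach to packages.
signature: pgp
# Must match the user ID of the key pair exactly, including spacing and case;
# a mismatch is the usual reason RPM reports that it cannot find the key.
pgp_name: Example Key for RPM Book
# Directory holding the key rings, i.e. the same directory PGPPATH points to.
pgp_path: /root/.pgp
```

Because the secret key ring lives under pgp_path, that directory should be readable only by the account that does the signing; anyone who can read it and guess the pass phrase can sign packages in your name. Current RPM releases no longer use these rpmrc entries: they sign with GnuPG and take the key name from the %_gpg_name macro, normally set in ~/.rpmmacros.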
And that's it. Now it's time to sign some packages.