我如何知道与RPM软件包签署了哪个GPG密钥?


26

可以使用以下rpm -K命令验证RPM的加密签名。如果签名在RPM的数据库中并且有效,则返回一个包含gpg(或pgp)并以结尾的字符串OK

如果软件包未签名但校验和有效,您仍然会得到OK,但没有gpg

如果软件包已签名,但RPM数据库中缺少密钥,则将得到(GPG)(大写字母)和NOT OKAY,然后是(MISSING KEYS: GPG#deadbeef)

如果我想弄清楚应该找到什么密钥才能使软件包安装正常工作,那将很方便。

但是如果我想验证在我的RPM钥匙圈几个键用来签署一个给定的包?

Answers:


12
rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n'

仅当您已经安装了软件包时才起作用,Brightlancer的以下解决方案使您可以在安装前检查签名
Thomas

3
如果您将其替换为-a,则即使对于已卸载的软件包,此方法也很好用-p packagename.rpm
larsks

26

通过列出了一个签名字段rpm -qpi package.rpm,例如:

[vagrant@vm-one ~]$ rpm -qpi puppet-3.7.4-1.el6.noarch.rpm
Name        : puppet
Version     : 3.7.4
Release     : 1.el6
Architecture: noarch
Install Date: (not installed)
Group       : System Environment/Base
Size        : 6532300
License     : ASL 2.0
Signature   : RSA/SHA512, Tue 27 Jan 2015 11:17:18 PM UTC, Key ID 1054b7a24bd6ec30
Source RPM  : puppet-3.7.4-1.el6.src.rpm
Build Date  : Mon 26 Jan 2015 11:48:15 PM UTC
Build Host  : tahoe.delivery.puppetlabs.net
Relocations : (not relocatable)
Vendor      : Puppet Labs
URL         : http://puppetlabs.com
Summary     : A network tool for managing many disparate systems
Description :
Puppet lets you centrally manage every important aspect of your system using a
cross-platform specification language that manages all the separate elements
normally aggregated in different files, like users, cron jobs, and hosts,
along with obviously discrete elements like packages, services, and files.

8

要找出您的RPM数据库中的哪个GPG密钥签署了特定的rpm,请执行以下操作:

列出您的RPM数据库中的所有GPG密钥:

$ rpm -qa gpg-pubkey*
...
...
gpg-pubkey-b1275ea3-546d1808
...
...

首先确保有问题的转速与你的RPM数据库的密钥签名:

$ rpm -K hp/mlnx-en-utils-2.2-1.0.7.0.g0055740.rhel6u4.x86_64.rpm
hp/mlnx-en-utils-2.2-1.0.7.0.g0055740.rhel6u4.x86_64.rpm: rsa sha1 (md5) pgp md5 OK

您正在寻找的是最后的OK,而不是“ NOT OK(MISSING KEYS)”,这意味着它已经签名,但是不是在RPM DB中。

正确,因此我们正在检查的rpm已由RPM数据库中的一个密钥签名。

然后获得与rpm签名的密钥ID:

$ rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n' -p hp/mlnx-en-utils-2.2-1.0.7.0.g0055740.rhel6u4.x86_64.rpm
mlnx-en-utils-2.2-1.0.7.0.g0055740.rhel6u4 RSA/SHA1, Tue Apr 14 12:34:51 2015, Key ID fadd8d64b1275ea3 (none)

现在,您可以看到密钥ID 的后8个字符(即fadd8d64b1275ea3中的b1275ea3)是否与第一个命令中gpg-pubkey-之后的8个字符中的任何一个相对应。在这种情况下,确实可以!

然后您有问题的钥匙,所以:

$ rpm -qi gpg-pubkey-b1275ea3-546d1808

在此示例中,可以看到是HP的密钥签署了该rpm。

希望这可以帮助。花了我一段时间找出答案。:-)


5

签发less <rpm file>并检查Signature条目,例如:

[vagrant@vm-one ~]$ less artifactory-3.5.3.rpm
Name        : artifactory
Version     : 3.5.3
Release     : 30172
Architecture: noarch
Install Date: (not installed)
Group       : Development/Tools
Size        : 42286184
License     : LGPL
Signature   : (none)
Source RPM  : artifactory-3.5.3-30172.src.rpm
Build Date  : Thu 19 Mar 2015 04:47:04 PM UTC
Build Host  : artbuild2.jfrog.local
Relocations : (not relocatable)
Vendor      : JFrog Ltd.
URL         : http://www.jfrog.org
Summary     : Binary Repository Manager
Description :
The best binary repository manager around.
-rwxrwxr-x    1 root    root                     7891 Mar 19 16:47 /etc/init.d/artifactory
drwxr-xr-x    2 artifactartifact                    0 Mar 19 16:47 /etc/opt/jfrog/artifactory
-rwxrwx---    1 artifactartifact                 9855 Mar 19 16:47 /etc/opt/jfrog/artifactory/artifactory.config.xml
-rwxrwx---    1 artifactartifact                11172 Mar 19 16:47 /etc/opt/jfrog/artifactory/artifactory.system.properties
-rwxrwx---    1 artifactartifact                  457 Mar 19 16:47 /etc/opt/jfrog/artifactory/default
-rwxrwx---    1 artifactartifact                 6858 Mar 19 16:47 /etc/opt/jfrog/artifactory/logback.xml
-rwxrwx---    1 artifactartifact                 5470 Mar 19 16:47 /etc/opt/jfrog/artifactory/mimetypes.xml
drwxrwxr-x    2 root    root                        0 Mar 19 16:47 /opt/jfrog
drwxrwxr-x    2 root    root                        0 Mar 19 16:47 /opt/jfrog/artifactory/bin
-rwxrwxr-x    1 root    root                   103424 Mar 19 16:47 /opt/jfrog/artifactory/bin/artifactory-service.exe
-rwxrwxr-x    1 root    root                     1366 Mar 19 16:47 /opt/jfrog/artifactory/bin/artifactory.bat
-rwxrwxr-x    1 root    root                      457 Mar 19 16:47 /opt/jfrog/artifactory/bin/artifactory.default
artifactory-3.5.3.rpm
By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.
Licensed under cc by-sa 3.0 with attribution required.