Creating and Signing an RPM with a GPG Key Pair
March 4, 2012
RPM package signing lets the recipient of a package check that it was produced by the holder of a particular private key and has not been modified since it was signed. In addition, RPM package signing is required by some security programs. For example, the Centers for Medicare and Medicaid Services (CMS) in the United States requires package signing.
RPM package signing uses a private/public key pair. The private key stays with the package distributor, and the public key is distributed to end users. Verification is performed with the rpm command (rpm --checksig) and can be enforced by yum through the gpgcheck option of a repository.
This post details how to create a public/private key pair and how to sign an RPM package with it.
Use GPG to Create the Key Pair
GNU Privacy Guard (GPG) is included by default on RHEL systems in the gnupg2 package. We will use GPG to create the key pair and then extract the public and private keys for later use.
First, we have to deal with the issue of entropy. Entropy is random data that GPG consumes when creating the key pair. If you choose a large key size, the kernel's blocking random pool may not fill quickly enough and key generation can stall. The rngd daemon from the rng-tools package, installed on RHEL systems by default, feeds the pool. Run the following command to start rngd. Note that pointing rngd at /dev/urandom only satisfies the kernel's entropy accounting; it adds no new randomness, so prefer a hardware source (rngd's default is /dev/hwrng) where one exists. On Linux 5.6 and later kernels /dev/random no longer blocks once the pool is initialized and this step is unnecessary.
rngd -r /dev/urandom
Thanks to Aaron Hawley for this tip.
We will let rngd run while we create the key pair. Running 'gpg --gen-key' starts a text based question and answer dialogue. You will be asked the following questions.
- Please select what kind of key you want: The default, RSA and RSA, is the choice to use for signing.
- What keysize do you want? (2048): 2048 bits is acceptable, but you can go up to 4096. A larger key costs more CPU per signature but gives a larger margin against factoring.
- Key is valid for? (0): Unless a security program requires a specific lifetime, it may be reasonable to push this date out quite a ways. A value of zero means the key never expires. An expiry date can be extended later with 'gpg --edit-key', so an expiring key is not a commitment to re-keying.
- Real name: This can be a real name, an organization name, or whatever identifying text you want. It becomes the user ID you will refer to the key by.
- Email address: Use this field with caution, as it becomes part of the public key's user ID and is visible to everyone who receives the key.
- Comment: A useful text area for a short description.
You will then be asked to confirm that the information is correct. Pressing O (Okay) proceeds, but before the key is created you will be asked for a passphrase. This passphrase encrypts the private key on disk and must be entered each time you sign an RPM package. Be sure to choose a passphrase that not only meets security program requirements but is very difficult to guess: if the private key file is ever copied, the passphrase is the only thing standing between the attacker and the ability to sign packages as you. After entering the passphrase a second time, the keys will be created.
Finally, kill the rngd process as it is no longer required.
kill `pidof rngd`
Export the Keys
The keys are now in a keyring located at ~/.gnupg. Use GPG commands to export them. First, list the keys with 'gpg --list-keys' and take note of the name (user ID) you gave the key pair during creation; it is used as key-name below. Use the following command to export the public key in ASCII-armored form (-a).
gpg --export -a key-name > public_key_file
Use the following command to export the private key.
gpg --export-secret-key -a key-name > private_key_file
Be sure to give the files descriptive names. Store the private key file somewhere safe, readable only by you (chmod 600) and ideally offline, because anyone who obtains it and the passphrase can sign packages in your name. The public key file should be made available to end users, together with the key's fingerprint so they can check they received the right key.
Setup the Environment and Sign a Package
The following example assumes you are signing on a machine whose GPG keyring does not yet contain the key pair, for example a dedicated build host. If you do not have a personal ~/.rpmmacros file, create one now. Ensure the following lines exist. Keep comments on their own lines: rpm does not strip a trailing '#...' from a macro definition, so an inline comment would become part of the macro's value.
# location of your RPM build directory (only needed when building packages)
%_topdir /home/username/rpmbuild
%_signature gpg
%_gpg_path /home/username/.gnupg
%_gpgbin /usr/bin/gpg
# the name (user ID) or key ID of the key pair created earlier
%_gpg_name key-name
Next, import the public and private keys into your local keystore.
gpg --import public_key_file
gpg --import private_key_file
We should now be ready to sign an RPM package. To complete the signing process, run the following command against an existing package. (Newer rpm releases ship the signing options in a separate rpmsign binary, so the command becomes 'rpmsign --addsign packagename.rpm'.)
rpm --addsign packagename.rpm
You will be prompted for the passphrase entered when the key pair was created. Afterwards, run 'rpm -qpi packagename.rpm' and confirm that the Signature line now names your key ID. End users verify the package by importing the public key with 'rpm --import public_key_file' (as root, since it writes to the RPM database) and running 'rpm --checksig packagename.rpm'; with gpgcheck=1 set for the repository, yum refuses to install packages whose signature it cannot verify against an imported key.
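The whole procedure run unattended, as an added example that is not part of the original post: it uses GnuPG's batch key-generation mode in place of the interactive dialogue, keeps the key in its own GNUPGHOME so it never touches ~/.gnupg, exports both keys, writes the .rpmmacros file with comments on their own lines, and then signs and verifies a package with rpm. It assumes GnuPG 2.1 or later (for --pinentry-mode loopback) and an rpm that accepts --addsign; the key name, e-mail address, passphrase, file names and package path are placeholders, and the passphrase file is constructed by the script. It sets a two-year expiry rather than the post's 0, which can be extended later with 'gpg --edit-key'.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GnuPG 2.1+ and rpm;
# every name, address, passphrase and path below is a placeholder.
set -eu
umask 077   # key material, parameter file and passphrase file are created 0600/0700

# Parameter file for 'gpg --batch --gen-key'. Each line answers one of the
# questions the interactive dialogue asks. Key length defaults to 4096.
write_key_params() {
    out=$1 name=$2 email=$3 passfile=$4 bits=${5:-4096}
    cat > "$out" <<EOF
%echo generating RPM signing key
Key-Type: RSA
Key-Length: $bits
Key-Usage: sign
Name-Real: $name
Name-Comment: RPM signing key
Name-Email: $email
Expire-Date: 2y
Passphrase: $(cat "$passfile")
%commit
EOF
}

# Create the key pair in an isolated GnuPG home directory.
gen_signing_key() {
    home=$1 params=$2
    mkdir -p "$home"
    gpg --homedir "$home" --batch --gen-key "$params"
}

# ASCII-armored exports: the public key for end users, the private key for
# the offline backup. Exporting the secret key needs the passphrase, which
# --batch can only take through loopback pinentry.
export_keys() {
    home=$1 name=$2 passfile=$3 pub=$4 priv=$5
    gpg --homedir "$home" --armor --export "$name" > "$pub"
    gpg --homedir "$home" --armor --batch --pinentry-mode loopback \
        --passphrase-file "$passfile" --export-secret-keys "$name" > "$priv"
}

# Full fingerprint of the primary key, to publish alongside the public key.
fingerprint() {
    gpg --homedir "$1" --with-colons --list-keys "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# .rpmmacros for signing. Comments go on their own lines: rpm keeps a
# trailing '#...' as part of the macro value.
write_rpmmacros() {
    out=$1 home=$2 name=$3 gpgbin=$4
    cat > "$out" <<EOF
# signing settings used by rpm --addsign
%_signature gpg
%_gpg_path $home
%_gpgbin $gpgbin
%_gpg_name $name
EOF
}

# rpm reads $HOME/.rpmmacros, so point HOME at the directory holding ours.
# Prompts for the passphrase. Returns 3 when rpm is not installed.
sign_package() {
    macros=$1 pkg=$2
    command -v rpm >/dev/null 2>&1 || return 3
    HOME=$(dirname "$macros") rpm --addsign "$pkg"   # newer rpm: rpmsign --addsign
}

# What an end user does: import the public key (as root, it writes the rpmdb)
# and check the package signature. Returns 3 when rpm is not installed.
verify_package() {
    pub=$1 pkg=$2
    command -v rpm >/dev/null 2>&1 || return 3
    rpm --import "$pub"
    rpm --checksig "$pkg"
}

main() {
    pkg=$1
    work=$(mktemp -d)
    printf 'change-me\n' > "$work/passphrase"   # placeholder passphrase
    write_key_params "$work/params" "Example Package Signer" "signer@example.com" "$work/passphrase"
    gen_signing_key "$work/gnupg" "$work/params"
    export_keys "$work/gnupg" "Example Package Signer" "$work/passphrase" \
        "$work/RPM-GPG-KEY-example" "$work/private.asc"
    echo "fingerprint: $(fingerprint "$work/gnupg" "Example Package Signer")"
    write_rpmmacros "$work/.rpmmacros" "$work/gnupg" "Example Package Signer" "$(command -v gpg)"
    sign_package "$work/.rpmmacros" "$pkg"
    verify_package "$work/RPM-GPG-KEY-example" "$pkg"
}

# Usage: ./sign-rpm.sh packagename.rpm
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The parameter file holds the passphrase in clear text, which is why the script creates it under umask 077 in a fresh temporary directory; delete the directory, or at least the params and passphrase files, once the private key has been exported to its permanent home.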