In case you find yourself needing to run your own REPO, and you really want to do it in style.
Creating a Public/Private GPG key pair
A small note. To make key generation go faster, run this in a second console (the disk activity feeds the kernel's entropy pool):
find / -type f | xargs cat &> /dev/null
Let's start the generation:
[builder@builder-host ~]$ gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/home/builder/.gnupg' created
gpg: new configuration file `/home/builder/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/builder/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/builder/.gnupg/secring.gpg' created
gpg: keyring `/home/builder/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Your Name
Email address: your_email@example.com
Comment: RPM Maintainer
You selected this USER-ID:
    "Your Name (RPM Maintainer) <your_email@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

can't connect to `/home/builder/.gnupg/S.gpg-agent': No such file or directory
gpg-agent[1709]: directory `/home/builder/.gnupg/private-keys-v1.d' created
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/builder/.gnupg/trustdb.gpg: trustdb created
gpg: key 90A42099 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/90A42099 2014-02-18
      Key fingerprint = A31B 130E CFCD 9F30 4C7B 0050 1C58 9F8E 90A4 2099
uid                  Your Name (RPM Maintainer) <your_email@example.com>
sub   2048R/DB16927A 2014-02-18
Note the line starting with "pub": it holds the public key identifier 90A42099. That 8-digit ID is only a convenience for typing commands; the full fingerprint on the next line is what uniquely identifies the key.
Exporting the Private/Public keys for safe storage
Let's list the keys:
[builder@builder-host ~]$ gpg --list-secret-keys
/home/builder/.gnupg/secring.gpg
--------------------------------
sec   2048R/90A42099 2014-02-18
uid                  Your Name (RPM Maintainer) <your_email@example.com>
ssb   2048R/DB16927A 2014-02-18
Export the GPG keys:
[builder@builder-host ~]$ gpg --export-secret-key -a 90A42099 > RPM-GPG-KEY-MY-COMPLANY.private
[builder@builder-host ~]$ gpg --export -a 90A42099 > RPM-GPG-KEY-MY-COMPLANY.public
Replace "MY-COMPLANY" with the name of your organisation.
[builder@builder-host ~]$ cat RPM-GPG-KEY-MY-COMPLANY.*
[ASCII-armored PGP PRIVATE KEY BLOCK and PUBLIC KEY BLOCK omitted]
Folk wisdom: keep the Public Key publicly accessible, and the Private Key in an encrypted container.
You should make the public part of your key available on your web server (either in a /pub directory or in the root directory of your repository).
Example:
http://www.example.com/pub/RPM-GPG-KEY-MY-COMPLANY
Importing the private key:
If you want to import the private key on another server, or restore it from a backup, use the following command:
[builder@builder-host ~]$ gpg --import RPM-GPG-KEY-MY-COMPLANY.private
gpg: directory `/home/builder/.gnupg' created
gpg: new configuration file `/home/builder/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/builder/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/builder/.gnupg/secring.gpg' created
gpg: keyring `/home/builder/.gnupg/pubring.gpg' created
gpg: key 90A42099: secret key imported
gpg: /home/builder/.gnupg/trustdb.gpg: trustdb created
gpg: key 90A42099: public key "Your Name (RPM Maintainer) <your_email@example.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
Signing RPMs with your GPG key:
Now that we have GPG keys, we can start signing RPMs.
[builder@builder-host ~]$ echo '%_signature gpg' > ~/.rpmmacros
[builder@builder-host ~]$ echo '%_gpg_name Your Name (RPM Maintainer)' >> ~/.rpmmacros
Remember that '%_gpg_name' must exactly match the user ID recorded in the key.
[builder@builder-host ~]$ gpg --list-keys
/home/builder/.gnupg/pubring.gpg
--------------------------------
pub   2048R/90A42099 2014-02-18
uid                  Your Name (RPM Maintainer) <your_email@example.com>
sub   2048R/DB16927A 2014-02-18
[builder@builder-host ~]$ rpm --resign ~/rpmbuild/RPMS/x86_64/*.rpm
Enter pass phrase:
Pass phrase is good.
/home/builder/rpmbuild/RPMS/x86_64/kernel-2.6.32-431.el6.myorg.x86_64.rpm:
/home/builder/rpmbuild/RPMS/x86_64/kernel-debug-2.6.32-431.el6.myorg.x86_64.rpm:
/home/builder/rpmbuild/RPMS/x86_64/kernel-debug-debuginfo-2.6.32-431.el6.myorg.x86_64.rpm:
/home/builder/rpmbuild/RPMS/x86_64/kernel-debug-devel-2.6.32-431.el6.myorg.x86_64.rpm:
/home/builder/rpmbuild/RPMS/x86_64/kernel-debuginfo-2.6.32-431.el6.myorg.x86_64.rpm:
/home/builder/rpmbuild/RPMS/x86_64/kernel-debuginfo-common-x86_64-2.6.32-431.el6.myorg.x86_64.rpm:
/home/builder/rpmbuild/RPMS/x86_64/kernel-devel-2.6.32-431.el6.myorg.x86_64.rpm:
/home/builder/rpmbuild/RPMS/x86_64/kernel-firmware-2.6.32-431.el6.myorg.x86_64.rpm:
/home/builder/rpmbuild/RPMS/x86_64/kernel-headers-2.6.32-431.el6.myorg.x86_64.rpm:
/home/builder/rpmbuild/RPMS/x86_64/perf-2.6.32-431.el6.myorg.x86_64.rpm:
/home/builder/rpmbuild/RPMS/x86_64/perf-debuginfo-2.6.32-431.el6.myorg.x86_64.rpm:
/home/builder/rpmbuild/RPMS/x86_64/python-perf-2.6.32-431.el6.myorg.x86_64.rpm:
/home/builder/rpmbuild/RPMS/x86_64/python-perf-debuginfo-2.6.32-431.el6.myorg.x86_64.rpm:
Import our public key into rpm:
[builder@builder-host ~]$ su -c "rpm --import RPM-GPG-KEY-MY-COMPLANY.public"
[builder@builder-host ~]$ rpm -qip /home/builder/rpmbuild/RPMS/x86_64/kernel-2.6.32-431.el6.myorg.x86_64.rpm | grep Signature
Signature   : RSA/SHA1, Tue 18 Feb 2014 12:14:01 PM MSK, Key ID 1c589f8e90a42099
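As an added example (not from the original post), a small Python check that the Signature header really names the key generated above: the 16-hex-digit Key ID that rpm prints is the last 64 bits of the fingerprint shown by gpg --gen-key, and the 8-digit ID 90A42099 is its last 32 bits. The header lines are constructed samples; the first is the one from this post, the other two are made up to show a foreign key and an unsigned package.

```python
import re

# Fingerprint printed by `gpg --gen-key` earlier in this post (spacing is cosmetic).
EXPECTED_FINGERPRINT = "A31B 130E CFCD 9F30 4C7B 0050 1C58 9F8E 90A4 2099"

# Constructed samples of `rpm -qip <pkg> | grep Signature` output: the post's own
# line, a package signed by some other key, and an unsigned package.
SAMPLE_HEADERS = [
    "Signature   : RSA/SHA1, Tue 18 Feb 2014 12:14:01 PM MSK, Key ID 1c589f8e90a42099",
    "Signature   : RSA/SHA1, Tue 18 Feb 2014 12:20:33 PM MSK, Key ID 0123456789abcdef",
    "Signature   : (none)",
]

# "<algo>, <date>, Key ID <16 hex digits>"; the date field never contains a comma.
SIG_RE = re.compile(
    r"Signature\s*:\s*(?P<algo>[^,]+),\s*(?P<date>[^,]+),\s*Key ID\s+(?P<keyid>[0-9a-fA-F]{16})"
)


def fingerprint_key_ids(fingerprint):
    """Return (long_id, short_id): the low 8 and low 4 bytes of a v4 fingerprint, lowercase hex."""
    digits = re.sub(r"\s+", "", fingerprint).lower()
    if re.fullmatch(r"[0-9a-f]{40}", digits) is None:
        raise ValueError("a v4 fingerprint is 40 hex digits")
    return digits[-16:], digits[-8:]


def parse_signature_header(line):
    """Parse one rpm Signature header line; None when the package carries no signature."""
    m = SIG_RE.search(line)
    if m is None:
        return None
    return {"algo": m.group("algo").strip(), "date": m.group("date").strip(),
            "keyid": m.group("keyid").lower()}


def check_package_signature(line, expected_fingerprint):
    """Classify a Signature header as 'ok', 'unsigned' or 'wrong-key' against our fingerprint."""
    sig = parse_signature_header(line)
    if sig is None:
        return "unsigned"
    long_id, _short_id = fingerprint_key_ids(expected_fingerprint)
    return "ok" if sig["keyid"] == long_id else "wrong-key"


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(check_package_signature(header, EXPECTED_FINGERPRINT), "<-", header)
```

For a real package, feed it the output of `rpm -qip <pkg> | grep Signature` as shown above; this only confirms which key was used, while `rpm -K <pkg>` performs the actual signature verification.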
Importing the public key on the target system:
So that YUM installs only signed packages, set the 'gpgcheck=1' flag in your repository's section, and don't forget to import the public part of the GPG key:
[builder@builder-host ~]$ su -c "rpm --import http://www.example.com/pub/RPM-GPG-KEY-MY-COMPLANY"
Sources:
http://www.gnupg.org/documentation/manuals/gnupg-devel/Unattended-GPG-key-generation.html
http://iuscommunity.org/pages/CreatingAGPGKeyandSigningRPMs.html