Linux RPM Package

This section specifies methods to sign a Linux package using CORE CLI commands. It includes the following tasks:

RPM Package

The recommended signing method is to use GPG2 signing procedures. See GPG.

If GPG2 cannot be used, the following sections describe an alternate method for signing.

Setup

Run the CORE Setup tasks.

CORE Client

  1. Register with the partition.
  2. Import (or generate) the signing key and its certificate.

Important
1. Both the signing key and the corresponding public key certificate must be present in the partition.
2. The names of the signing key and the signing certificate must be identical.

Signing

The CORE Linux client provides the ucl sign-rpm command, which can be used in the following cases:

  • Using the RSA key generated by CORE.
    The signature's metadata (including the public signing key material) is generated by CORE.
  • Using an imported RSA key and assuming that the corresponding public key is also provided.
    In this case, the public signing key material is retrieved from the provided public key file and inserted into the signature's metadata.

Sign RPM Using Generated Key

(missing or bad snippet)

Sign RPM Using Imported Key

(missing or bad snippet)

Verification

Overview

We will export the public key and use the RPM signature verification procedure.

Prepare the Public Key File

To prepare the public key file to be used for RPM signature verification, consider two cases:

  • Using an imported RSA key.
    In this case, we assume that the corresponding public PGP key file is available (and is used in the signing procedure). No action is required. Otherwise, use the above command.

Import the Public Key into RPM DB

To import a PGP-formatted public key file into the RPM DB, run:

rpm --import <public key file>

For example:

rpm --import GPGkey-pub.pgp

Verify the Signature

Run the rpm -K[v] <rpm-package-file> command.

For example:

rpm -K ./test-package.rpm

test-package.rpm: sha1 (md5) pgp md5 OK

Or the verbose option:

rpm -Kv ./test-package.rpm

test-package.rpm:

Header SHA1 digest: OK (9cdea49d0363c70b035e68a066a6a8366edf32d1)
V3 RSA/SHA256 Signature, key ID c649f3ba: OK
MD5 digest: OK (1bfde35e913d54731532d0538599b14e)

Important
Each line in the verbose output must report the status OK.

For example, when the corresponding public key is missing from the RPM DB, the result reports NOKEY for the signature line:

test-package.rpm:

Header SHA1 digest: OK (9cdea49d0363c70b035e68a066a6a8366edf32d1)
V3 RSA/SHA256 Signature, key ID c649f3ba: NOKEY
MD5 digest: OK (1bfde35e913d54731532d0538599b14e)

This issue is highlighted when using the non-verbose option of the command:

rpm -K ./test-package.rpm

test-package.rpm: sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#c649f3ba)
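The "every line must be OK" rule above is easy to get wrong in a script, because the failure status NOKEY (and NOT OK) contains the substring OK. The following shell function is an added example, not code from the original page; it evaluates `rpm -Kv` output strictly and is exercised on constructed samples copied from the two outputs shown in this section.

```shell
#!/bin/sh
# Added example, not part of the original page: a strict evaluation of
# `rpm -Kv` output. A naive `grep OK` passes the NOKEY case shown above,
# because "NOKEY" (and "NOT OK") contain the substring "OK"; this accepts a
# line only when the status printed after the colon is exactly OK.

# Reads `rpm -Kv` output on stdin.
# Returns 0 if every status line reports OK, 1 if any line reports something
# else (NOKEY, BAD, NOTTRUSTED, ...), and 2 if no status line was found.
rpm_kv_all_ok() {
    total=0
    bad=0
    while IFS= read -r line; do
        # Skip the "<package>.rpm:" header and blank lines; every other line
        # has the form "<what>: OK [(digest)]" or "<what>: <failure>".
        case "$line" in
            ''|*.rpm:) continue ;;
        esac
        total=$((total + 1))
        if ! printf '%s\n' "$line" | grep -Eq ': OK( \(|$)'; then
            bad=$((bad + 1))
        fi
    done
    [ "$total" -gt 0 ] || return 2
    [ "$bad" -eq 0 ]
}

# Wrapper for real use: non-zero exit unless every check on the package is OK.
verify_rpm_strict() {
    rpm -Kv "$1" | rpm_kv_all_ok
}

# Constructed samples, copied from the two verbose outputs in this section.
SAMPLE_OK='test-package.rpm:
Header SHA1 digest: OK (9cdea49d0363c70b035e68a066a6a8366edf32d1)
V3 RSA/SHA256 Signature, key ID c649f3ba: OK
MD5 digest: OK (1bfde35e913d54731532d0538599b14e)'

SAMPLE_NOKEY='test-package.rpm:
Header SHA1 digest: OK (9cdea49d0363c70b035e68a066a6a8366edf32d1)
V3 RSA/SHA256 Signature, key ID c649f3ba: NOKEY
MD5 digest: OK (1bfde35e913d54731532d0538599b14e)'

# Usage: sh this-script.sh ./test-package.rpm
if [ -n "${1:-}" ]; then
    verify_rpm_strict "$1"
fi
```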

Troubleshooting

Examine the RPM DB.

Note
The RPM DB maintains all public keys as instances of the virtual RPM package named "gpg-pubkey".

  1. List the public keys in the RPM DB, presenting the following attributes:

    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\n%{INSTALLTIME:date}\n%{SUMMARY}\n\n'

    The %{SUMMARY} attribute shows gpg(<name of the key>).

  2. Identify the imported key.
    In our case, we are looking for the key named GPGkey. For example, it appears in the list as follows:

    gpg-pubkey-c649f3ba-5c88ce04
    Wed 13 Mar 2019 11:59:30 AM UTC
    gpg(GPGkey)

  3. Examine the attributes of the imported key.
    Once you know the RPM object ID (c649f3ba-5c88ce04) of your imported key, run the rpm -qi <RPM Object ID> command:

    rpm -qi gpg-pubkey-c649f3ba-5c88ce04

    Name: gpg-pubkey
    Version: c649f3ba
    Release: 5c88ce04
    Architecture: (none)
    Install Date: Wed 13 Mar 2019 11:59:30 AM UTC
    Group: Public Keys
    Size: 0
    License: pubkey
    Signature: (none)
    Source RPM: (none)
    Build Date: Wed 13 Mar 2019 09:31:48 AM UTC
    Build Host: localhost
    Relocations: (not relocatable)
    Packager: GPGkey
    Summary: gpg(GPGkey)
    Description:
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: rpm-4.11.3 (NSS-3)

    mQENBFyIzgQBCACwkqB9vQfrRp10CmiHgc1Dr2FL3rhw8fiTZ/YwYylSQs0NIEAK
    //truncated
    8QuUyk9E51k01UMS1KiOEKxnjQARAQAB
    =qqVY
    -----END PGP PUBLIC KEY BLOCK-----

  4. Compare the content of the public key with the one stored in CORE.
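The lookup and the final comparison in this troubleshooting procedure can be scripted. The functions below are an added example, not code from the original page: find_pubkey_id locates the gpg-pubkey object for a key name in the listing produced above, and same_key_material compares the key rpm stores (as printed by rpm -qi) with the PGP file exported from CORE. The point to note is that rpm re-armors an imported key under its own "Version: rpm-..." header, so a plain diff of the two files fails even when the key material is identical; the sample inputs in the test are constructed from the truncated block shown above.

```shell
#!/bin/sh
# Added example, not part of the original page: automate steps 2 and 4 of the
# troubleshooting procedure. rpm re-armors an imported key under its own
# "Version:" header, so only the base64 payload and the "=xxxx" checksum line
# of the armored block are compared, not the armor headers.

# stdin: the three-lines-per-key listing from step 1; $1: key name, e.g. GPGkey
# prints gpg-pubkey-<version>-<release> for that key, returns 1 if absent
find_pubkey_id() {
    want="gpg($1)"
    id=""
    while IFS= read -r line; do
        case "$line" in
            gpg-pubkey-*) id="$line" ;;                 # remember the last ID seen
            "$want") printf '%s\n' "$id"; return 0 ;;   # summary matched: report it
        esac
    done
    return 1
}

# stdin: any text containing an armored PGP public key block
# prints the block's payload lines only (no markers, armor headers or blanks)
armor_payload() {
    sed 's/^[[:space:]]*//' \
      | sed -n '/^-----BEGIN PGP PUBLIC KEY BLOCK-----$/,/^-----END PGP PUBLIC KEY BLOCK-----$/p' \
      | grep -Ev '^-----|^[A-Za-z]+: |^$'
}

# $1: file holding `rpm -qi gpg-pubkey-...` output; $2: exported .pgp file
# returns 0 only when both contain the same, non-empty key material
same_key_material() {
    a=$(armor_payload < "$1")
    b=$(armor_payload < "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: sh this-script.sh <rpm-qi-output-file> <exported-key.pgp>
if [ -n "${2:-}" ]; then
    if same_key_material "$1" "$2"; then
        echo "key material matches"
    else
        echo "key material differs" >&2
        exit 1
    fi
fi
```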

Verification of the Certificates

RPM signing, which is based on PGP, has no notion of certificates or a PKI. The verification method described in this section is external to the base system and allows certificate validation outside the PGP system.

Use the following procedure to verify the validity of the public key certificate and its intermediate certificates.

Note
A public key <K-NAME> and its certificate chain are stored in separate UIDs using the following naming convention:
name: <K-NAME> type: private key
name: <K-NAME> type: certificate
name: <K-NAME>-chain0 type: certificate // the first intermediate certificate
name: <K-NAME>-chain1 type: certificate // the second intermediate certificate
and so forth.

Overview

We will export the main certificate and the first intermediate certificate and use OCSP provider tools to verify the main certificate.

Steps

  1. Export the certificate:

    ucl export -p <PARTITION NAME> -w <PASSWORD> -u <UID_CERT> -o <CERT>.pem

  2. Export the first intermediate certificate:

    ucl export -p <PARTITION NAME> -w <PASSWORD> -u <UID_CERT-chain0> -o <CERT-chain0>.pem

  3. Validate the certificate using an OCSP service provider (for example, ocsp.digicert.com):

    openssl ocsp -no_nonce -issuer <CERT-chain0>.pem -cert <CERT>.pem -VAfile <CERT>.pem -text \
      -url http://ocsp.digicert.com -respout ocsptespem

RPM Package Repository

An RPM package repository contains a set of RPM packages that are used by the rpm or yum package installers. For each RPM package, the repository contains the set of files comprising the package. The overall content of the repository is described in the repomd.xml "repository metadata" file. To identify the creator of this file and to assure that it has not been tampered with, repomd.xml is GPG-signed using the private key that identifies its owner.

Note
Signing a repomd.xml file is different from signing an RPM package.

To sign the repomd.xml file, use the ucl sign command options described in GPG-compatible ucl sign.

The following sections walk you through the steps required to:

Setup

Run the CORE Setup tasks.

CORE Linux Client

  1. Register with the designated partition.
  2. Create an RPM repository:
    1. Install the createrepo tool:

      sudo yum install createrepo

    2. Create a folder and copy one or more RPM package(s) to it. For example:

      mkdir ./test
      cp ./ekm-client-2.0.1910.39142-RHES.x86_64.rpm ./test

    3. Create the RPM package repository (repodata) for the packages in the test folder and list the repository's content. Note the repomd.xml file that has been created along with the other files in repodata:

      createrepo ./test
      ls -l ./test/repodata

      // names of the files are truncated for clarity
      XXX-primary.sqlite.bz2
      XXX-filelists.sqlite.bz2
      XXX-other.sqlite.bz2
      XXX-filelists.xml.gz
      XXX-primary.xml.gz
      XXX-other.xml.gz
      repomd.xml

  3. Generate an RSA key that will be used to sign repomd.xml:

    ucl generate -t rsa -n md-signkey

  4. Prepare the public part of the key. It will be used to verify the match between repomd.xml and its signature.
    1. Export the public part of the key in the PGP key format:

      ucl export -n md-signkey -o ./md-pubkey.pgp --format PGP

      Note
      The file starts with the -----BEGIN PGP PUBLIC KEY BLOCK----- statement and ends with the -----END PGP PUBLIC KEY BLOCK----- statement.

    2. Import it into the GPG public keyring:

      gpg --import --allow-non-selfsigned-uid ./md-pubkey.pgp

Signing and Verification

  1. Sign the repomd.xml file and ASCII-armor the signature (--out-format PGP-ARMOR). See GPG-compatible ucl sign.

    cd ./test/repodata
    ucl sign -n md-signkey --hash sha256 -i ./repomd.xml -o ./repomd.xml.asc --out-format PGP-ARMOR

    Note
    The file starts with the -----BEGIN PGP SIGNATURE----- statement and ends with the -----END PGP SIGNATURE----- statement.

  2. Verify the signature:

    gpg --verify ./repomd.xml.asc ./repomd.xml