Introduction to Signature Certificates
openEuler supports two signature mechanisms: openPGP and CMS, which are used for different file types.
File Type | Signature Type | Signature Format |
---|---|---|
EFI files | authenticode | CMS |
Kernel module files | modsig | CMS |
IMA digest lists | modsig | CMS |
RPM software packages | RPM | openPGP |
openPGP Certificate Signing
openEuler uses openPGP certificates to sign RPM software packages. The signature certificates are released with the OS image. You can obtain certificates used by openEuler in either of the following ways:
Method 1: Download the certificate from the repository. For example, download the certificate of openEuler 24.03 LTS from the following address:
https://repo.openeuler.org/openEuler-24.03-LTS/OS/aarch64/RPM-GPG-KEY-openEuler
Method 2: Log in to the system and obtain the file from the specified path.
cat /etc/pki/rpm-gpg/RPM-GPG-KEY-openEuler
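To confirm that the copy downloaded in Method 1 and the file read in Method 2 carry the same key, compare their fingerprints rather than the file text, since armor headers and line wrapping can differ. The following is an added example, not openEuler's own code; it assumes a version 4 OpenPGP key, and `dearmor`, `primary_fingerprint`, `same_key`, `armor`, `SAMPLE` and `REPO_COPY` are illustrative names with constructed sample data.

```python
import base64
import hashlib

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def dearmor(text):
    """Return the binary OpenPGP data inside an ASCII-armored key block."""
    lines = [ln.strip() for ln in text.splitlines()]
    body = lines[lines.index(BEGIN) + 1:lines.index(END)]
    if "" in body:  # armor headers (Version:, Comment:) end at the first blank line
        body = body[body.index("") + 1:]
    # The line starting with "=" is the armor CRC-24, not key data.
    data = "".join(ln for ln in body if ln and not ln.startswith("="))
    return base64.b64decode(data, validate=True)

def primary_fingerprint(armored):
    """v4 fingerprint (RFC 4880, section 12.2) of the first packet, the primary key."""
    pkt = dearmor(armored)
    hdr = pkt[0]
    if hdr & 0x40:  # new-format packet header
        tag, first = hdr & 0x3F, pkt[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + pkt[2] + 192, 3
        else:
            raise ValueError("unsupported length encoding for a key packet")
    else:  # old-format packet header
        tag, size = (hdr >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}.get(hdr & 3)
        if size is None:
            raise ValueError("indeterminate packet length")
        length, off = int.from_bytes(pkt[1:1 + size], "big"), 1 + size
    body = pkt[off:off + length]
    if tag != 6 or len(body) != length or body[:1] != b"\x04":
        raise ValueError("expected a complete version 4 public-key packet")
    return hashlib.sha1(b"\x99" + length.to_bytes(2, "big") + body).hexdigest().upper()

def same_key(armored_a, armored_b):
    """True when both armored files carry the same primary key."""
    return primary_fingerprint(armored_a) == primary_fingerprint(armored_b)

def armor(packet, header=""):
    """Constructed-sample helper: ASCII-armor packet bytes (CRC line omitted)."""
    b64 = base64.b64encode(packet).decode()
    return "\n".join([BEGIN, header, "", *(b64[i:i + 64] for i in range(0, len(b64), 64)), END])

# Constructed key body (not a real key): v4, creation time 0, RSA, tiny MPIs.
SAMPLE = b"\x04" + bytes(4) + b"\x01" + b"\x00\x10\xc3\x5b" + b"\x00\x11\x01\x00\x01"
REPO_COPY = armor(b"\x99" + len(SAMPLE).to_bytes(2, "big") + SAMPLE, "Version: constructed")
```

On a real system, pass the text of both key files to `same_key`; `gpg --show-keys` on either file reports the same fingerprint value.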
CMS Certificate Signing
The openEuler signature platform uses a three-level certificate chain to manage signature private keys and certificates.
Certificates of different levels have different validity periods. The current plan is as follows:
Type | Validity Period |
---|---|
Root certificate | 30 years |
Level-2 certificate | 10 years |
Level-3 certificate | 3 years |
The openEuler root certificate can be downloaded from the community certificate center:
https://www.openeuler.org/en/security/certificate-center/