Introduction to Signature Certificates

openEuler supports two signature mechanisms: openPGP and CMS, which are used for different file types.

| File Type | Signature Type | Signature Format |
| --- | --- | --- |
| EFI files | authenticode | CMS |
| Kernel module files | modsig | CMS |
| IMA digest lists | modsig | CMS |
| RPM software packages | RPM | openPGP |

openPGP Certificate Signing

openEuler uses openPGP certificates to sign RPM software packages. The signature certificates are released with the OS image. You can obtain certificates used by openEuler in either of the following ways:

Method 1: Download the certificate from the repository. For example, download the certificate of openEuler 24.03 LTS from the following address:

```text
https://repo.openeuler.org/openEuler-24.03-LTS/OS/aarch64/RPM-GPG-KEY-openEuler
```

Method 2: Log in to the system and obtain the file from the specified path.

```shell
cat /etc/pki/rpm-gpg/RPM-GPG-KEY-openEuler
```

CMS Certificate Signing

The openEuler signature platform uses a three-level certificate chain to manage signature private keys and certificates.

Certificates of different levels have different validity periods. The current plan is as follows:

| Type | Validity Period |
| --- | --- |
| Root certificate | 30 years |
| Level-2 certificate | 10 years |
| Level-3 certificate | 3 years |

The openEuler root certificate can be downloaded from the community certificate center.

```text
https://www.openeuler.org/en/security/certificate-center/
```
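
The three-level chain and the validity periods from the table above, reproduced with a throwaway chain so that the verification step can be run offline. This is an added example, not openEuler's own tooling: the names `root`, `level2` and `level3`, the helper functions and the key parameters are assumptions, and it needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example: every key and certificate below is a throwaway built for this
# demo. None of it is openEuler's real signing material.
set -eu

# new_cert NAME DAYS SERIAL EXTFILE [ISSUER]: writes NAME.key and NAME.pem to
# $dir. Without ISSUER the certificate is self-signed (the root).
new_cert() {
    name=$1 days=$2 serial=$3 ext=$4 issuer=${5:-}
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo $name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    if [ -n "$issuer" ]; then
        signer="-CA $dir/$issuer.pem -CAkey $dir/$issuer.key"
    else
        signer="-signkey $dir/$name.key"
    fi
    # $signer is left unquoted on purpose so it splits into separate arguments.
    openssl x509 -req -in "$dir/$name.csr" $signer -set_serial "$serial" \
        -days "$days" -sha256 -extfile "$dir/$ext" -out "$dir/$name.pem" 2>/dev/null
}

# verify_chain ROOT LEAF [INTERMEDIATE]: status 0 only if LEAF chains to ROOT.
# The intermediate is supplied as untrusted, so it is not itself a trust anchor.
verify_chain() {
    if [ $# -eq 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# outlives CERT YEARS: status 0 if CERT is still valid YEARS*365 days from now.
outlives() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 365 * 86400 )) >/dev/null
}

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$dir/ca.ext"
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$dir/leaf.ext"

# Validity periods from the table above: 30, 10 and 3 years, in days.
new_cert root   10950 1 ca.ext
new_cert level2  3650 2 ca.ext   root
new_cert level3  1095 3 leaf.ext level2

verify_chain "$dir/root.pem" "$dir/level3.pem" "$dir/level2.pem" && echo "full chain: OK"
verify_chain "$dir/root.pem" "$dir/level3.pem" || echo "level-2 missing: rejected"
outlives "$dir/level3.pem" 4 || echo "level-3 certificate expires within 4 years"
```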