RPM Signature Verification

Overview

openEuler employs RPM for package management, adhering to the openPGP signature specification. openEuler 24.03 LTS SP1 enhances the open source RPM by adding support for SM2/3 algorithm-based signature generation and verification.

The following packages have been enhanced for SM algorithm capabilities:

  • GnuPG: The gpg CLI tool now supports generating SM signatures.
  • RPM: RPM can now invoke gpg commands and openSSL APIs for SM signature generation and verification.
  • openSSL: SM signature verification is supported (already supported in the open source version).

Prerequisites

  1. The following or later versions of gnupg2, libgcrypt, and rpm packages must be installed:

    sh
    $ rpm -qa libgcrypt
    libgcrypt-1.10.2-3.oe2403sp1.x86_64
    
    $ rpm -qa gnupg2
    gnupg2-2.4.3-5.oe2403sp1.x86_64
    
    $ rpm -qa rpm
    rpm-4.18.2-20.oe2403sp1.x86_64
  2. ECDSA signing and verification are limited to SM2.

Usage

  1. Generate a key.

    Method 1:

    sh
    gpg --full-generate-key --expert

    Method 2:

    sh
    gpg --quick-generate-key <key identifier> sm2p256v1

    You will be prompted to enter a password. This password is required for subsequent key operations or signing. Pressing Enter without entering a password means no password is set.

  2. Export the certificate.

    sh
    gpg -o <certificate path> --export <key identifier>
  3. Enable the macro for SM3 hash algorithm and SM2 algorithm.

    sh
    $ vim /usr/lib/rpm/macros
    %_enable_sm2p256v1_sm3_algo     1
  4. Import the certificate into the RPM database.

    sh
    rpm --import <certificate path>
  5. Write the macros required for signing.

    sh
    $ vim ~/.rpmmacros
    %_signature gpg
    %_gpg_path /root/.gnupg
    %_gpg_name <key identifier>
    %_gpgbin /usr/bin/gpg2
    
    %__gpg_sign_cmd                 %{shescape:%{__gpg}} \
            gpg --no-verbose --no-armor --no-secmem-warning --passphrase-file /root/passwd \
            %{?_gpg_digest_algo:--digest-algo=%{_gpg_digest_algo}} \
            %{?_gpg_sign_cmd_extra_args} \
            %{?_gpg_name:-u %{shescape:%{_gpg_name}}} \
            -sbo %{shescape:%{?__signature_filename}} \
            %{?__plaintext_filename:-- %{shescape:%{__plaintext_filename}}}

    %__gpg_sign_cmd includes the default configuration with the addition of --passphrase-file /root/passwd. The passwd file contains the password. This addition is required only If a password is set in step 1.

  6. Generate a RPM package signature.

    sh
    rpmsign --addsign <RPM file>
  7. Verify the RPM package signature.

    sh
    rpm -Kv <RPM file>

    If the output shows "Header V4 ECDSA/SM3 Signature" and "OK," the signature verification is successful.