RPM Signature Verification ​

Overview ​

openEuler employs RPM for package management, adhering to the openPGP signature specification. openEuler 24.03 LTS SP1 enhances the open source RPM by adding support for SM2/3 algorithm-based signature generation and verification.

The following packages have been enhanced for SM algorithm capabilities:

• GnuPG: The gpg CLI tool now supports generating SM signatures.
• RPM: RPM can now invoke gpg commands and openSSL APIs for SM signature generation and verification.
• openSSL: SM signature verification is supported (already supported in the open source version).

Prerequisites ​

1. The following or later versions of gnupg2, libgcrypt, and rpm packages must be installed:

   sh

   $ rpm -qa libgcrypt
   libgcrypt-1.10.2-3.oe2403sp1.x86_64
   
   $ rpm -qa gnupg2
   gnupg2-2.4.3-5.oe2403sp1.x86_64
   
   $ rpm -qa rpm
   rpm-4.18.2-20.oe2403sp1.x86_64

2. ECDSA signing and verification are limited to SM2.

Usage ​

1. Generate a key.

   Method 1:

   sh

   gpg --full-generate-key --expert

   Method 2:

   sh

   gpg --quick-generate-key <key identifier> sm2p256v1

   You will be prompted to enter a password. This password is required for subsequent key operations or signing. Pressing Enter without entering a password means no password is set.

2. Export the certificate.

   sh

   gpg -o <certificate path> --export <key identifier>

3. Enable the macro for SM3 hash algorithm and SM2 algorithm.

   sh

   $ vim /usr/lib/rpm/macros
   %_enable_sm2p256v1_sm3_algo     1

4. Import the certificate into the RPM database.

   sh

   rpm --import <certificate path>

5. Write the macros required for signing.

   sh

   $ vim ~/.rpmmacros
   %_signature gpg
   %_gpg_path /root/.gnupg
   %_gpg_name <key identifier>
   %_gpgbin /usr/bin/gpg2
   
   %__gpg_sign_cmd                 %{shescape:%{__gpg}} \
           gpg --no-verbose --no-armor --no-secmem-warning --passphrase-file /root/passwd \
           %{?_gpg_digest_algo:--digest-algo=%{_gpg_digest_algo}} \
           %{?_gpg_sign_cmd_extra_args} \
           %{?_gpg_name:-u %{shescape:%{_gpg_name}}} \
           -sbo %{shescape:%{?__signature_filename}} \
           %{?__plaintext_filename:-- %{shescape:%{__plaintext_filename}}}

   %__gpg_sign_cmd includes the default configuration with the addition of --passphrase-file /root/passwd. The passwd file contains the password. This addition is required only If a password is set in step 1.

6. Generate a RPM package signature.

   sh

   rpmsign --addsign <RPM file>

7. Verify the RPM package signature.

   sh

   rpm -Kv <RPM file>

   If the output shows "Header V4 ECDSA/SM3 Signature" and "OK," the signature verification is successful.