RPM Signature Verification
Overview
openEuler employs RPM for package management and follows the OpenPGP signature specification. openEuler 24.03 LTS SP1 extends the open source RPM with support for generating and verifying signatures based on the SM2 signature algorithm and the SM3 hash algorithm.
The following packages have been enhanced with SM algorithm capabilities:

- GnuPG: the `gpg` CLI tool can now generate SM signatures.
- RPM: RPM can now invoke `gpg` commands and OpenSSL APIs to generate and verify SM signatures.
- OpenSSL: SM signature verification is supported (already supported in the open source version).
Prerequisites
The following or later versions of the gnupg2, libgcrypt, and rpm packages must be installed:

```sh
$ rpm -qa libgcrypt
libgcrypt-1.10.2-3.oe2403sp1.x86_64
$ rpm -qa gnupg2
gnupg2-2.4.3-5.oe2403sp1.x86_64
$ rpm -qa rpm
rpm-4.18.2-20.oe2403sp1.x86_64
```
Note that ECDSA signing and verification in this feature are limited to the SM2 curve; other ECDSA curves are not supported.
Usage
1. Generate a key.

   Method 1:

   ```sh
   gpg --full-generate-key --expert
   ```

   Method 2:

   ```sh
   gpg --quick-generate-key <key identifier> sm2p256v1
   ```

   You will be prompted for a passphrase. It is required for all later operations on the key, including signing. Pressing Enter without entering one leaves the key unprotected.

2. Export the certificate (the public key).

   ```sh
   gpg -o <certificate path> --export <key identifier>
   ```

3. Enable the macro for the SM2 signature algorithm and SM3 hash algorithm.

   ```sh
   $ vim /usr/lib/rpm/macros
   %_enable_sm2p256v1_sm3_algo 1
   ```

4. Import the certificate into the RPM database.

   ```sh
   rpm --import <certificate path>
   ```

5. Write the macros required for signing.

   ```sh
   $ vim ~/.rpmmacros
   %_signature gpg
   %_gpg_path /root/.gnupg
   %_gpg_name <key identifier>
   %_gpgbin /usr/bin/gpg2
   %__gpg_sign_cmd %{shescape:%{__gpg}} \
       gpg --no-verbose --no-armor --no-secmem-warning --passphrase-file /root/passwd \
       %{?_gpg_digest_algo:--digest-algo=%{_gpg_digest_algo}} \
       %{?_gpg_sign_cmd_extra_args} \
       %{?_gpg_name:-u %{shescape:%{_gpg_name}}} \
       -sbo %{shescape:%{?__signature_filename}} \
       %{?__plaintext_filename:-- %{shescape:%{__plaintext_filename}}}
   ```

   `%__gpg_sign_cmd` is RPM's default signing command with `--passphrase-file /root/passwd` added. The passwd file holds the passphrase chosen in step 1 and is needed only if one was set. Because it stores the passphrase in clear text, keep it readable by the signing user alone (for example `chmod 600 /root/passwd`). Adjust `%_gpg_path` if the key was generated under a different user's home directory. Also note that GnuPG 2.1 and later honor `--passphrase-file` only together with `--batch` and `--pinentry-mode loopback`; add those options to the command if signing stalls on a pinentry prompt.

6. Sign the RPM package.

   ```sh
   rpmsign --addsign <RPM file>
   ```

7. Verify the RPM package signature.

   ```sh
   rpm -Kv <RPM file>
   ```

   If the output contains a line of the form "Header V4 ECDSA/SM3 Signature ... OK", the signature was verified. Any other status on that line (for example NOKEY, meaning the certificate was not imported in step 4, or BAD) or the absence of a signature line altogether means the package must not be trusted.
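The verification step above describes what a successful `rpm -Kv` run looks like; the script below, an added example that is not part of the openEuler documentation, turns that description into a fail-closed check suitable for scripts and CI. It relies only on the `-Kv` line format quoted in the text ("Header V4 ECDSA/SM3 Signature ... OK"), the sample outputs are constructed for illustration, and the script and function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the openEuler documentation: a fail-closed wrapper
# around `rpm -Kv` for SM2/SM3-signed packages. It relies only on the -Kv line
# format quoted in the text ("Header V4 ECDSA/SM3 Signature ... OK"); the sample
# outputs below are constructed for illustration.

# sm_sig_verified OUTPUT
# Succeeds only if OUTPUT has a verified ECDSA/SM3 header signature line and
# no line reporting a failed check. An unsigned package prints only digest
# lines (all "OK"), so matching "OK" alone, or trusting rpm's exit status,
# would accept it; requiring the signature line closes that gap.
sm_sig_verified() {
    # Any BAD, NOKEY or NOTTRUSTED status on any line is a hard failure.
    if printf '%s\n' "$1" | grep -Eq ':[[:space:]]*(BAD|NOKEY|NOTTRUSTED)[[:space:]]*$'; then
        return 1
    fi
    # The SM2/SM3 header signature must be present and verified.
    printf '%s\n' "$1" \
        | grep -Eq '^[[:space:]]*Header V4 ECDSA/SM3 Signature.*:[[:space:]]*OK[[:space:]]*$'
}

# check_rpm FILE: run rpm -Kv on FILE and apply the check above.
check_rpm() {
    out=$(rpm -Kv "$1" 2>&1) || true   # verdict comes from the text, not the exit code
    if sm_sig_verified "$out"; then
        printf '%s: SM2/SM3 signature OK\n' "$1"
        return 0
    fi
    printf '%s: REJECTED\n%s\n' "$1" "$out" >&2
    return 1
}

# Constructed sample outputs in rpm -Kv line format.
SAMPLE_SIGNED='    Header V4 ECDSA/SM3 Signature, key ID 0123abcd: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK'
SAMPLE_UNSIGNED='    Header SHA256 digest: OK
    Payload SHA256 digest: OK'
SAMPLE_NOKEY='    Header V4 ECDSA/SM3 Signature, key ID 0123abcd: NOKEY
    Header SHA256 digest: OK
    Payload SHA256 digest: OK'

# Usage: ./check-sm-sig.sh file1.rpm file2.rpm ...
# rc stays 0 only if every file carries a verified SM2/SM3 signature.
rc=0
for f in "$@"; do
    check_rpm "$f" || rc=1
done
```

The point of the two-stage check is that the absence of a signature line is treated the same as a bad one: a package that was never signed, or whose signing key was never imported, is rejected rather than waved through on its digests.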