Server

Version: 25.03
Document Center
Server
RPM Signature Verification

RPM Signature Verification

Overview

openEuler employs RPM for package management, adhering to the openPGP signature specification. openEuler 24.03 LTS SP1 enhances the open source RPM by adding support for SM2/3 algorithm-based signature generation and verification.

The following packages have been enhanced for SM algorithm capabilities:

  • GnuPG: The gpg CLI tool now supports generating SM signatures.
  • RPM: RPM can now invoke gpg commands and openSSL APIs for SM signature generation and verification.
  • openSSL: SM signature verification is supported (already supported in the open source version).

Prerequisites

  1. The following or later versions of gnupg2, libgcrypt, and rpm packages must be installed:

    sh
    $ rpm -qa libgcrypt
libgcrypt-1.10.2-3.oe2403sp1.x86_64

$ rpm -qa gnupg2
gnupg2-2.4.3-5.oe2403sp1.x86_64

$ rpm -qa rpm
rpm-4.18.2-20.oe2403sp1.x86_64

  2. ECDSA signing and verification are limited to SM2.

Usage

  1. Generate a key.

    Method 1:

    sh
    gpg --full-generate-key --expert

    Method 2:

    sh
    gpg --quick-generate-key <key identifier> sm2p256v1

    You will be prompted to enter a password. This password is required for subsequent key operations or signing. Pressing Enter without entering a password means no password is set.

  2. Export the certificate.

    sh
    gpg -o <certificate path> --export <key identifier>

  3. Enable the macro for SM3 hash algorithm and SM2 algorithm.

    sh
    $ vim /usr/lib/rpm/macros
%_enable_sm2p256v1_sm3_algo     1

  4. Import the certificate into the RPM database.

    sh
    rpm --import <certificate path>

  5. Write the macros required for signing.

    sh
    $ vim ~/.rpmmacros
%_signature gpg
%_gpg_path /root/.gnupg
%_gpg_name <key identifier>
%_gpgbin /usr/bin/gpg2

%__gpg_sign_cmd                 %{shescape:%{__gpg}} \
        gpg --no-verbose --no-armor --no-secmem-warning --passphrase-file /root/passwd \
        %{?_gpg_digest_algo:--digest-algo=%{_gpg_digest_algo}} \
        %{?_gpg_sign_cmd_extra_args} \
        %{?_gpg_name:-u %{shescape:%{_gpg_name}}} \
        -sbo %{shescape:%{?__signature_filename}} \
        %{?__plaintext_filename:-- %{shescape:%{__plaintext_filename}}}

    %__gpg_sign_cmd includes the default configuration with the addition of --passphrase-file /root/passwd. The passwd file contains the password. This addition is required only If a password is set in step 1.

  6. Generate a RPM package signature.

    sh
    rpmsign --addsign <RPM file>

  7. Verify the RPM package signature.

    sh
    rpm -Kv <RPM file>

    If the output shows "Header V4 ECDSA/SM3 Signature" and "OK," the signature verification is successful.

View source on Gitee

Copyright © 2025 openEuler. All rights reserved.

Licensed under the MulanPSL2

品牌隐私政策法律声明关于cookies