> On Apr 14, 2015, at 4:07 AM, srinivasan j v <srinivasanj...@gmail.com> wrote:
> 
> Hello All
> I need to sign an RPM using an X.509 certificate and save the signature (signature
> file) along with the RPM package.
> 
>        1. Is there any way I can do that?
>        2. How can I save these signatures and any other certificates (X.509)
> so that they are not part of the CPIO archive?
> 

I have answered this before, but here are the answers again.

The easiest approach is to sign the entire *.rpm package using openssl/nss or
another X.509 tool.

Then prepend or append the X.509 signature (and any other certs you wish to
include) to the existing *.rpm package.

You will need to write your own sign/verify scripts using existing tools to
create/extract the prepended/appended signature (and certificates) and
sign/verify the original *.rpm file.

You can do the same operation on just the cpio payload instead of the entire
*.rpm package if you wish, by using rpm2cpio (or rpm2cpio.sh) to extract just
the cpio payload of the *.rpm package.

If you wish RPM itself to support X.509 formatted signatures/certificates,
there are two choices:
        1) convert existing GPG signatures/pubkeys used in *.rpm to X.509 format
        that can be used by tools like openssl/nss outside of rpm.
        2) implement X.509 directly in RPM.

The conversion of GPG signatures/pubkeys has been done: e.g. see pgp.com
<http://pgp.com/> implementations.

Direct support for X.509 signatures is a month (or so) of effort to implement
and test using system(3) invocations of existing tools in openssl/nss. External
tool invocations add an unacceptable (to many, including me) and complex
dependency on existing crypto toolkits: rpm is expected to Just Work installing
in chroot's and on empty disks.

A direct implementation in RPM to parse X.509 certificates and validate
certificate chains to (at least partially) remove the crypto toolkit dependency
is considerably more complex.

Meanwhile, you have been asking for signed cpio payloads in the past. The easy
approach outlined above, using existing tools like openssl/rpm2cpio to write
two scripts for signing/verifying the cpio payload outside of rpm, is by far the
easiest approach.

hth

73 de Jeff

> Thanks in advance
> 
> regards
> srinivasan
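The sign/verify script pair described in the reply above, as an added example that is not part of the original thread and not code from rpm itself: it signs the whole *.rpm with an X.509 key through the openssl command line, appends the DER signature, the PEM certificate and a small length trailer to the package, and on the verifying side checks the embedded certificate against a trusted CA file, checks the signature over the original bytes, and writes the original package back out so it can be handed to rpm untouched. The trailer layout (`X509SIG1` marker plus two ten-digit lengths), the function names, the self-signed test key and the constructed stand-in package are assumptions of this example; the only external dependency assumed is an installed `openssl` binary.

```shell
#!/bin/sh
# Added example, not code from the original thread or from rpm: sign a whole
# *.rpm with an X.509 key via the openssl CLI, append signature + cert + a
# length trailer, and later verify and strip them again outside of rpm.
# Assumptions: the openssl command line is installed; the trailer layout
# (10-digit sig length, 10-digit cert length, 8-byte marker) is invented here.
set -eu

TRAILER_MAGIC="X509SIG1"   # constructed marker; not any rpm format
TRAILER_LEN=28             # 10 + 10 + 8 bytes

# make_keypair DIR: self-signed RSA-2048 signing cert + key for the example.
# In practice the cert would come from a CA whose root you ship to verifiers.
make_keypair() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=rpm signing example" \
    -keyout "$1/signer.key" -out "$1/signer.crt" >/dev/null 2>&1
}

# sign_rpm IN.rpm KEY CERT OUT: OUT = IN || sig || cert || trailer
sign_rpm() {
  in=$1; key=$2; cert=$3; out=$4
  sig=$(mktemp)
  openssl dgst -sha256 -sign "$key" -out "$sig" "$in"
  siglen=$(wc -c < "$sig" | tr -d ' ')
  certlen=$(wc -c < "$cert" | tr -d ' ')
  {
    cat "$in" "$sig" "$cert"
    printf '%010d%010d%s' "$siglen" "$certlen" "$TRAILER_MAGIC"
  } > "$out"
  rm -f "$sig"
}

# verify_rpm SIGNED CA.crt ORIG_OUT: check the appended cert against CA.crt,
# then the signature over the original bytes; write the original package to
# ORIG_OUT (so it can be handed to rpm untouched). Returns 0 only on success.
verify_rpm() {
  signed=$1; ca=$2; orig=$3
  total=$(wc -c < "$signed" | tr -d ' ')
  trailer=$(tail -c "$TRAILER_LEN" "$signed")
  if [ "$(printf '%s' "$trailer" | cut -c21-28)" != "$TRAILER_MAGIC" ]; then
    echo "verify: no X.509 signature trailer" >&2; return 1
  fi
  # strip leading zeros so the shell does not read the lengths as octal
  siglen=$(printf '%s' "$trailer" | cut -c1-10 | sed 's/^0*//'); siglen=${siglen:-0}
  certlen=$(printf '%s' "$trailer" | cut -c11-20 | sed 's/^0*//'); certlen=${certlen:-0}
  origlen=$((total - TRAILER_LEN - siglen - certlen))
  if [ "$origlen" -le 0 ]; then
    echo "verify: trailer lengths do not fit the file" >&2; return 1
  fi
  sig=$(mktemp); cert=$(mktemp); pub=$(mktemp)
  head -c "$origlen" "$signed" > "$orig"
  tail -c +$((origlen + 1)) "$signed" | head -c "$siglen" > "$sig"
  tail -c +$((origlen + siglen + 1)) "$signed" | head -c "$certlen" > "$cert"
  rc=0
  # 1) is the embedded signer cert issued by (or identical to) a trusted CA?
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || rc=1
  # 2) does its public key verify the signature over the original bytes?
  if [ "$rc" -eq 0 ]; then
    openssl x509 -in "$cert" -pubkey -noout > "$pub"
    openssl dgst -sha256 -verify "$pub" -signature "$sig" "$orig" >/dev/null 2>&1 || rc=1
  fi
  rm -f "$sig" "$cert" "$pub"
  return "$rc"
}

# demo: sign a constructed stand-in package, verify it, then show that a
# single flipped byte in the package body is rejected.
demo() {
  d=$(mktemp -d)
  make_keypair "$d"
  # constructed stand-in for a real package: rpm lead magic + filler bytes
  { printf '\355\253\356\333'; printf 'constructed package body\n'; } > "$d/hello.rpm"
  sign_rpm "$d/hello.rpm" "$d/signer.key" "$d/signer.crt" "$d/hello.rpm.x509"
  if verify_rpm "$d/hello.rpm.x509" "$d/signer.crt" "$d/hello.out.rpm"; then
    cmp -s "$d/hello.rpm" "$d/hello.out.rpm" && echo "signature OK, original restored"
  fi
  printf 'Z' | dd of="$d/hello.rpm.x509" bs=1 seek=8 conv=notrunc 2>/dev/null
  verify_rpm "$d/hello.rpm.x509" "$d/signer.crt" "$d/tampered.out.rpm" \
    || echo "tampered package rejected"
  rm -rf "$d"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run it as `RUN_DEMO=1 sh sign-rpm.sh`. Because the signature and certificate are appended after the package rather than written into it, rpm never sees them: the verifier strips them off and hands the original bytes to rpm, which is the "outside of rpm" property the reply is describing. The same two functions work unchanged on a cpio payload pulled out with rpm2cpio; only the input file differs.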
