> On Apr 14, 2015, at 12:37 PM, srinivasan j v <srinivasanj...@gmail.com> wrote:
>
> Hi Jeffrey
> Thanks for the information. It was really helpful.
> I'm planning to go with the first approach (signing the entire *.rpm package
> and prepending the signature to the rpm).
>
> Yes, I will sign and verify the CPIO payload outside of RPM.
>
> Is there any way that I can prepend/append information to a built RPM file?
> Thanks in advance
>
I'm just suggesting using cat(1) to merge 2 files. There are magic numbers for
the rpm headers that can be used to find the end of the signature/certificates
while parsing.

I'd suggest prepending so that a package can be handled in a single pass (but
that may not be as useful in scripting as it is in rpm itself: a package can be
read and installed in a single "streaming" pass because the signature is
prepended rather than appended).

hth

73 de Jeff

> regards
> srinivasan
>
> regards
> srini
>
> On Tue, Apr 14, 2015 at 8:47 PM, Jeffrey Johnson <n3...@me.com> wrote:
>
>> On Apr 14, 2015, at 4:07 AM, srinivasan j v <srinivasanj...@gmail.com> wrote:
>>
>> Hello All
>> I need to sign an RPM using an X.509 certificate and save the signatures
>> (signature file) along with the RPM package.
>>
>> 1. Is there any way I can do that?
>> 2. How can I save these signatures and any other certificates (X.509)
>> without them being part of the CPIO archive?
>>
>
> I have answered this before, but here are the answers again.
>
> The easiest approach is to sign the entire *.rpm package using openssl/nss or
> another X.509 tool.
>
> Then prepend or append the X.509 signature (and any other certs you wish to
> include) to the existing *.rpm package.
>
> You will need to write your own sign/verify scripts using existing tools to
> create/extract the prepended/appended signature (and certificates) and
> sign/verify the original *.rpm file.
>
> You can do the same operation on just the cpio payload instead of the entire
> *.rpm package if you wish, by using rpm2cpio (or rpm2cpio.sh) to extract just
> the cpio payload of the *.rpm package.
>
> If you wish RPM itself to support X.509 formatted signatures/certificates,
> there are two choices:
>   1) convert the existing GPG signatures/pubkeys used in *.rpm to X.509 format
>      that can be used by tools like openssl/nss outside of rpm.
>   2) implement X.509 directly in RPM.
>
> The conversion of GPG signatures/pubkeys has been done: e.g. see pgp.com
> implementations.
>
> Direct support for X.509 signatures is a month (or so) of effort to implement
> and test using system(3) invocations of existing tools in openssl/nss. External
> tool invocations add an unacceptable (to many, including me) and complex
> dependency on existing crypto toolkits: rpm is expected to Just Work installing
> in chroot's and on empty disks.
>
> A direct implementation in RPM to parse X.509 certificates and validate
> certificate chains to (at least partially) remove the crypto toolkit dependency
> is considerably more complex.
>
> Meanwhile you have been asking for signed cpio payloads in the past. The easy
> approach outlined above, using existing tools like openssl/rpm2cpio to write
> 2 scripts for signing/verifying the cpio payload outside of rpm, is by far the
> easiest approach.
>
> hth
>
> 73 de Jeff
>
>> Thanks in advance
>>
>> regards
>> srinivasan
>
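The sign/prepend/split procedure discussed in this thread, written out as an added example (it is not code from the thread, from rpm, or from Jeff). It assumes the X.509 key pair already exists, e.g. created with `openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -subj /CN=pkgsign -days 365`, with the verification key extracted by `openssl x509 -in cert.pem -pubkey -noout > pub.pem`; the script name `x509rpm.py` and the command-line layout are this example's own choices. Only the raw signature is placed in front of the package here; if certificates are prepended as well, they need their own framing (or a DER parser) on the verify side. The boundary is found the way Jeff describes, by the rpm magic numbers: the 4-byte lead magic, the lead's major version byte, and the signature-header magic 96 bytes later, so a chance occurrence of the magic bytes inside the signature is not mistaken for the package start.

```python
#!/usr/bin/env python3
"""Added example (not rpm's code): X.509-sign a built .rpm with openssl and
prepend the signature to it; recover the package by scanning for the rpm lead.

usage: x509rpm.py sign   key.pem pkg.rpm signed.rpm
       x509rpm.py verify pub.pem signed.rpm
"""
import subprocess
import sys
import tempfile

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"    # rpmlead: first four bytes of any .rpm
RPM_LEAD_SIZE = 96                      # the lead is a fixed 96-byte struct
RPM_HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # signature header immediately follows it


def find_rpm_start(blob: bytes) -> int:
    """Offset of the embedded .rpm in `blob`, or -1 if none.

    A raw RSA signature (or a DER certificate) is pseudo-random and can contain
    the four lead-magic bytes by chance, so a candidate offset is accepted only
    when the lead's major version is 3 and the header magic sits 96 bytes later.
    """
    pos = 0
    while True:
        pos = blob.find(RPM_LEAD_MAGIC, pos)
        if pos < 0:
            return -1
        lead = blob[pos:pos + RPM_LEAD_SIZE]
        hdr = blob[pos + RPM_LEAD_SIZE:pos + RPM_LEAD_SIZE + len(RPM_HEADER_MAGIC)]
        if len(lead) == RPM_LEAD_SIZE and lead[4] == 3 and hdr == RPM_HEADER_MAGIC:
            return pos
        pos += 1


def prepend(prefix: bytes, rpm: bytes) -> bytes:
    """cat(1) equivalent: signature first, untouched package second."""
    if find_rpm_start(rpm) != 0:
        raise ValueError("input does not start with an rpm lead")
    return prefix + rpm


def split(signed: bytes) -> tuple:
    """Inverse of prepend(): returns (prefix, rpm)."""
    off = find_rpm_start(signed)
    if off < 0:
        raise ValueError("no rpm lead found")
    return signed[:off], signed[off:]


def openssl_sign(key_pem: str, data: bytes) -> bytes:
    """Raw signature over the whole package: openssl dgst -sha256 -sign."""
    return subprocess.run(["openssl", "dgst", "-sha256", "-sign", key_pem],
                          input=data, capture_output=True, check=True).stdout


def openssl_verify(pub_pem: str, sig: bytes, data: bytes) -> bool:
    """openssl dgst -sha256 -verify; exit status 0 means 'Verified OK'."""
    with tempfile.NamedTemporaryFile() as sigf:
        sigf.write(sig)
        sigf.flush()
        res = subprocess.run(["openssl", "dgst", "-sha256", "-verify", pub_pem,
                              "-signature", sigf.name],
                             input=data, capture_output=True)
    return res.returncode == 0


def main(argv):
    if argv[1:2] == ["sign"] and len(argv) == 5:
        rpm = open(argv[3], "rb").read()
        open(argv[4], "wb").write(prepend(openssl_sign(argv[2], rpm), rpm))
        return 0
    if argv[1:2] == ["verify"] and len(argv) == 4:
        sig, rpm = split(open(argv[3], "rb").read())
        ok = openssl_verify(argv[2], sig, rpm)
        print("Verified OK" if ok else "Verification Failure")
        return 0 if ok else 1
    print(__doc__)
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the package bytes after the prefix are untouched, `rpm -K` and `rpm -i` on the recovered `rpm` part behave exactly as on the original build; the X.509 check is an outer layer that a wrapper script applies before handing the inner file to rpm.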