> On Apr 14, 2015, at 4:07 AM, srinivasan j v <srinivasanj...@gmail.com> wrote:
>
> Hello All
> I need to sign RPM using X509 Certificate and save the signatures (signature
> file) along with the RPM package.
>
> 1. Is there any way I can do that?
> 2. How can I save these signatures and any other certificates (X.509) so
> they are not part of the CPIO archive?
>
I have answered this before, but here are the answers again.

The easiest approach is to sign the entire *.rpm package using openssl/nss or other X.509 tool. Then prepend or append the X.509 signature (and any other certs you wish to include) to the existing *.rpm package. You will need to write your own sign/verify scripts using existing tools to create/extract the prepended/appended signature (and certificates) and sign/verify the original *.rpm file.

You can do the same operation on just the cpio payload instead of the entire *.rpm package if you wish, by using rpm2cpio (or rpm2cpio.sh) to extract just the cpio payload of the *.rpm package.

If you wish RPM itself to support X.509 formatted signatures/certificates, there are two choices:

1) convert existing GPG signature/pubkeys used in *.rpm to X.509 format that can be used by tools like openssl/nss outside of rpm.

2) implement X.509 directly in RPM.

The conversion of GPG signatures/pubkeys has been done: e.g. see pgp.com <http://pgp.com/> implementations.

Direct support for X.509 signatures is a month (or so) of effort to implement and test using system(3) invocations of existing tools in openssl/nss. External tool invocations add an unacceptable (to many, including me) and complex dependency on existing crypto toolkits: rpm is expected to Just Work installing in chroots and on empty disks. A direct implementation in RPM to parse X.509 certificates and validate certificate chains to (at least partially) remove the crypto toolkit dependency is considerably more complex.

Meanwhile you have been asking for signed cpio payloads in the past. The easy approach outlined above, using existing tools like openssl/rpm2cpio to write two scripts for signing/verifying the cpio payload outside of rpm, is by far the easiest approach.

hth

73 de Jeff

> Thanks in advance
>
> regards
> srinivasan
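The sign/verify script pair Jeff describes (sign the whole *.rpm with an X.509 key, append the signature and certificate, split them back out and verify), written out as an added example; this is not code from the thread or from the rpm project. It assumes `openssl` is on PATH, uses a throwaway self-signed certificate as both signer and trust anchor, and the trailer layout (two 10-digit ASCII lengths followed by the made-up magic string `X509SIGv1`) is an assumption invented for this example, not an RPM or OpenSSL convention. The file standing in for the package is constructed bytes, not a real rpm.

```shell
#!/bin/sh
# Added example (not from the thread): append an X.509 signature + certificate
# to an rpm file and verify it again. The rpm bytes are left untouched at the
# front, so rpm itself still reads the lead and headers as before.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MAGIC="X509SIGv1"          # assumed trailer magic, 9 bytes; trailer is 10+10+9 = 29 bytes

# Throwaway self-signed key/cert for the demo; a real signer uses its own cert.
make_keypair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rpm-signer-demo" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# sign_and_append <rpm> <key.pem> <cert.pem> <out>
# out = rpm || signature || certificate || %010d siglen || %010d certlen || MAGIC
sign_and_append() {
    rpm=$1; key=$2; cert=$3; out=$4
    openssl dgst -sha256 -sign "$key" -out "$WORK/sig.bin" "$rpm" || return 1
    siglen=$(wc -c < "$WORK/sig.bin" | tr -d ' ')
    certlen=$(wc -c < "$cert" | tr -d ' ')
    { cat "$rpm" "$WORK/sig.bin" "$cert"
      printf '%010d%010d%s' "$siglen" "$certlen" "$MAGIC"; } > "$out"
}

# split_and_verify <signed> <trust_anchor.pem> <outdir>
# Recovers pkg.rpm, sig.bin and cert.pem into outdir, checks the embedded cert
# against the caller's trust anchor (never trust the cert that rode along with
# the file), then verifies the signature over the original rpm bytes. Returns 0
# only when every step passes.
split_and_verify() {
    signed=$1; trust=$2; dir=$3
    mkdir -p "$dir"
    total=$(wc -c < "$signed" | tr -d ' ')
    trailer=$(tail -c 29 "$signed")
    [ "$(printf '%s' "$trailer" | cut -c21-29)" = "$MAGIC" ] || { echo "no signature trailer" >&2; return 1; }
    # strip leading zeros so the shell does not read the lengths as octal
    siglen=$(printf '%s' "$trailer" | cut -c1-10 | sed 's/^0*//')
    certlen=$(printf '%s' "$trailer" | cut -c11-20 | sed 's/^0*//')
    rpmlen=$((total - 29 - siglen - certlen))
    [ "$rpmlen" -gt 0 ] || { echo "bad lengths in trailer" >&2; return 1; }
    head -c "$rpmlen" "$signed" > "$dir/pkg.rpm"
    tail -c +$((rpmlen + 1)) "$signed" | head -c "$siglen" > "$dir/sig.bin"
    tail -c +$((rpmlen + siglen + 1)) "$signed" | head -c "$certlen" > "$dir/cert.pem"
    openssl verify -CAfile "$trust" "$dir/cert.pem" >/dev/null 2>&1 || { echo "certificate not trusted" >&2; return 1; }
    openssl x509 -in "$dir/cert.pem" -pubkey -noout > "$dir/pub.pem" || return 1
    openssl dgst -sha256 -verify "$dir/pub.pem" -signature "$dir/sig.bin" "$dir/pkg.rpm" >/dev/null 2>&1 \
        || { echo "signature does not match package" >&2; return 1; }
}

# Demo run: constructed stand-in for a package, sign, verify, tamper, verify again.
make_keypair
printf 'constructed bytes standing in for a real rpm file\n' > "$WORK/pkg.rpm"
sign_and_append "$WORK/pkg.rpm" "$WORK/key.pem" "$WORK/cert.pem" "$WORK/pkg.rpm.signed"
if split_and_verify "$WORK/pkg.rpm.signed" "$WORK/cert.pem" "$WORK/good"; then
    echo "intact package: verified"
fi
cp "$WORK/pkg.rpm.signed" "$WORK/pkg.rpm.tampered"
printf 'Z' | dd of="$WORK/pkg.rpm.tampered" bs=1 seek=3 conv=notrunc 2>/dev/null
if split_and_verify "$WORK/pkg.rpm.tampered" "$WORK/cert.pem" "$WORK/bad" 2>/dev/null; then
    echo "tampered package: verified (should not happen)"
else
    echo "tampered package: rejected"
fi
```

The trust anchor is a separate argument on purpose: the certificate carried inside the file is only evidence of who claims to have signed it, and `openssl verify -CAfile` against a store the verifier controls is what turns it into a decision. The same two functions work unchanged on a cpio payload extracted with rpm2cpio, since nothing here depends on the rpm format.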