Need information on RPM signing
Hello All I need to sign RPM using X509 Certificate and save the signatures (signature file ) along with the RPM package . 1. Is there any way can i do that ? 2. How can i save the these signature and any other certificates (X 509) and being not part of CPIO archive ? Thanks in advance regards srinivasan
Re: Need information on RPM signing
Hi Jeffrey Thanks for the information. It was really helpful I'm planning to go with the first approach (Signing Entire *.rpm Package and prepending the signature to rpm). Yes , I will sign and verify CPIO payload outside of RPM . Is there any way that i can prepend/append information to Built RPM file ? Thanks in advance regards srinivasan regards srini On Tue, Apr 14, 2015 at 8:47 PM, Jeffrey Johnson n3...@me.com wrote: On Apr 14, 2015, at 4:07 AM, srinivasan j v srinivasanj...@gmail.com wrote: Hello All I need to sign RPM using X509 Certificate and save the signatures (signature file ) along with the RPM package . 1. Is there any way can i do that ? 2. How can i save the these signature and any other certificates (X 509) and being not part of CPIO archive ? I have answered this before, but here are the answers again. The easiest approach is to sign the entire *.rpm package using openssl/nss or other X.509 tool. Then prepend or append the X.509 signature (and any other certs you wish to include) to the existing *.rpm package. You will need to write your own sign/verify scripts using existing tools to create/extract the prepended/appended signature (and certificates) and sign/verify the original *.rpm file. You can do the same operation on just the cpio payload instead of the entire *.rpm package if you wish by using rpm2cpio (or rpm2cpio.sh) to extract the just the cpio payload of the *.rpm package. If you wish RPM itself to support X.509 formatted signatures/certificates, there are two choices: 1) convert existing GPG signature/pubkeys used in *.rpm to X.509 format that can be used by tools like openssl/nss outside of rpm. 2) implement X.509 directly in RPM. The conversion of GPG signatures/pubkeys has been done: e.g. see pgp.com implementations. Direct support for X.509 signatures is a month (or so) of effort to implement and test using system(3) invocations of existing tools in openssl/nss. External tool invocations add an unacceptable (to many, including me) and complex dependency on existing crypto toolkits: rpm is expected to Just Work installing in chroot’s and on empty disks. A direct implementation in RPM to parse X.509 certificates and validate certificate chains to (at least partially) remove the crypto toolkit dependency is considerably more complex. Meanwhile you have been asking for signed cpio payloads in the past. The easy approach outlined above, using existing tools like openssl/rpm2cpio to write a 2 scripts for signing/verifying the cpio payload outside of rpm is by far the easiest approach. hth 73 de Jeff Thanks in advance regards srinivasan
Re: Need information on RPM signing
On Apr 14, 2015, at 4:07 AM, srinivasan j v srinivasanj...@gmail.com wrote: Hello All I need to sign RPM using X509 Certificate and save the signatures (signature file ) along with the RPM package . 1. Is there any way can i do that ? 2. How can i save the these signature and any other certificates (X 509) and being not part of CPIO archive ? I have answered this before, but here are the answers again. The easiest approach is to sign the entire *.rpm package using openssl/nss or other X.509 tool. Then prepend or append the X.509 signature (and any other certs you wish to include) to the existing *.rpm package. You will need to write your own sign/verify scripts using existing tools to create/extract the prepended/appended signature (and certificates) and sign/verify the original *.rpm file. You can do the same operation on just the cpio payload instead of the entire *.rpm package if you wish by using rpm2cpio (or rpm2cpio.sh) to extract the just the cpio payload of the *.rpm package. If you wish RPM itself to support X.509 formatted signatures/certificates, there are two choices: 1) convert existing GPG signature/pubkeys used in *.rpm to X.509 format that can be used by tools like openssl/nss outside of rpm. 2) implement X.509 directly in RPM. The conversion of GPG signatures/pubkeys has been done: e.g. see pgp.com http://pgp.com/ implementations. Direct support for X.509 signatures is a month (or so) of effort to implement and test using system(3) invocations of existing tools in openssl/nss. External tool invocations add an unacceptable (to many, including me) and complex dependency on existing crypto toolkits: rpm is expected to Just Work installing in chroot’s and on empty disks. A direct implementation in RPM to parse X.509 certificates and validate certificate chains to (at least partially) remove the crypto toolkit dependency is considerably more complex. Meanwhile you have been asking for signed cpio payloads in the past. The easy approach outlined above, using existing tools like openssl/rpm2cpio to write a 2 scripts for signing/verifying the cpio payload outside of rpm is by far the easiest approach. hth 73 de Jeff Thanks in advance regards srinivasan
Re: Need information on RPM signing
On Apr 14, 2015, at 12:37 PM, srinivasan j v srinivasanj...@gmail.com wrote: Hi Jeffrey Thanks for the information. It was really helpful I'm planning to go with the first approach (Signing Entire *.rpm Package and prepending the signature to rpm). Yes , I will sign and verify CPIO payload outside of RPM . Is there any way that i can prepend/append information to Built RPM file ? Thanks in advance I’m just suggesting using cat(1) to merge 2 files. There are magic numbers for the rpm headers that can be used to find the end of the signature/certificates while parsing. I’d duggest prepending so that a package can be handled in a single pass (but that may not be as useful in scripting as it is in rpm itself: a package can be read and installed in a single “streaming” pass because the signature is prepended rather than appended). hth 73 de Jeff regards srinivasan regards srini On Tue, Apr 14, 2015 at 8:47 PM, Jeffrey Johnson n3...@me.com mailto:n3...@me.com wrote: On Apr 14, 2015, at 4:07 AM, srinivasan j v srinivasanj...@gmail.com mailto:srinivasanj...@gmail.com wrote: Hello All I need to sign RPM using X509 Certificate and save the signatures (signature file ) along with the RPM package . 1. Is there any way can i do that ? 2. How can i save the these signature and any other certificates (X 509) and being not part of CPIO archive ? I have answered this before, but here are the answers again. The easiest approach is to sign the entire *.rpm package using openssl/nss or other X.509 tool. Then prepend or append the X.509 signature (and any other certs you wish to include) to the existing *.rpm package. You will need to write your own sign/verify scripts using existing tools to create/extract the prepended/appended signature (and certificates) and sign/verify the original *.rpm file. You can do the same operation on just the cpio payload instead of the entire *.rpm package if you wish by using rpm2cpio (or rpm2cpio.sh) to extract the just the cpio payload of the *.rpm package. If you wish RPM itself to support X.509 formatted signatures/certificates, there are two choices: 1) convert existing GPG signature/pubkeys used in *.rpm to X.509 format that can be used by tools like openssl/nss outside of rpm. 2) implement X.509 directly in RPM. The conversion of GPG signatures/pubkeys has been done: e.g. see pgp.com http://pgp.com/ implementations. Direct support for X.509 signatures is a month (or so) of effort to implement and test using system(3) invocations of existing tools in openssl/nss. External tool invocations add an unacceptable (to many, including me) and complex dependency on existing crypto toolkits: rpm is expected to Just Work installing in chroot’s and on empty disks. A direct implementation in RPM to parse X.509 certificates and validate certificate chains to (at least partially) remove the crypto toolkit dependency is considerably more complex. Meanwhile you have been asking for signed cpio payloads in the past. The easy approach outlined above, using existing tools like openssl/rpm2cpio to write a 2 scripts for signing/verifying the cpio payload outside of rpm is by far the easiest approach. hth 73 de Jeff Thanks in advance regards srinivasan