Understanding Yum's gpgcheck in depth
Tutorial followed
Secure distribution of RPM packages
Experiment: testing gpg
Create the private repository privateRepo
mkdir /home/privateRepo/
Upload an unsigned RPM package to /home/privateRepo/
rpm -pqi /home/privateRepo/jdk-10.0.1_linux-x64_bin.rpm
Name        : jdk-10.0.1                       Relocations: /usr/java
Version     : 10.0.1                           Vendor: Oracle America
Release     : ga                               Build Date: Tue 27 Mar 2018 01:24:18 AM GMT
Install Date: (not installed)                  Build Host: sca00ida.us.oracle.com
Group       : Development/Tools                Source RPM: jdk-10.0.1-10.0.1-ga.src.rpm
Size        : 578524676                        License: http://java.com/license
Signature   : (none)
URL         : URL_REF
Summary     : Java Platform Standard Edition Development Kit
Description :
The Java Platform Standard Edition Development Kit (JDK) includes both the runtime environment (Java Virtual Machine, the Java platform classes and supporting files) and development tools (compilers, debuggers,
Enable gpgcheck in the repo file
vi /etc/yum.repos.d/privateRepo.repo
[privateRepo]
name=privateRepo-gpg-test
baseurl=file:///home/privateRepo
enabled=1
gpgcheck=1
Build the repository index
createrepo /home/privateRepo/
Spawning worker 0 with 1 pkgs
Workers Finished
Gathering worker results
Saving Primary metadata
Saving file lists metadata
Saving other metadata
Generating sqlite DBs
Sqlite DBs complete
Query the package with yum
yum clean all
yum list | grep jdk
jdk-10.0.1.x86_64                 2000:10.0.1-ga                 privateRepo
Install jdk-10.0.1.x86_64
yum install jdk-10.0.1.x86_64
Loaded plugins: fastestmirror, post-transaction-actions
Setting up Install Process
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package jdk-10.0.1.x86_64 2000:10.0.1-ga will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch        Version             Repository         Size
================================================================================
Installing:
 jdk-10.0.1       x86_64      2000:10.0.1-ga      privateRepo       306 M

Transaction Summary
================================================================================
Install       1 Package(s)

Total download size: 306 M
Installed size: 552 M
Is this ok [y/N]: y
Downloading Packages:
Package jdk-10.0.1_linux-x64_bin.rpm is not signed
- Installation fails: with gpgcheck=1, yum refuses an unsigned package.
Sign the package
gpg --list-keys
/home/nobody/.gnupg/pubring.gpg
-------------------------------
pub   2048R/230C0099 2016-03-15
uid                  Gavin Ni <guani@cisco.com>
sub   2048R/3E679AEF 2016-03-15
gpg --export -a guani@cisco.com > /home/nobody/privateRepo.key
rpm --define '_gpg_name Gavin Ni' --define '_gpg_path /home/nobody/.gnupg' --addsign /home/privateRepo/jdk-10.0.1_linux-x64_bin.rpm
Enter pass phrase:
gpg: WARNING: unsafe ownership on homedir `/home/nobody/.gnupg'
Pass phrase is good.
/home/privateRepo/jdk-10.0.1_linux-x64_bin.rpm:
gpg: WARNING: unsafe ownership on homedir `/home/nobody/.gnupg'
gpg: WARNING: unsafe ownership on homedir `/home/nobody/.gnupg'
Verify the signature
rpm -pqi /home/privateRepo/jdk-10.0.1_linux-x64_bin.rpm
Name        : jdk-10.0.1                       Relocations: /usr/java
Version     : 10.0.1                           Vendor: Oracle America
Release     : ga                               Build Date: Tue 27 Mar 2018 01:24:18 AM GMT
Install Date: (not installed)                  Build Host: sca00ida.us.oracle.com
Group       : Development/Tools                Source RPM: jdk-10.0.1-10.0.1-ga.src.rpm
Size        : 578524676                        License: http://java.com/license
Signature   : RSA/SHA1, Thu 30 Aug 2018 03:30:08 AM GMT, Key ID 952e62c3230c0099
URL         : URL_REF
Summary     : Java Platform Standard Edition Development Kit
Description :
The Java Platform Standard Edition Development Kit (JDK) includes both the runtime environment (Java Virtual Machine, the Java platform classes and supporting files) and development tools (compilers, debuggers, tool libraries and other tools).
Install again; the installation still fails
yum install jdk-10.0.1.x86_64
Loaded plugins: fastestmirror, post-transaction-actions
Setting up Install Process
Loading mirror speeds from cached hostfile
qa_mav_centos6                                           | 1.2 kB     00:00
qa_mav_centos6.7_noarch                                  | 1.2 kB     00:00
qa_mav_centos6.7_x86_64                                  | 1.2 kB     00:00
Resolving Dependencies
--> Running transaction check
---> Package jdk-10.0.1.x86_64 2000:10.0.1-ga will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch        Version             Repository         Size
================================================================================
Installing:
 jdk-10.0.1       x86_64      2000:10.0.1-ga      privateRepo       306 M

Transaction Summary
================================================================================
Install       1 Package(s)

Total download size: 306 M
Installed size: 552 M
Is this ok [y/N]: y
Downloading Packages:
Error Downloading Packages:
  2000:jdk-10.0.1-10.0.1-ga.x86_64: failure: jdk-10.0.1_linux-x64_bin.rpm from privateRepo: [Errno 256] No more mirrors to try.
createrepo has to be run again: signing rewrote the .rpm file, so the checksums recorded in the existing repodata no longer match it and yum rejects the download.
createrepo /home/privateRepo/
Installation still fails
[root@mtRobincmc001 yum.repos.d]# yum install jdk-10.0.1.x86_64
Loaded plugins: fastestmirror, post-transaction-actions
Setting up Install Process
Loading mirror speeds from cached hostfile
qa_mav_centos6                                           | 1.2 kB     00:00
qa_mav_centos6.7_noarch                                  | 1.2 kB     00:00
qa_mav_centos6.7_x86_64                                  | 1.2 kB     00:00
Resolving Dependencies
--> Running transaction check
---> Package jdk-10.0.1.x86_64 2000:10.0.1-ga will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch        Version             Repository         Size
================================================================================
Installing:
 jdk-10.0.1       x86_64      2000:10.0.1-ga      privateRepo       306 M

Transaction Summary
================================================================================
Install       1 Package(s)

Total download size: 306 M
Installed size: 552 M
Is this ok [y/N]: y
Downloading Packages:
jdk-10.0.1_linux-x64_bin.rpm                             | 306 MB     00:04
warning: rpmts_HdrFromFdno: Header V4 RSA/SHA1 Signature, key ID 230c0099: NOKEY
Public key for jdk-10.0.1_linux-x64_bin.rpm is not installed
Export the public key so that clients can import it
gpg --export -a rpmsign@example.com > /home/privateRepo/example-com.key
Add gpgkey to the yum repo file
[privateRepo]
name=privateRepo-gpg-test
baseurl=file:///home/privateRepo
enabled=1
gpgcheck=1
gpgkey=file:///home/privateRepo/privateRepo.key
Install once more; this time it succeeds
[root@mtRobincmc001 ~]# yum install jdk
Loaded plugins: fastestmirror, post-transaction-actions
Setting up Install Process
Loading mirror speeds from cached hostfile
qa_mav_centos6                                           | 1.2 kB     00:00
qa_mav_centos6.7_noarch                                  | 1.2 kB     00:00
qa_mav_centos6.7_x86_64                                  | 1.2 kB     00:00
Resolving Dependencies
--> Running transaction check
---> Package jdk-10.0.1.x86_64 2000:10.0.1-ga will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch        Version             Repository         Size
================================================================================
Installing:
 jdk-10.0.1       x86_64      2000:10.0.1-ga      privateRepo       306 M

Transaction Summary
================================================================================
Install       1 Package(s)

Total download size: 306 M
Installed size: 552 M
Is this ok [y/N]: y
Downloading Packages:
jdk-10.0.1_linux-x64_bin.rpm                             | 306 MB     00:03
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 2000:jdk-10.0.1-10.0.1-ga.x86_64                             1/1
Unpacking JAR files...
        plugin.jar...
        javaws.jar...
        deploy.jar...
cp: cannot stat `/usr/java/jdk-10.0.1/lib/desktop/icons/hicolor/16x16/apps/sun-java.png': No such file or directory
cp: cannot stat `/usr/java/jdk-10.0.1/lib/desktop/icons/hicolor/16x16/apps/sun-javaws.png': No such file or directory
cp: cannot stat `/usr/java/jdk-10.0.1/lib/desktop/icons/hicolor/48x48/apps/sun-java.png': No such file or directory
cp: cannot stat `/usr/java/jdk-10.0.1/lib/desktop/icons/hicolor/48x48/apps/sun-javaws.png': No such file or directory
cp: cannot stat `/usr/java/jdk-10.0.1/lib/desktop/icons/hicolor/48x48/apps/sun-java.png': No such file or directory
cp: cannot stat `/usr/java/jdk-10.0.1/lib/desktop/icons/hicolor/48x48/apps/sun-javaws.png': No such file or directory
Running post transaction command: /opt/mav/bin/mav-event "yum_event" "install jdk-10.0.1-10.0.1-ga.x86_64 @ %DTE% from privateRepo 2000"
  Verifying  : 2000:jdk-10.0.1-10.0.1-ga.x86_64                             1/1

Installed:
  jdk-10.0.1.x86_64 2000:10.0.1-ga

Complete!
Summary
- /etc/yum.repos.d/privateRepo.repo takes effect on the yum client side only.
- gpgcheck=1 in privateRepo.repo only affects the install step; it has no effect on building the index on the server side (createrepo). However, once packages have been signed, createrepo must be run again.
A secure private RPM repository
- Serve the RPMs over https
- Sign the RPMs with gpg
- Make sure gpgcheck=1 is set on every client
- Serve the gpg public key over https as well
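A server-side check that enforces the signing points of this checklist, and the lesson of the walkthrough above that createrepo must follow signing, by refusing to rebuild the index while any package is unsigned or signed by the wrong key. This is an added example, not code from the original post; it assumes the short key ID 230c0099 and the /home/privateRepo layout from the walkthrough, that the signer's public key has already been imported with rpm --import on the build host, and that rpm -qpi prints the "Signature :" line in the format shown above.

```shell
#!/bin/sh
# Pre-publish gate for a private yum repo (added example, not from the post):
# only run createrepo when every RPM is signed by the expected key AND the
# signature verifies. Assumes `rpm --import` of the signer's key was done first.

# classify_sig SIGTEXT KEYID
# SIGTEXT is the "Signature :" value from `rpm -qpi`, e.g.
# "RSA/SHA1, Thu 30 Aug 2018 03:30:08 AM GMT, Key ID 952e62c3230c0099" or
# "(none)". Prints unsigned | ok:<keyid> | wrongkey:<keyid>; returns 0 only
# when the last 8 hex digits of the key ID equal the short KEYID yum reports.
classify_sig() {
    sig=$1
    expect=$2
    case "$sig" in
        ""|"(none)") echo unsigned; return 1 ;;
    esac
    keyid=$(printf '%s\n' "$sig" | sed -n 's/.*Key ID \([0-9a-fA-F]*\).*/\1/p')
    short=$(printf '%s' "$keyid" | tail -c 8)
    if [ -n "$keyid" ] && [ "$short" = "$expect" ]; then
        echo "ok:$keyid"
        return 0
    fi
    echo "wrongkey:$keyid"
    return 2
}

# gate_repo DIR KEYID -> 0 when every *.rpm in DIR passes, non-zero otherwise.
gate_repo() {
    dir=$1
    expect=$2
    bad=0
    for pkg in "$dir"/*.rpm; do
        [ -e "$pkg" ] || { echo "no RPMs found in $dir"; return 1; }
        sig=$(rpm -qpi "$pkg" 2>/dev/null | sed -n 's/^Signature *: *//p')
        verdict=$(classify_sig "$sig" "$expect") || {
            echo "REJECT $pkg: $verdict"; bad=1; continue; }
        # Key ID matches; now let rpm verify the signature cryptographically
        # (rpm -K exits non-zero on a bad signature or a missing public key).
        rpm -K "$pkg" >/dev/null 2>&1 || {
            echo "REJECT $pkg: signature does not verify"; bad=1; continue; }
        echo "ACCEPT $pkg: $verdict"
    done
    return $bad
}

# Usage: sh repo-gate.sh /home/privateRepo 230c0099
# The repo is only touched when both arguments are supplied.
if [ $# -eq 2 ]; then
    gate_repo "$1" "$2" && createrepo "$1"
fi
```

Run it from the same account that signs packages, before (and instead of a bare) createrepo, so a client with gpgcheck=1 never sees the "is not signed" or NOKEY failures from the walkthrough.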