Simplest Enterprise Continuous Integration Solutions

Saturday, January 12, 2013

Enterprise Linux: Enable GPG signature checking for custom RPM package

# after generating the GPG signing key on EL5.x (gpg --gen-key, not shown)

[root@linux64-rpm-build-server ~]# uname -a
Linux linux64-rpm-build-server 2.6.32-100.0.19.el5 #1 SMP Fri Sep 17 17:51:41 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
[root@linux64-rpm-build-server ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.5 (Tikanga)

# make GPG public/private keys
# NOTE(review): the key listed below is a 1024-bit DSA signing key, which produces the
# DSA/SHA1 package signatures seen in the Signature tag further down; both are weak by
# current standards, so prefer an RSA key of at least 2048 bits and a SHA-256 digest where
# the target rpm supports it. The exported .private file is protected only by its
# passphrase: keep it off the repo/web host, restrict it (chmod 600) and never publish it
# next to the .public file.

[buildmaster@linux64-rpm-build-server ~]$ gpg --list-keys
/home/buildmaster/.gnupg/pubring.gpg
------------------------------------------
pub   1024D/49A8C4DE 2012-05-26
uid                  Build Master (RPM Development) <buildmaster@my-company-name.com>
sub   2048g/60FA8C11 2012-05-26
[buildmaster@linux64-rpm-build-server ~]$ gpg --list-secret-keys
/home/buildmaster/.gnupg/secring.gpg
------------------------------------------
sec   1024D/49A8C4DE 2012-05-26
uid                  Build Master (RPM Development) <buildmaster@my-company-name.com>
ssb   2048g/60FA8C11 2012-05-26
[buildmaster@linux64-rpm-build-server ~]$ gpg --export-secret-key -a 49A8C4DE > MYCOMPANY-GPG-KEY.private
[buildmaster@linux64-rpm-build-server ~]$ gpg --export -a 49A8C4DE > MYCOMPANY-GPG-KEY.public
[buildmaster@linux64-rpm-build-server ~]$ file MYCOMPANY-GPG-KEY.public
MYCOMPANY-GPG-KEY.public: PGP armored data public key block
[buildmaster@linux64-rpm-build-server ~]$ file MYCOMPANY-GPG-KEY.private
MYCOMPANY-GPG-KEY.private: PGP armored data

# non-root user RPM build environment configuration
# NOTE(review): %_gpg_name is matched against key user IDs as a substring, so "Build Master"
# could select a different key if another one with a similar uid is ever added to this
# keyring; the key ID (49A8C4DE) or the full uid is unambiguous.

[buildmaster@linux64-rpm-build-server ~]$ echo "%_signature gpg" >> ~/.rpmmacros
[buildmaster@linux64-rpm-build-server ~]$ echo "%_gpg_name  Build Master" >> ~/.rpmmacros
[buildmaster@linux64-rpm-build-server ~]$ find /home/buildmaster/rpmbuild/
/home/buildmaster/rpmbuild/
/home/buildmaster/rpmbuild/RPMS
/home/buildmaster/rpmbuild/RPMS/x86_64
/home/buildmaster/rpmbuild/RPMS/noarch
/home/buildmaster/rpmbuild/RPMS/i686
/home/buildmaster/rpmbuild/BUILD
/home/buildmaster/rpmbuild/SOURCES
/home/buildmaster/rpmbuild/SPECS
/home/buildmaster/rpmbuild/SPECS/demo.spec
/home/buildmaster/rpmbuild/SRPMS

# example of demo.spec

[buildmaster@linux64-rpm-build-server ~]$ cat /home/buildmaster/rpmbuild/SPECS/demo.spec
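#
# spec file for package 'name' (version 'v')
#
# The software is released as specified below.
#
# NOTE(review): there is no BuildRoot and no %install section, so the payload listed
# under %files appears to be taken straight from the build host's /usr/local (the
# directory staged with chown below). Whatever is in that directory at build time ends
# up in the signed package, so keep it under change control.
Name: my-rpm-demo
Version: 2.1
Release: 120628
Summary: my-rpm-demo
Vendor: my-company-name
License: Free
URL: http://my-company-name.com
Group: Application
Prefix: /usr/local
# The package is built with --target noarch; declaring it here makes the spec
# self-describing and removes the need for the command-line flag.
BuildArch: noarch

%description
This RPM contains my-rpm-demo from my-company-name

%pre

%post

%preun

%files
# Explicit modes: with "-" as the mode, the on-disk mode is packaged as-is, which would
# ship the chmod -R 777 modes used to give the build user access. Use %attr for any
# file that must be executable.
%defattr(0644,root,root,0755)
%doc

/usr/local/my-rpm-demo

%changelog
* Sat Jul 28 2012 Build Master <buildmaster@my-company-name.com>
- Initial Spec File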

# make sure the non-root build user has access
# NOTE(review): the chown below is enough for that; chmod -R 777 is not needed and,
# because the spec's %defattr(-,root,root) keeps on-disk modes, world-writable files
# would be shipped inside the signed RPM and installed that way on every consumer host.

[root@linux64-rpm-build-server ~]# chmod -R 777 /usr/local/my-rpm-demo
[root@linux64-rpm-build-server ~]# chown -R buildmaster:buildmaster /usr/local/my-rpm-demo
[root@linux64-rpm-build-server ~]# cat /usr/local/my-rpm-demo/demo.txt
This is for testing

# non-root user build RPM

[buildmaster@linux64-rpm-build-server ~]$ rpmbuild -bb /home/buildmaster/rpmbuild/SPECS/demo.spec --target noarch
Building target platforms: noarch
Building for target noarch
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.88391
+ umask 022
+ cd /home/buildmaster/rpmbuild/BUILD
+ LANG=C
+ export LANG
+ unset DISPLAY
+ exit 0
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.88391
+ umask 022
+ cd /home/buildmaster/rpmbuild/BUILD
+ LANG=C
+ export LANG
+ unset DISPLAY
+ exit 0
Executing(%install): /bin/sh -e /var/tmp/rpm-tmp.88391
+ umask 022
+ cd /home/buildmaster/rpmbuild/BUILD
+ LANG=C
+ export LANG
+ unset DISPLAY
+ /usr/lib/rpm/redhat/brp-compress
+ /usr/lib/rpm/redhat/brp-strip /usr/bin/strip
+ /usr/lib/rpm/redhat/brp-strip-static-archive /usr/bin/strip
+ /usr/lib/rpm/redhat/brp-strip-comment-note /usr/bin/strip /usr/bin/objdump
+ /usr/lib/rpm/brp-python-bytecompile
+ /usr/lib/rpm/redhat/brp-java-repack-jars
Processing files: my-rpm-demo-2.1-120628
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Checking for unpackaged file(s): /usr/lib/rpm/check-files %{buildroot}
Wrote: /home/buildmaster/rpmbuild/RPMS/noarch/my-rpm-demo-2.1-120628.noarch.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.4351
+ umask 022
+ cd /home/buildmaster/rpmbuild/BUILD
+ exit 0

# YUM repo configuration via httpd
# NOTE(review): the repodata/ directory (createrepo output) is not shown in this listing
# but yum requires it. Unless repomd.xml is signed as well, gpgcheck=1 covers only the
# packages, not the metadata that decides which package is "latest".

[root@mt-olinux64-y06 ~]# find /var/www/html/test-rpm/
/var/www/html/test-rpm/
/var/www/html/test-rpm/2u1
/var/www/html/test-rpm/2u1/el
/var/www/html/test-rpm/2u1/el/5
/var/www/html/test-rpm/2u1/el/5/RPMS
/var/www/html/test-rpm/2u1/el/5/RPMS/x86_64
/var/www/html/test-rpm/2u1/el/5/RPMS/noarch/my-rpm-demo-2.1-120628.noarch.rpm
/var/www/html/test-rpm/2u1/el/5/RPMS/i686
/var/www/html/test-rpm/2u1/el/6
/var/www/html/test-rpm/2u1/el/6/RPMS
/var/www/html/test-rpm/2u1/el/6/RPMS/x86_64
/var/www/html/test-rpm/2u1/el/6/RPMS/noarch/my-rpm-demo-2.1-120628.noarch.rpm
/var/www/html/test-rpm/2u1/el/6/RPMS/i686
[root@mt-olinux64-y06 html]# chown -R buildmaster:buildmaster /var/www/html/test-rpm/

# sign RPM
# NOTE(review): rpm --resign replaces any existing signature (--addsign appends one).
# Here the file is signed in place under /var/www/html after being copied there, so if
# httpd is already serving the tree an unsigned copy is downloadable until this step
# completes; sign in the build output directory and publish afterwards.

[buildmaster@linux64-rpm-build-server ~]$ rpm --resign /var/www/html/test-rpm/2u1/el/6/RPMS/noarch/my-rpm-demo-2.1-120628.noarch.rpm
Enter pass phrase:
Pass phrase is good.
/var/www/html/test-rpm/2u1/el/6/RPMS/noarch/my-rpm-demo-2.1-120628.noarch.rpm:
gpg: WARNING: standard input reopened
gpg: WARNING: standard input reopened

# check signed RPM Signature tag
# NOTE(review): the NOKEY warning below means the signing public key is not in this
# host's rpm database; import it (rpm --import MYCOMPANY-GPG-KEY.public) and re-run
# rpm -K so the OK verdict is anchored to a key you explicitly trust.

[buildmaster@linux64-rpm-build-server ~]$ rpm -qip /var/www/html/test-rpm/2u1/el/6/RPMS/noarch/my-rpm-demo-2.1-120628.noarch.rpm
warning: /var/www/html/test-rpm/2u1/el/6/RPMS/noarch/my-rpm-demo-2.1-120628.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 49a8c4de
Name        : my-rpm-demo                  Relocations: /usr/local
Version     : 2.1                               Vendor: my-company-name
Release     : 120628                        Build Date: Tue 19 Jun 2012 02:13:39 PM EDT
Install Date: (not installed)               Build Host: linux64-rpm-build-server
Group       : Application                   Source RPM: my-rpm-demo-2.1-120628.src.rpm
Size        : 20                               License: Free
Signature   : DSA/SHA1, Tue 19 Jun 2012 04:00:43 PM EDT, Key ID 9a8f082149a8c4de
URL         : http://my-company-name.com
Summary     : my-rpm-demo
Description :
This RPM contains my-rpm-demo from my-company-name
[buildmaster@linux64-rpm-build-server ~]$ rpm --checksig --verbose /var/www/html/test-rpm/2u1/el/6/RPMS/noarch/my-rpm-demo-2.1-120628.noarch.rpm
/var/www/html/test-rpm/2u1/el/6/RPMS/noarch/my-rpm-demo-2.1-120628.noarch.rpm:
    Header V3 DSA signature: OK, key ID 49a8c4de
    Header SHA1 digest: OK (225ca746e87604d2bbe4dfaccb104ba79cfb21ec)
    MD5 digest: OK (fbda1a5b85a2b972c6390f9034ffce7e)
V3 DSA signature: OK, key ID 49a8c4de 

# install signed RPM on EL5.x
# NOTE(review): the key is fetched over plain HTTP, so on first use the "Importing GPG key"
# prompt is the trust anchor: compare the key ID (0x49A8C4DE) and fingerprint with the
# key exported on the build server before answering "y", or pre-import the key from a
# trusted channel so the prompt never appears.

[root@el5.x-server ~]# uname -a
Linux linux64-rpm-build-server 2.6.32-100.0.19.el5 #1 SMP Fri Sep 17 17:51:41 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
[root@el5.x-server ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.5 (Tikanga)
[root@el5.x-server ~]# cat /etc/yum.repos.d/my.repo
[my-company-name-el-5]
name=(local yum repo of) my-company-name latest el 5
baseurl=http://my-company-name.com/test-rpm/2u1/el/5
# The signing key is fetched over plain HTTP and trusted at an interactive prompt.
# An on-path attacker who can replace the packages can replace this key too, so
# pre-import it from a trusted channel (rpm --import) or serve key and repo over
# HTTPS, and check the fingerprint before answering "y".
gpgkey=http://my-company-name.com/test-rpm/MYCOMPANY-GPG-KEY
# gpgcheck=1 verifies package signatures only; repository metadata is not covered
# unless repomd.xml is signed and repo_gpgcheck is enabled (where the installed yum
# supports it).
gpgcheck=1
enabled=1
[root@el5.x-server ~]# yum install my-rpm-demo
Loaded plugins: security
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package my-rpm-demo.noarch 0:2.1-120628 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================================================================================================
Package                          Arch                        Version                            Repository                                 Size
=================================================================================================================================================
Installing:
my-rpm-demo                      noarch                      2.1-120628                         my-company-name-el-5                      2.2 k

Transaction Summary
=================================================================================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 2.2 k
Is this ok [y/N]: y
Downloading Packages:
my-rpm-demo-2.1-120628.noarch.rpm                                                                                         | 2.2 kB     00:00
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 49a8c4de
my-company-name-el-5/gpgkey                                                                                               | 1.7 kB     00:00
Importing GPG key 0x49A8C4DE "Build Master (RPM Development) <buildmaster@my-company-name.com>" from http://my-company-name.com/test-rpm/MYCOMPANY-GPG-KEY
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : my-rpm-demo                                                                                                               1/1

Installed:
  my-rpm-demo.noarch 0:2.1-120628

Complete!
[root@el5.x-server ~]# rpm -qi my-rpm-demo
Name        : my-rpm-demo                  Relocations: /usr/local
Version     : 2.1                               Vendor: my-company-name
Release     : 120628                        Build Date: Tue 19 Jun 2012 02:13:39 PM EDT
Install Date: Tue 19 Jun 2012 04:11:39 PM EDT      Build Host: linux64-rpm-build-server
Group       : Application                   Source RPM: my-rpm-demo-2.1-120628.src.rpm
Size        : 20                               License: Free
Signature   : DSA/SHA1, Tue 19 Jun 2012 04:00:43 PM EDT, Key ID 9a8f082149a8c4de
URL         : http://my-company-name.com
Summary     : my-rpm-demo
Description :
This RPM contains my-rpm-demo from my-company-name

# install signed RPM on EL6.x
# NOTE(review): same trust caveat as on EL5 — the key is retrieved over plain HTTP, so
# verify the key ID (0x49A8C4DE) and fingerprint against the build server's export at the
# import prompt, or pre-import the key from a trusted channel.

[root@el6.x-server ~]# uname -a
Linux ol6u3-y01 2.6.32-279.el6.x86_64 #1 SMP Thu Jun 21 15:00:18 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux
[root@el6.x-server ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.3 (Santiago)
[root@el6.x-server ~]# cat /etc/yum.repos.d/my.repo
[my-company-name-el-6]
name=(local yum repo of) my-company-name latest el 6
baseurl=http://my-company-name.com/test-rpm/2u1/el/6
# The signing key is fetched over plain HTTP and trusted at an interactive prompt.
# An on-path attacker who can replace the packages can replace this key too, so
# pre-import it from a trusted channel (rpm --import) or serve key and repo over
# HTTPS, and check the fingerprint before answering "y".
gpgkey=http://my-company-name.com/test-rpm/MYCOMPANY-GPG-KEY
# gpgcheck=1 verifies package signatures only; repository metadata is not covered
# unless repomd.xml is signed and repo_gpgcheck is enabled (where the installed yum
# supports it).
gpgcheck=1
enabled=1
[root@el6.x-server ~]# yum install my-rpm-demo
Loaded plugins: security
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package my-rpm-demo.noarch 0:2.1-120628 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================================================================================================
Package                          Arch                        Version                            Repository                                 Size
=================================================================================================================================================
Installing:
my-rpm-demo                      noarch                      2.1-120628                         my-company-name-el-6                      2.2 k

Transaction Summary
=================================================================================================================================================
Install       1 Package(s)

Total download size: 2.2 k
Installed size: 20
Is this ok [y/N]: y
Downloading Packages:
my-rpm-demo-2.1-120628.noarch.rpm                                                                                         | 2.2 kB     00:00
warning: rpmts_HdrFromFdno: Header V3 DSA/SHA1 Signature, key ID 49a8c4de: NOKEY
Retrieving key from http://my-company-name.com/test-rpm/MYCOMPANY-GPG-KEY
Importing GPG key 0x49A8C4DE:
Userid: "Build Master (RPM Development) <buildmaster@my-company-name.com>"
From  : http://my-company-name.com/test-rpm/MYCOMPANY-GPG-KEY
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : my-rpm-demo-2.1-120628.noarch                                                                                                 1/1
  Verifying  : my-rpm-demo-2.1-120628.noarch                                                                                                 1/1

Installed:
  my-rpm-demo.noarch 0:2.1-120628

Complete!
[root@el6.x-server ~]# rpm -qi my-rpm-demo
Name        : my-rpm-demo                  Relocations: /usr/local
Version     : 2.1                               Vendor: my-company-name
Release     : 120628                        Build Date: Tue 19 Jun 2012 02:13:39 PM EDT
Install Date: Tue 19 Jun 2012 04:14:24 PM EDT      Build Host: linux64-rpm-build-server
Group       : Application                   Source RPM: my-rpm-demo-2.1-120628.src.rpm
Size        : 20                               License: Free
Signature   : DSA/SHA1, Tue 19 Jun 2012 04:00:43 PM EDT, Key ID 9a8f082149a8c4de
URL         : http://my-company-name.com
Summary     : my-rpm-demo
Description :


This RPM contains my-rpm-demo from my-company-name
