ubuntu 建立本地deb軟體包時,對Release檔案做gpg簽名
Ubuntu 16.04 (xenial) 在將本地deb軟體包建立repo時候,跟14.04以前的版本相比,強制要求gpg對Release檔案簽名,否則無法使用:
Reading package lists... Done
W: The repository 'http://10.245.254.93/linux/ubuntu/updates/xenial ./ Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
這時候, gpg 軟體登場了。
1.1 GPG 建立的密匙,可供加密檔案及簽名檔案使用, 也可建立專供簽名檔案使用的密匙。
金鑰建立過程中,需要使用到足夠的隨機數(random),可先行安裝rng-tools, 該工具可以常駐後臺的方式, 生成隨機數,避免gpg金鑰建立過程中的長時間等待問題
# apt-get install rng-tools
# rngd -r /dev/urandom
# gpg --gen-key
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <[email protected]>"
Real name: Ubuntu Local Archive Automatic Signing Key
Email address: [email protected]ispc.cn
Comment: 2017
You selected this USER-ID:
"Ubuntu Local Archive Automatic Signing Key (2017) <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
gpg: gpg-agent is not available in this session
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
......+++++
+++++
gpg: key 7A1E912A marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
pub 4096R/7A1E912A 2017-03-15
Key fingerprint = A11A 69B7 15AB B83A C6AC 4282 02FE 7153 F5A2 4A14
uid Ubuntu Local Archive Automatic Signing Key (2017) <[email protected]ispc.cn
1.2 匯出gpg公鑰和私鑰,並放到可下載的地方,比如某個web
私鑰,供Server端,對release檔案簽名使用
公鑰,需在Ubuntu client 匯入,供apt-get使用
# gpg --list-key
# gpg -k
/root/.gnupg/pubring.gpg
------------------------
pub 4096R/7A1E912A 2017-03-02 [expires: 2022-03-01]
uid Ubuntu Local Archive Automatic Signing Key (2017) <mac@ispc.cn>
# gpg -a --export 7A1E912A > Ubuntu_Local_Archive_Automatic_Signing_Key_2017.pub
# gpg -a --export-secret-keys 7A1E912A > Ubuntu_Local_Archive_Automatic_Signing_Key_2017.sec
2. 建立Package file
# rm -f Packages.gz Packages
# apt-ftparchive packages . | gzip -9c > Packages.gz
# gunzip -k Packages.gz
使用下面這種internet上常見的方式,必須先安裝dpkg-dev軟體包, 與使用apt-ftparchive 方式,可一樣達到目的,但apt-ftparchive是系統預設已經安裝的軟體包,不需要再安裝,個人認為有優勢
(但不能檢查並提示同名軟體包的不同版本。解決辦法是,提前在deb軟體包尚在目錄內/var/cache/apt/archives的時候,使用apt-get autoclean命令,清除老版本軟體包)
# dpkg-scanpackages . /dev/null | gzip -9c > Packages.gz
3. 建立release file
# apt-ftparchive release ./ > Release
# gpg -abs --default-key 7A1E912A -o Release.gpg Release
# gpg --clearsign --default-key 7A1E912A -o InRelease Release
4. 對release file簽名
# gpg -abs --default-key 7A1E912A -o Release.gpg Release
# gpg --clearsign --default-key 7A1E912A -o InRelease Release
5. 修改ubuntu client sources.list
# echo "deb [arch=amd64] http://10.245.254.93/linux/ubuntu/updates/xenial ./" >> /etc/apt/sources.list
6. 下載並匯入給release file 簽名的公鑰
#wget http://10.245.254.93/linux/ubuntu/updates/gpg/Ubuntu_Local_Archive_Automatic_Signing_Key_2017.pub
# apt-key add Ubuntu_Local_Archive_Automatic_Signing_Key_2017.pub
7. 可以使用了
# apt-get udpate
【重要】
GPG在給檔案簽名時候,預設使用SHA1演算法,導致在後續使用過程中,出現下述告警:
Release.gpg: Signature by key ADAF3EDBBB0035413FD4FEDBB3E7CC5C7A1E912A uses weak digest algorithm (SHA1)
解決辦法:
http://apache.org/dev/openpgp.html
https://keyring.debian.org/creating-key.html
這2個比較權威的網站上的冗長的解釋,那是因為人家要做全面解釋介紹,步驟當然多點。
文章中提到的引數default-preference-list(預設偏好清單),並定義:SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed. 個人認為, 這裡定義的是可使用的加密演算法清單,而不是演算法順序, 誰在前誰在後,無關大雅。可在這裡定義,或者直接使用預設值,所以壓根不用關心這個步驟。
最後,只需要下面簡單步驟:
在給Releases檔案簽名前,修改~/.gnupg/gpg.conf, 定義引數personal-digest-preferences(the digest used for signing messages)為SHA256。
另SHA224,SHA256,SHA384,SHA512幾個選項,可根據需求隨意選擇,只要不用SHA1就好,要不你就又繞回去了:(
# echo "personal-digest-preferences SHA256" >> ~/.gnupg/gpg.conf
# gpg -abs --default-key 7A1E912A -o Release.gpg Release
also can use gpg command option, example:
# gpg -abs --default-key 7A1E912A --personal-digest-preferences SHA256 -o Release.gpg Release
-----------------------------
8. 指令碼方式使用
8.1 Server site
wget http://10.245.254.93/linux/ubuntu/updates/gpg/Ubuntu_Local_Archive_Automatic_Signing_Key_2017.sec
gpg --import Ubuntu_Local_Archive_Automatic_Signing_Key_2017.sec
echo "personal-digest-preferences SHA256" >> ~/.gnupg/gpg.conf
mkdir /opt/xenial
cp -rp /var/cache/apt/archives /opt/xenial
cd /opt/xenial
rm -rf Packages.gz Packages archives/lock archives/partial
apt-ftparchive packages . | gzip -9c > Packages.gz
gunzip -k Packages.gz
apt-ftparchive release ./ > Release
gpg -abs --default-key 7A1E912A --passphrase YourPasswd -o Release.gpg Release
gpg --clearsign --default-key 7A1E912A --passphrase YourPasswd -o InRelease Release
echo "deb [arch=amd64] file:///opt/xenial ./" >> /etc/apt/sources.list
apt-get update
8.2 Client site
echo "deb [arch=amd64] http://10.245.254.93/linux/ubuntu/updates/xenial ./" >> /etc/apt/sources.list
wget http://10.245.254.93/linux/ubuntu/updates/gpg/Ubuntu_Local_Archive_Automatic_Signing_Key_2017.pub
apt-key add Ubuntu_Local_Archive_Automatic_Signing_Key_2017.pub
apt-get update
補充:ubuntu apt-get 對軟體包索引,首先要求InRelease檔案,其次才去找Release、Release.gpg檔案; 這情況下, 其實只需要建立InRelease檔案(包含Release檔案和明文簽名)即可:
# gpg --clearsign --default-key 7A1E912A --passphrase YourPasswd -o InRelease Release
轉載地址:
https://my.oschina.net/u/3362827/blog/860711