by Veso (1-04-2006)



OpenPGP Integration in RPM

Copyright ©2006 Veselin Kolev, Sofia University "St. Kliment Ohridski"

License: CC Attribution-ShareAlike


  1. Introduction.
  2. Placing an OpenPGP certificate in the RPM database.
  3. Listing and reviewing the OpenPGP certificates installed in the RPM database.
  4. Viewing the contents of the OpenPGP certificates installed in the RPM database.
  5. Removing an installed OpenPGP certificate from the RPM database.
  6. Verifying the digital signature on a file containing an RPM package.
  7. Verifying the digital signature on an installed RPM package.

1. Introduction.

RPM[1] is a package system in which every package is integrated into a certificate-based model of authentication, and OpenPGP was chosen as that model (in OpenPGP terms the "certificate" is a public key together with its user IDs and the signatures made on them). When an RPM package file is built, its contents are signed and the digital signature is placed inside the RPM file itself (this sets RPM apart from package systems that keep the signature in a separate file outside the package). The signature therefore travels with the package file wherever it goes and identifies the person or organization that produced the package. The signature can also be made by whoever provides or distributes the package rather than by its creator, because a package can be re-signed; when re-signing, the creator's signature may be replaced by the distributor's.

When an RPM package is about to be installed, the signature embedded in it must be verified. Making this a routine practice sharply reduces the chance of substitution (a dangerous package being "slipped in" that could, for instance, open a hole in the system's security, destroy files, use resources without authorization, and so on). Of course, whoever installs the package must hold a copy of the OpenPGP certificate of the person or organization that signed it. From the point of view of the OpenPGP certificate model, it is not enough for the verifier merely to hold a copy of the certificate: they must be convinced of its authenticity. There must therefore be a channel for checking authenticity, for example a representative of the distributor vouching for the certificate, or the inherited-trust scheme of the Web of Trust (not discussed here).

The certificate store of the RPM database has nothing in common with the certificate stores of other applications, in particular GnuPG. Web of Trust checking is done in GnuPG against its own keyring, and only afterwards is the validated certificate transferred into the RPM database of OpenPGP certificates.

This article aims to show how the OpenPGP certificate model is integrated into the RPM package system. Deeper knowledge of RPM itself can be obtained from the various documents on the subject, most of which are freely available on the Internet. At the time of writing, the most complete user guide to the RPM package system is the one produced by the Fedora Core documentation project[2].

The article focuses on working with RPM in the Fedora Core and Red Hat Enterprise Linux distributions.

The author bears no responsibility for damage caused by applying the actions and techniques described here.

2. Placing an OpenPGP certificate in the RPM database.

To be placed in the RPM database, an OpenPGP certificate must be available as a text (ASCII) file in Base64 form, that is, an ASCII-armored key block. By their significance to the RPM database, OpenPGP certificates fall (purely by convention) into two kinds: those that attest the authenticity of packages in the distribution's own repositories, maintained by the distributor, and those that attest the authenticity of packages external to the distribution (for example from repositories the distributor does not maintain). All OpenPGP certificates in the RPM database go into one central container, the certificate store. In Fedora Core and Red Hat Enterprise Linux (and their derivatives) that store lives in the RPM database under /var/lib/rpm: the keys are recorded as pseudo-packages in the Packages file, and /var/lib/rpm/Pubkeys is the BerkeleyDB index that maps key IDs to them. Both are binary files and are never edited by hand.

  • OpenPGP certificates attesting the authenticity of package contents in the distribution's repositories

These are the certificates of the distribution's vendor. It is critically important that their authenticity be established beyond doubt, since they are used to verify the most important packages on the system (kernel, glibc, rpm and others). They are normally shipped with the distribution itself as ASCII files in the system's file tree, but are not installed into the RPM database. Depending on the distribution (or even the version of the distribution), their location varies:

  • Fedora Core 4 and Fedora Core 5

Before Fedora Core 4 the vendor's certificates were kept only in the directory /usr/share/rhn/. Starting with version 4 of Fedora Core, the distribution's OpenPGP certificates live in /etc/pki/rpm-gpg/. Here is an example of its contents:

-rw-r--r-- 1 root root 1910 Jun 3 2005 RPM-GPG-KEY
-rw-r--r-- 1 root root 1706 Jun 3 2005 RPM-GPG-KEY-beta
-rw-r--r-- 1 root root 1519 Jun 3 2005 RPM-GPG-KEY-fedora
-rw-r--r-- 1 root root 2043 Jun 3 2005 RPM-GPG-KEY-fedora-extras
-rw-r--r-- 1 root root 1105 Jun 3 2005 RPM-GPG-KEY-fedora-rawhide
-rw-r--r-- 1 root root 1076 Jun 3 2005 RPM-GPG-KEY-fedora-test
-rw-r--r-- 1 root root 1232 Jun 3 2005 RPM-GPG-KEY-rawhide

The certificates are placed there during installation of the distribution by the fedora-release package.

  • Red Hat Enterprise Linux 4

In this distribution the vendor's OpenPGP certificates are located in /usr/share/rhn/. They are installed together with the up2date package. Typical contents of /usr/share/rhn/ look like this:

drwxr-xr-x 2 root root 4096 Mar 8 19:04 actions
-rw-r--r-- 1 root root 1489 Mar 20 2002 BETA-RPM-GPG-KEY
-rwxr-xr-x 1 root root 0 Aug 9 2001 __init__.py
-rw-r--r-- 1 root root 106 Mar 7 20:45 __init__.pyc
drwxr-xr-x 2 root root 4096 Mar 8 19:32 rhn_applet
-rw-r--r-- 1 root root 11381 Aug 29 2003 RHNS-CA-CERT
-rw-r--r-- 1 root root 1913 Aug 30 2002 RPM-GPG-KEY
-rw-r--r-- 1 root root 1519 Oct 29 2003 RPM-GPG-KEY-fedora
-rw-r--r-- 1 root root 1076 Oct 29 2003 RPM-GPG-KEY-fedora-test
drwxr-xr-x 3 root root 4096 Mar 8 19:04 up2date_client

The most important OpenPGP certificate in this directory is the file RPM-GPG-KEY. It is used to verify the authenticity of all RPM packages, both the base ones and those that arrive as updates.

Although all these OpenPGP certificates are placed in the directories above by an RPM package that is part of the distribution, the question of their authenticity still has to be settled, and settled beyond doubt. Establishing authenticity lies outside the scope of RPM; external models and tools are used for it. One suitable way is the Web of Trust model. Another is the classic out-of-band check: compare the key's fingerprint (gpg --fingerprint) with the fingerprint the vendor publishes through an independent channel, such as printed documentation or the vendor's web site. If, on the other hand, the authenticity of the installation medium has been confirmed, it can be claimed with high probability that the package from which the OpenPGP certificates were installed has not been maliciously replaced and that the certificates it installed are authentic.

  • OpenPGP certificates attesting the authenticity of package contents in repositories external to the distribution

Most often copies of these OpenPGP certificates can be found in a file in the file tree of the repository itself. That a certificate sits in the repository's file tree does not make it authentic: whoever can replace packages on the repository, or on the path to it, can replace the key file just as easily. To verify its authenticity the Web of Trust model must be used.

Some package repositories have no file containing the OpenPGP certificate of the producer/distributor of their packages. In that case the certificate may be found on one of the key servers on the Internet. Afterwards the Web of Trust model is again applied to establish authenticity.

Here is an example of retrieving an OpenPGP certificate from a key server and saving it to an ASCII file, as a sequence of commands:

$ gpg --keyserver pgp.mit.edu --search dag@wieers.com
gpg: searching for "dag@wieers.com" from HKP server pgp.mit.edu
Keys 1-3 of 3 for "dag@wieers.com"
(1) Dag Wieers (Dag Apt Repository v1.0)
1024 bit DSA key 6B8D79E6, created 2003-08-23
(2) Dag Wieers
1024 bit DSA key A838A2DA, created 1997-06-21
(3) Dag Wieers
512 bit RSA key 51BFC045, created 1997-03-15
Enter number(s), N)ext, or Q)uit > 1
gpg: key 6B8D79E6: public key "Dag Wieers (Dag Apt Repository v1.0) " imported
gpg: Total number processed: 1
gpg: imported: 1

$ gpg -a --export 6B8D79E6 > RPM-DAG-GPG

The file RPM-DAG-GPG now contains the OpenPGP certificate with which the packages in that repository are signed. Before it is used, however, this certificate must be checked for authenticity through the Web of Trust or another authentication mechanism. A key server performs no such check: anyone can upload a key carrying any name and e-mail address, so the search result above proves nothing by itself.

Certificates can be placed in the RPM database in two ways. One uses the rpm tool on the command line; the other goes through yum.

  • placing an OpenPGP certificate in the RPM database with the rpm tool

This is the most convenient way to place certificates in the RPM database and can be illustrated with the following example (run as root):

# rpm --import /usr/share/rhn/RPM-GPG-KEY

After this command runs, the OpenPGP certificates from the file /usr/share/rhn/RPM-GPG-KEY are placed in the RPM database. Instead of the full path to the certificate file, a file transfer protocol such as FTP or HTTP can be used, giving the path to the file on a remote server. This is not recommended, except where both the transport and the source of the certificate file are reliably protected and authenticated. Such a transfer is requested with a protocol prefix, for example:

# rpm --import ftp://storage.server.tld/RPM-GPG-KEY

or

# rpm --import http://storage.server.tld/RPM-GPG-KEY

Bear in mind that network transport carries an additional risk, because the file is fetched with root privileges. This way of placing an OpenPGP certificate in the RPM database should therefore be avoided and used only as a last resort. The correct way is first to download the certificate file to the local file system, with the download started by an unprivileged user. The file is then checked to confirm that it really contains an OpenPGP certificate (the gpg tool can be used for this, and the key's fingerprint compared with a value obtained out of band), and only then is the certificate imported into the RPM database with root privileges and the rpm tool.

  • placing an OpenPGP certificate in the RPM database with the yum tool

In this case the path to the file containing the OpenPGP certificate (a path in the local file system or on a remote file server) is given on a separate line in the repository definition (it is good practice to tie each certificate to its own repository this way). Here is a sample entry:

[extras]
name=Fedora Extras $releasever - $basearch
#baseurl=http://download.fedora.redhat.com/pub/fedora/linux/extras/$releasever/$basearch/
mirrorlist=http://fedora.redhat.com/download/mirrors/fedora-extras-$releasever
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-extras
gpgcheck=1

Here the OpenPGP certificate used to verify the authenticity of the packages in the repository named extras is in the file named after the gpgkey keyword (in this case /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-extras), and gpgcheck=1 makes the verification mandatory for that repository. On first use of this repository, if the OpenPGP certificate named in the file above is not yet in the RPM database, a prompt is displayed in which the administrator must choose whether or not to import it into the database.

3. Listing and reviewing the OpenPGP certificates installed in the RPM database.

Every certificate is represented in the RPM database as a package, so it can be searched for as one with the usual tools. All OpenPGP certificates in the RPM database can be thought of as many simultaneously installed versions of a single package named gpg-pubkey. The versions of the gpg-pubkey packages are derived from the hexadecimal identifier of the public key at the core of the OpenPGP certificate. The version string consists of two hexadecimal numbers separated by a hyphen, of which the first is the identifier of the OpenPGP certificate. For example, in the package version

gpg-pubkey-db42a60e-37ea5438

the hexadecimal number db42a60e is the identifier (key ID) of the public key at the core of the OpenPGP certificate, and 37ea5438 is the key's creation time expressed as a hexadecimal Unix timestamp (0x37ea5438 corresponds to 23 September 1999, the date gpg prints below); rpm stores the key ID as the package Version and the timestamp as its Release. The key ID is what identifies a given certificate elsewhere too, for example in GnuPG:

$ gpg --list-keys db42a60e
pub 1024D/DB42A60E 1999-09-23 Red Hat, Inc
sub 2048g/961630A2 1999-09-23

  • listing the installed OpenPGP certificates with the rpm tool

To get a list of the OpenPGP certificates installed in the RPM database, run a query of the form:

$ rpm -q gpg-pubkey

The output of this query looks similar to the following:

gpg-pubkey-db42a60e-37ea5438
gpg-pubkey-4f2a6fd2-3f9d9d3b
gpg-pubkey-30c9ecf8-3f9da3f7
gpg-pubkey-7ad14380-43395f47
gpg-pubkey-6b8d79e6-3f49313d
gpg-pubkey-66534c2b-402ad7ae

  • listing the installed OpenPGP certificates with the yum tool

A command line of the following form can be used:

$ yum list gpg-pubkey

whose execution produces output of the type

Setting up repositories
Reading repository metadata in from local files
Installed Packages
gpg-pubkey.None 4f2a6fd2-3f9d9d3b installed
gpg-pubkey.None 6b8d79e6-3f49313d installed
gpg-pubkey.None db42a60e-37ea5438 installed
gpg-pubkey.None 30c9ecf8-3f9da3f7 installed
gpg-pubkey.None 66534c2b-402ad7ae installed
gpg-pubkey.None 7ad14380-43395f47 installed

4. Viewing the contents of the OpenPGP certificates installed in the RPM database.

The contents of the OpenPGP certificates installed in the RPM database can be viewed with the rpm and yum tools.

  • viewing the contents of an installed OpenPGP certificate with the rpm tool

Viewing the contents of an OpenPGP certificate installed in the RPM database with the rpm tool follows this pattern. First the certificate is selected by package name and version, as described above. Once it is chosen, a command line similar to the following is run:

$ rpm -q --info gpg-pubkey-4f2a6fd2-3f9d9d3b

which produces the result

Name : gpg-pubkey Relocations: (not relocatable)
Version : 4f2a6fd2 Vendor: (none)
Release : 3f9d9d3b Build Date: Tue 10 Jan 2006 12:46:44 PM EET
Install Date: Tue 10 Jan 2006 12:46:44 PM EET Build Host: localhost
Group : Public Keys Source RPM: (none)
Size : 0 License: pubkey
Signature : (none)
Summary : gpg(Fedora Project )
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.3.3 (beecrypt-3.0.0)

mQGiBD+dnTsRBACwnlz4AhctOLlVBAsq+RaU82nb5P3bD1YJJpsAce1Ckd2sBUOJD11NUCqH
8c7EctOquOZ5zTcWxHiWWbLyKQwUw2SUvnWa5SSbi8kI8q9MTPsPvhwtgMrQMLenMO+nsrxr
SaG6XcD+ssfJNxC7NQVCQAj3pvvg9rKi3ygsM7CXHwCghgsqX6TOr55HE90DbEsoq3b/jjsD
/i8aIZ6urUgrpAkQslcakXdJLKgSdwjRUgVZgvYZb7kAx1iPq0t/AhB3NJw3zW4AAKJohGg3
xj5K4V8PJEZrSIpoRYlF43Kqlfu2p5ghWT89SP4YAlWPeTqf0+dTYUYz3b144k2ZFOdRuXIR
xunoYNAUr9oMrxBXbJ/eY+0UQX3pBACYzKizyY4JJgd0zFJmNkcdK9nzcm+btYFnYQo33w5G
SE686UNr+9yiXt9tmPRvNEbj3u+xoAX8B/5k3aZ5NbUhV64/VcKlUdRIxNlFCG7I9KgxeHWA
Ywi7yqOGXM3T/v6o7GLdQEB0ChFqS7kUlqmwLV+C3QhlrFe/Cuk26i+Q6rQiRmVkb3JhIFBy
b2plY3QgPGZlZG9yYUByZWRoYXQuY29tPohbBBMRAgAbBQI/nZ07BgsJCAcDAgMVAgMDFgIB
Ah4BAheAAAoJELRCadBPKm/S2PAAnRTlhorITphab+oxAHtbxZF9BVyDAJ9WOVaZUG53IWWI
AXOGv3j/cmr3lohGBBMRAgAGBQI/nZ22AAoJECGRgM3bQqYOR5QAoIp1G+omVktq/snxpmz5
UeHjlSYjAKCRr/ea/L7S7ZTxB18cf1TYfad1x4hGBBARAgAGBQI/ntjgAAoJECnVuiSN9W0F
USUAoJnrone4J0o1HMkRz+6g9KVuO2FyAJ0XyebOzVmI9U5OyOfnNmYV0wnQcrkBDQQ/nZ08
EAQAugOfLWJbKwMA9vg2mJU594TZU0HRJkx/fqYhx0YxWWRpzplrEyvcDXuYcWi1Hwh0tD86
T4fR5GV6joWiWClzD+Hwhhb6gcSdeSGlGLlZAvWYtFSHWiv+3LaI9w8Vtczl99Bh2WiMDNDD
Gw0RQg6ZaftldLSe4j1pffpFGQ8SuisAAwUEAKVxqLT7fC5xQ6oclcZ+PhoDlePQ1BiTS7tu
GM07bFF4nNvY91LL7S31pooz3XbGSWP8jxzSv1Fw35YhSmWGOBOEXluqMbVQGJJ5m8fqJOjC
0imbfeWgr/T7zLrJeiljDxvX+6TyawyWQngF6v1Hq6FRV0O0bOp9Npt5zqCbDGs/iEYEGBEC
AAYFAj+dnTwACgkQtEJp0E8qb9L//gCcDVYnDegNCOxDn1sedDwxw+0h8OcAn1CZHof15Qqx
nTwEnvwF2QeOI5dn
=mJAx
-----END PGP PUBLIC KEY BLOCK-----

This output uses the same fields as every other package installed in the RPM database. The only exception is the descriptive part (Description), which carries the OpenPGP certificate in ASCII-armored Base64 form, produced through the beecrypt library as the Version: line of the block shows. The block can therefore be copied straight into a file and used to import the certificate again into an RPM database or into the keyring of GnuPG, PGP and the like.
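The following Python script is an added example; it is not code from the article, from rpm or from GnuPG. It takes the armored block printed above apart the way a practitioner would before running rpm --import (the procedure from section 2): it checks the armor framing and its CRC24 line, walks the OpenPGP packets, computes the v4 fingerprint, and shows where the package name from section 3 comes from (the key ID becomes the Version, the key's creation timestamp the Release). The key block is the Fedora Project key exactly as rpm printed it; the fingerprint to compare against must come from an independent channel, and the function names are the example's own.

```python
# Added example, not code from the article, rpm or GnuPG: inspect an ASCII-armored
# OpenPGP key before it goes into the RPM database. Checks the armor framing and its
# CRC24, walks the packets (RFC 4880 old-format headers, what rpm and GnuPG write for
# keys), computes the v4 fingerprint and derives the gpg-pubkey-<keyid>-<created> name.
import base64
import hashlib

# The Fedora Project key exactly as rpm -q --info printed it above.
FEDORA_KEY = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.3.3 (beecrypt-3.0.0)

mQGiBD+dnTsRBACwnlz4AhctOLlVBAsq+RaU82nb5P3bD1YJJpsAce1Ckd2sBUOJD11NUCqH
8c7EctOquOZ5zTcWxHiWWbLyKQwUw2SUvnWa5SSbi8kI8q9MTPsPvhwtgMrQMLenMO+nsrxr
SaG6XcD+ssfJNxC7NQVCQAj3pvvg9rKi3ygsM7CXHwCghgsqX6TOr55HE90DbEsoq3b/jjsD
/i8aIZ6urUgrpAkQslcakXdJLKgSdwjRUgVZgvYZb7kAx1iPq0t/AhB3NJw3zW4AAKJohGg3
xj5K4V8PJEZrSIpoRYlF43Kqlfu2p5ghWT89SP4YAlWPeTqf0+dTYUYz3b144k2ZFOdRuXIR
xunoYNAUr9oMrxBXbJ/eY+0UQX3pBACYzKizyY4JJgd0zFJmNkcdK9nzcm+btYFnYQo33w5G
SE686UNr+9yiXt9tmPRvNEbj3u+xoAX8B/5k3aZ5NbUhV64/VcKlUdRIxNlFCG7I9KgxeHWA
Ywi7yqOGXM3T/v6o7GLdQEB0ChFqS7kUlqmwLV+C3QhlrFe/Cuk26i+Q6rQiRmVkb3JhIFBy
b2plY3QgPGZlZG9yYUByZWRoYXQuY29tPohbBBMRAgAbBQI/nZ07BgsJCAcDAgMVAgMDFgIB
Ah4BAheAAAoJELRCadBPKm/S2PAAnRTlhorITphab+oxAHtbxZF9BVyDAJ9WOVaZUG53IWWI
AXOGv3j/cmr3lohGBBMRAgAGBQI/nZ22AAoJECGRgM3bQqYOR5QAoIp1G+omVktq/snxpmz5
UeHjlSYjAKCRr/ea/L7S7ZTxB18cf1TYfad1x4hGBBARAgAGBQI/ntjgAAoJECnVuiSN9W0F
USUAoJnrone4J0o1HMkRz+6g9KVuO2FyAJ0XyebOzVmI9U5OyOfnNmYV0wnQcrkBDQQ/nZ08
EAQAugOfLWJbKwMA9vg2mJU594TZU0HRJkx/fqYhx0YxWWRpzplrEyvcDXuYcWi1Hwh0tD86
T4fR5GV6joWiWClzD+Hwhhb6gcSdeSGlGLlZAvWYtFSHWiv+3LaI9w8Vtczl99Bh2WiMDNDD
Gw0RQg6ZaftldLSe4j1pffpFGQ8SuisAAwUEAKVxqLT7fC5xQ6oclcZ+PhoDlePQ1BiTS7tu
GM07bFF4nNvY91LL7S31pooz3XbGSWP8jxzSv1Fw35YhSmWGOBOEXluqMbVQGJJ5m8fqJOjC
0imbfeWgr/T7zLrJeiljDxvX+6TyawyWQngF6v1Hq6FRV0O0bOp9Npt5zqCbDGs/iEYEGBEC
AAYFAj+dnTwACgkQtEJp0E8qb9L//gCcDVYnDegNCOxDn1sedDwxw+0h8OcAn1CZHof15Qqx
nTwEnvwF2QeOI5dn
=mJAx
-----END PGP PUBLIC KEY BLOCK-----
"""
PUBLIC_KEY, USER_ID = 6, 13              # OpenPGP packet tags, RFC 4880 section 4.3

def crc24(data):
    crc = 0xB704CE                       # armor checksum, RFC 4880 section 6.1
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(armored):
    """Strip the armor, decode the Base64 body and verify the =XXXX checksum line."""
    lines = [l.strip() for l in armored.strip().splitlines()]
    if (lines[0], lines[-1]) != ("-----BEGIN PGP PUBLIC KEY BLOCK-----",
                                 "-----END PGP PUBLIC KEY BLOCK-----"):
        raise ValueError("not a single OpenPGP public key block")
    # Base64 never contains ':'; armor headers such as "Version:" always do.
    body = [l for l in lines[1:-1] if l and ":" not in l]
    want = None
    if body[-1].startswith("="):         # checksum line, optional only since RFC 9580
        want = int.from_bytes(base64.b64decode(body.pop()[1:]), "big")
    data = base64.b64decode("".join(body), validate=True)
    if want is not None and crc24(data) != want:
        raise ValueError("armor CRC24 mismatch: the block was altered or truncated")
    return data

def packets(data):
    """Yield (tag, body) per packet; new-format and indeterminate-length headers are refused."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        if (first & 0xC0) != 0x80 or (first & 0x03) == 3:
            raise ValueError("unsupported packet header 0x%02x at offset %d" % (first, pos))
        tag, hdr = (first >> 2) & 0x0F, (2, 3, 5)[first & 0x03]
        length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        yield tag, body
        pos += hdr + length

def describe_key(armored):
    """Fingerprint, key ID, creation time, user IDs and the name rpm gives the key."""
    pkts = list(packets(dearmor(armored)))
    tag, body = pkts[0]
    if tag != PUBLIC_KEY or body[0] != 4:
        raise ValueError("expected a v4 public key packet first")
    created = int.from_bytes(body[1:5], "big")           # seconds since the epoch
    # v4 fingerprint: SHA-1 over 0x99, the two-byte body length and the body itself
    fpr = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest()
    return {
        "fingerprint": fpr.upper(),
        "keyid": fpr[-8:],                               # rpm's Version field
        "created": created,                              # rpm's Release field, in hex
        "algorithm": body[5],                            # 17 = DSA, 1 = RSA, 16 = Elgamal
        "uids": [b.decode("utf-8", "replace") for t, b in pkts if t == USER_ID],
        "rpm_package": "gpg-pubkey-%s-%08x" % (fpr[-8:], created),
    }

def fingerprint_matches(armored, pinned):
    """Compare with a fingerprint obtained out of band; spacing and case are ignored."""
    return describe_key(armored)["fingerprint"] == pinned.replace(" ", "").upper()
```

To follow the procedure from section 2, download the key file as an unprivileged user, call describe_key on its text to see what it really is, check fingerprint_matches against the value obtained out of band, and only then run rpm --import as root. The CRC24 line catches accidental corruption only; it is the fingerprint comparison that stands in for the Web of Trust check.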

  • viewing the contents of an installed OpenPGP certificate with the yum tool

Viewing the contents of an OpenPGP certificate installed in the RPM database with the yum tool also begins by choosing a certificate of a particular version. Then a command line of this type is run:

$ yum info gpg-pubkey-4f2a6fd2-3f9d9d3b

The result looks like this:

Setting up repositories
Reading repository metadata in from local files
Installed Packages
Name : gpg-pubkey
Arch : None
Version: 4f2a6fd2
Release: 3f9d9d3b
Size : 0.0
Repo : installed
Summary: gpg(Fedora Project )

Description:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.3.3 (beecrypt-3.0.0)
[same Base64 key block as in the rpm -q --info output above]
=mJAx
-----END PGP PUBLIC KEY BLOCK-----

Here too, as with the output from the rpm tool, the descriptive part of the package contains the Base64 representation of the OpenPGP certificate in a block that can be used for later imports into an RPM database or into the keyring of programs such as GnuPG, PGP and others.

5. Removing an installed OpenPGP certificate from the RPM database.

Removing an OpenPGP certificate from the RPM database may be necessary when the certificate will no longer be used or has been compromised in some way. The RPM package system has no tooling of its own to track the status of an OpenPGP certificate. Such tracking can be done, for example, by periodically checking for revocation certificates issued for the OpenPGP certificate in question, which would indicate its compromise; gpg (for instance gpg --refresh-keys against a key server) can serve as the tool for this. Until the key is removed from the RPM database, rpm keeps accepting packages signed with it, revoked or not.

Like placing a certificate, removing one can be done with either the rpm or the yum tool.

  • removing an installed OpenPGP certificate with the rpm tool

The version of the package by which the OpenPGP certificate is represented in the RPM database must always be specified: plain "rpm -e gpg-pubkey" is refused when more than one key is installed, because the name alone matches several packages. Once the version is known, the certificate can be removed with a command line of this structure:

# rpm -e gpg-pubkey-4f2a6fd2-3f9d9d3b

  • removing an installed OpenPGP certificate with the yum tool

Here too the version of the package representing the OpenPGP certificate in the RPM database must be specified. Once it is known, the certificate can be removed with a command line of the form:

# yum remove gpg-pubkey-4f2a6fd2-3f9d9d3b

As an intermediate result, information about the package to be removed is shown along with a prompt to confirm the operation:

Setting up Remove Process
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Package gpg-pubkey.None 0:4f2a6fd2-3f9d9d3b set to be erased
--> Running transaction check

Dependencies Resolved

=============================================================================
Package Arch Version Repository Size
=============================================================================
Removing:
gpg-pubkey None 4f2a6fd2-3f9d9d3b installed 0.0

Transaction Summary
=============================================================================
Install 0 Package(s)
Update 0 Package(s)
Remove 1 Package(s)
Total download size: 0
Is this ok [y/N]:

After the operation is confirmed (with "y") the package, that is the OpenPGP certificate, is removed from the RPM database.

6. Verifying the digital signature on a file containing an RPM package.

Before it is installed on the system, every RPM package is a file with the extension .rpm. Every such file can be checked for authenticity by verifying the digital signature made over its contents: the header and the payload, the latter being a compressed cpio archive inside the RPM file.

To carry out the check, the OpenPGP certificate of the person or organization that signed the package must be available and installed in the RPM database. It is not always possible to know in advance which OpenPGP certificate the contents of a given RPM file should be checked against; sometimes this can only be found out by trying the check. If the check shows that the OpenPGP certificate needed to verify the signature on the RPM file is not present in the RPM database, it has to be placed there (after its authenticity has been established, as described in section 2), and the check is then repeated.

Here is how the check is performed on the command line with the rpm tool, at different levels of detail in the result:

  • first level of detail

This level of detail is obtained by using only the option "--checksig" (short form "-K"). Example:

$ rpm --checksig stunnel-4.05-3.i386.rpm

The output of the command above looks similar to

stunnel-4.05-3.i386.rpm: (sha1) dsa sha1 md5 gpg OK

This level of detail only reports the overall result of the check, without telling the caller anything more. The status "OK" indicates that the digital signature on the package contents verified successfully. Two details of this line matter in practice. First, each item (sha1, md5, gpg and so on) is printed in lower case when it passed and in upper case when it failed, and a failed check ends in "NOT OK". Second, an RPM file that carries no OpenPGP signature at all still reports "OK", because only its digests were checked, and rpm --checksig exits with status 0 for it; a script that relies on this command must therefore also insist that a gpg (or pgp) item appears in the line, or use yum with gpgcheck=1, which refuses unsigned packages. If the status is not "OK", move to a higher level of detail to see exactly where the problem is (for example, the OpenPGP certificate needed to verify the signature is not present in the RPM database, and so on).

  • second level of detail

The second level of detail is obtained by combining the options "-v" and "--checksig" of the rpm tool. A sample command line showing this level of detail when checking the digital signature on the contents of an RPM file is:

$ rpm -v --checksig stunnel-4.05-3.i386.rpm

The result of the check has the form:

stunnel-4.05-3.i386.rpm:
Header V3 DSA signature: OK, key ID 7ad14380
Header SHA1 digest: OK (29ae0d7847ec4efb29da645528727a66ceab0d7c)
MD5 digest: OK (806296bc49590670bf40d2d162612b47)

V3 DSA signature: OK, key ID 7ad14380

This result includes a flag for each stage of the check (each showing "OK" when it passed). It also shows the values of the respective digests and the hexadecimal identifier of the OpenPGP certificate used to verify the signature. The first line is the signature over the header alone and the last one the signature over header and payload together; the SHA1 and MD5 lines are plain digests, which protect against corruption in transit but not against deliberate substitution, since anyone can recompute them.

  • third level of detail

This level of detail uses the options "-vv" and "--checksig". It is the highest level of detail and, in addition to the information of the second level, shows the status of the operations that read the information from the database itself. To obtain this level of detail, a command line of the following form can be used:

$ rpm -vv --checksig stunnel-4.05-3.i386.rpm

After it runs, a result similar to the following is obtained:

D: Expected size: 119200 = lead(96)+sigs(344)+pad(0)+data(118760)
D: Actual size: 119200
D: opening db index /var/lib/rpm/Packages rdonly mode=0x0
D: locked db index /var/lib/rpm/Packages
D: opening db index /var/lib/rpm/Pubkeys rdonly mode=0x0
D: read h# 843 Header sanity check: OK
D: ========== DSA pubkey id 56d964ae7ad14380
stunnel-4.05-3.i386.rpm:
Header V3 DSA signature: OK, key ID 7ad14380
Header SHA1 digest: OK (29ae0d7847ec4efb29da645528727a66ceab0d7c)
MD5 digest: OK (806296bc49590670bf40d2d162612b47)
V3 DSA signature: OK, key ID 7ad14380
D: closed db index /var/lib/rpm/Pubkeys
D: closed db index /var/lib/rpm/Packages
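The following Python function is an added example, not code from the article or from rpm. It turns one line of rpm --checksig output (in the rpm 4.3/4.4 wording shown above) into a verdict a deployment script can act on, treating an unsigned package as unacceptable even though rpm itself reports "OK" for it. The sample lines other than the stunnel one are constructed to show the failure cases; the "MISSING KEYS" wording is what rpm of that era prints when the signing key is not in the database, and the function and constant names are the example's own.

```python
# Added example, not code from the article or rpm: turn one line of
# "rpm --checksig" output (rpm 4.3/4.4 wording, as shown above) into a verdict a
# deployment script can act on. Each item is printed in lower case when it passed
# and in upper case when it failed; a package with no OpenPGP signature still ends
# in "OK" because only its digests were checked, so "OK" alone is not enough.
import re

SIGNED_OK, UNSIGNED, MISSING_KEY, FAILED = "signed-ok", "unsigned", "missing-key", "failed"
SIGNATURE_ITEMS = {"gpg", "pgp", "signatures"}   # "signatures" is the rpm 4.14+ wording
MISSING = re.compile(r"MISSING KEYS:\s*[A-Za-z]+#([0-9A-Fa-f]+)")

def checksig_verdict(line):
    """Return (package, verdict, missing_key_id) for one rpm --checksig line."""
    package, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not a checksig line: %r" % line)
    package, rest = package.strip(), rest.strip()
    m = MISSING.search(rest)
    if m:                                  # signed, but the key is not in the RPM database
        return package, MISSING_KEY, m.group(1).lower()
    if not rest.endswith("OK") or rest.endswith("NOT OK"):
        return package, FAILED, None       # a digest or signature did not verify
    items = {t.strip("()").lower() for t in rest.split()[:-1]}
    if items & SIGNATURE_ITEMS:
        return package, SIGNED_OK, None
    return package, UNSIGNED, None         # digests fine, but nobody vouches for the file

def unsafe_packages(output):
    """Packages a deployment script must refuse: anything but a verified signature."""
    return [pkg for pkg, verdict, _ in map(checksig_verdict, output.strip().splitlines())
            if verdict != SIGNED_OK]

# Constructed sample: the stunnel line is the article's, the rest show the other cases.
SAMPLE_CHECKSIG = """\
stunnel-4.05-3.i386.rpm: (sha1) dsa sha1 md5 gpg OK
unsigned-1.0-1.noarch.rpm: sha1 md5 OK
foreign-2.1-4.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#7ad14380)
tampered-0.9-2.i386.rpm: (SHA1) DSA SHA1 MD5 GPG NOT OK
"""
```

The exit status of rpm --checksig is non-zero only for the failed and missing-key cases, so a script that checks the exit status alone lets the unsigned package through; the missing-key verdict carries the key ID so the operator knows which certificate to obtain, verify and import before repeating the check.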

7. Verifying the digital signature on an installed RPM package.

This check covers all the installed files of a given package. In the course of the check it can be established whether a file from the package has been changed, is missing or is damaged. All the information needed for the check is in the RPM database: rpm compares each file on disk with the attributes recorded there when the package was installed, so this is an integrity check against the stored package metadata rather than a fresh signature verification of the files themselves. An attacker with root privileges who has altered the database as well is not caught by it; for forensic use, compare against a copy of the RPM database taken from a known-good system (the --dbpath option points rpm at it). The check itself is performed with the rpm tool at three levels of detail. The output of the operation that checks the integrity and authenticity of the files in a package has three columns:

  column 1: status flags
  column 2: file type flag
  column 3: path to the file

The possible values of the flags in the first two columns are as follows (a dot in a status position means that attribute matches the database):

  • status flags
  • S - file size differs
  • M - file mode (permissions and type) differs
  • 5 - MD5 digest of the file differs
  • D - device major and minor numbers differ
  • L - symbolic link target differs
  • U - file owner differs
  • G - file group differs
  • T - last modification time differs
  • file type flags
  • c - configuration file
  • d - documentation
  • empty column for binaries and directories

Here are command-line examples of using the rpm tool to verify the authenticity and integrity of the files of installed packages at the different levels of detail:

  • first level of detail

The first level of detail is obtained by passing the option "--verify" (short form "-V") to the rpm tool:

# rpm --verify sendmail

At this level of detail output is produced only for files whose identity could not be confirmed; a package whose files all match prints nothing:

S.5....T c /etc/mail/access
S.5....T c /etc/mail/helpfile
S.5....T c /etc/mail/local-host-names
S.5....T c /etc/mail/mailertable
S.5....T c /etc/mail/sendmail.cf
S.5....T c /etc/mail/sendmail.mc
SM5....T c /etc/mail/submit.cf
S.5....T c /etc/mail/submit.mc
S.5....T c /etc/mail/virtusertable

  • second level of detail

For the second level of detail, in addition to "--verify", the rpm tool is given the option "-v":

# rpm -v --verify sendmail

At the second level of detail every file in the package is listed with its status flags and file type flag:

........ /etc/mail
........ c /etc/mail/Makefile
S.5....T c /etc/mail/access
........ c /etc/mail/domaintable
S.5....T c /etc/mail/helpfile
S.5....T c /etc/mail/local-host-names
S.5....T c /etc/mail/mailertable
S.5....T c /etc/mail/sendmail.cf
S.5....T c /etc/mail/sendmail.mc
SM5....T c /etc/mail/submit.cf
S.5....T c /etc/mail/submit.mc
........ c /etc/mail/trusted-users
S.5....T c /etc/mail/virtusertable
........ c /etc/pam.d/smtp.sendmail
........ c /etc/rc.d/init.d/sendmail
........ /etc/smrsh
........ c /etc/sysconfig/sendmail
........ /usr/bin/hoststat
........ /usr/bin/mailq.sendmail
........ /usr/bin/makemap
........ /usr/bin/newaliases.sendmail
........ /usr/bin/purgestat
........ /usr/bin/rmail.sendmail
........ c /usr/lib/sasl2/Sendmail.conf
........ /usr/lib/sendmail.sendmail
........ /usr/sbin/mailstats
........ /usr/sbin/makemap
........ /usr/sbin/praliases
........ /usr/sbin/sendmail.sendmail
........ /usr/sbin/smrsh
........ d /usr/share/man/man1/mailq.sendmail.1.gz
........ d /usr/share/man/man1/newaliases.sendmail.1.gz
........ d /usr/share/man/man5/aliases.sendmail.5.gz
........ d /usr/share/man/man8/mailstats.8.gz
........ d /usr/share/man/man8/makemap.8.gz
........ d /usr/share/man/man8/praliases.8.gz
........ d /usr/share/man/man8/rmail.8.gz
........ d /usr/share/man/man8/sendmail.sendmail.8.gz
........ d /usr/share/man/man8/smrsh.8.gz
........ c /var/log/mail/statistics
........ /var/spool/clientmqueue
........ /var/spool/mqueue

  • third level of detail

The third level of detail combines the options "--verify" and "-vv" of the rpm tool:

# rpm -vv --verify sendmail

At the third level of detail the output contains, in addition to the full list of the package's files with their status flags and file type flags, the debug trace of the database work: each package header read from the database while the dependencies are resolved is itself checked (the "Header V3 DSA signature: OK" lines), and every dependency is listed together with how it was satisfied:

D: opening db environment /var/lib/rpm/Packages joinenv
D: opening db index /var/lib/rpm/Packages rdonly mode=0x0
D: locked db index /var/lib/rpm/Packages
D: opening db index /var/lib/rpm/Name rdonly mode=0x0
D: opening db index /var/lib/rpm/Pubkeys rdonly mode=0x0
D: read h# 290 Header sanity check: OK
D: ========== DSA pubkey id 56d964ae7ad14380
D: read h# 768 Header V3 DSA signature: OK, key ID 7ad14380
D: ========== +++ sendmail-8.13.1-3.RHEL4.3 i386/linux 0x1
D: opening db index /var/lib/rpm/Depends create mode=0x0
D: opening db index /var/lib/rpm/Basenames rdonly mode=0x0
D: read h# 291 Header sanity check: OK
D: ========== DSA pubkey id 219180cddb42a60e
D: read h# 39 Header V3 DSA signature: OK, key ID db42a60e
D: Requires: /bin/bash YES (db files)
D: read h# 38 Header V3 DSA signature: OK, key ID db42a60e
D: Requires: /bin/mktemp YES (db files)
D: Requires: /bin/sh YES (db files)
D: Requires: /bin/sh YES (cached)
D: Requires: /bin/sh YES (cached)
D: Requires: /bin/sh YES (cached)
D: Requires: /bin/sh YES (cached)
D: ========== DSA pubkey id 56d964ae7ad14380
D: read h# 675 Header V3 DSA signature: OK, key ID 7ad14380
D: Requires: /usr/sbin/alternatives YES (db files)
D: read h# 679 Header V3 DSA signature: OK, key ID 7ad14380
D: Requires: /usr/sbin/useradd YES (db files)
D: opening db index /var/lib/rpm/Providename rdonly mode=0x0
D: Requires: bash >= 2.0 YES (db provides)
D: Requires: chkconfig >= 1.3 YES (db provides)
D: Requires: config(sendmail) = 8.13.1-3.RHEL4.3 YES (added provide)
D: Requires: config(sendmail) = 8.13.1-3.RHEL4.3 YES (db provides)
D: ========== DSA pubkey id 219180cddb42a60e
D: read h# 99 Header V3 DSA signature: OK, key ID db42a60e
D: Requires: cyrus-sasl YES (db provides)
D: ========== DSA pubkey id 56d964ae7ad14380
D: read h# 346 Header V3 DSA signature: OK, key ID 7ad14380
D: Requires: fileutils YES (db provides)
D: ========== DSA pubkey id 219180cddb42a60e
D: read h# 63 Header V3 DSA signature: OK, key ID db42a60e
D: Requires: gawk YES (db provides)
D: ========== DSA pubkey id 56d964ae7ad14380
D: read h# 763 Header V3 DSA signature: OK, key ID 7ad14380
D: Requires: libc.so.6 YES (db provides)
D: Requires: libc.so.6(GLIBC_2.0) YES (db provides)
D: Requires: libc.so.6(GLIBC_2.1) YES (db provides)
D: Requires: libc.so.6(GLIBC_2.1.3) YES (db provides)
D: Requires: libc.so.6(GLIBC_2.2) YES (db provides)
D: Requires: libc.so.6(GLIBC_2.3) YES (db provides)
D: Requires: libc.so.6(GLIBC_2.3.4) YES (db provides)
D: Requires: libcrypt.so.1 YES (db provides)
D: read h# 678 Header V3 DSA signature: OK, key ID 7ad14380
D: Requires: libcrypto.so.4 YES (db provides)
D: ========== DSA pubkey id 219180cddb42a60e
D: read h# 34 Header V3 DSA signature: OK, key ID db42a60e
D: Requires: libdb-4.2.so YES (db provides)
D: read h# 125 Header V3 DSA signature: OK, key ID db42a60e
D: Requires: libhesiod.so.0 YES (db provides)
D: ========== DSA pubkey id 56d964ae7ad14380
D: read h# 353 Header V3 DSA signature: OK, key ID 7ad14380
D: Requires: liblber-2.2.so.7 YES (db provides)
D: Requires: libldap-2.2.so.7 YES (db provides)
D: Requires: libnsl.so.1 YES (db provides)
D: Requires: libnsl.so.1(GLIBC_2.0) YES (db provides)
D: Requires: libresolv.so.2 YES (db provides)
D: Requires: libresolv.so.2(GLIBC_2.0) YES (db provides)
D: Requires: libresolv.so.2(GLIBC_2.2) YES (db provides)
D: Requires: libsasl2.so.2 YES (db provides)
D: Requires: libssl.so.4 YES (db provides)
D: ========== DSA pubkey id 219180cddb42a60e
D: read h# 169 Header V3 DSA signature: OK, key ID db42a60e
D: Requires: libwrap.so.0 YES (db provides)
D: Requires: openldap YES (db provides)
D: Requires: openssl YES (db provides)
D: read h# 154 Header V3 DSA signature: OK, key ID db42a60e
D: Requires: procmail YES (db provides)
D: Requires: rpmlib(CompressedFileNames) <= 3.0.4-1 YES (rpmlib provides)
D: Requires: rpmlib(PayloadFilesHavePrefix) <= 4.0-1 YES (rpmlib provides)
D: Requires: rpmlib(VersionedDependencies) <= 3.0.3-1 YES (rpmlib provides)
D: read h# 78 Header V3 DSA signature: OK, key ID db42a60e
D: Requires: sed YES (db provides)
D: ========== DSA pubkey id 56d964ae7ad14380
D: read h# 296 Header V3 DSA signature: OK, key ID 7ad14380
D: Requires: setup >= 2.5.31-1 YES (db provides)
D: Requires: sh-utils YES (db provides)
D: opening db index /var/lib/rpm/Conflictname rdonly mode=0x0
D: closed db index /var/lib/rpm/Depends
........ /etc/mail
........ c /etc/mail/Makefile
S.5....T c /etc/mail/access
........ c /etc/mail/domaintable
S.5....T c /etc/mail/helpfile
S.5....T c /etc/mail/local-host-names
S.5....T c /etc/mail/mailertable
S.5....T c /etc/mail/sendmail.cf
S.5....T c /etc/mail/sendmail.mc
SM5....T c /etc/mail/submit.cf
S.5....T c /etc/mail/submit.mc
........ c /etc/mail/trusted-users
S.5....T c /etc/mail/virtusertable
........ c /etc/pam.d/smtp.sendmail
........ c /etc/rc.d/init.d/sendmail
........ /etc/smrsh
........ c /etc/sysconfig/sendmail
........ /usr/bin/hoststat
........ /usr/bin/mailq.sendmail
........ /usr/bin/makemap
........ /usr/bin/newaliases.sendmail
........ /usr/bin/purgestat
........ /usr/bin/rmail.sendmail
........ c /usr/lib/sasl2/Sendmail.conf
........ /usr/lib/sendmail.sendmail
........ /usr/sbin/mailstats
........ /usr/sbin/makemap
........ /usr/sbin/praliases
........ /usr/sbin/sendmail.sendmail
........ /usr/sbin/smrsh
........ d /usr/share/man/man1/mailq.sendmail.1.gz
........ d /usr/share/man/man1/newaliases.sendmail.1.gz
........ d /usr/share/man/man5/aliases.sendmail.5.gz
........ d /usr/share/man/man8/mailstats.8.gz
........ d /usr/share/man/man8/makemap.8.gz
........ d /usr/share/man/man8/praliases.8.gz
........ d /usr/share/man/man8/rmail.8.gz
........ d /usr/share/man/man8/sendmail.sendmail.8.gz
........ d /usr/share/man/man8/smrsh.8.gz
........ c /var/log/mail/statistics
........ /var/spool/clientmqueue
........ /var/spool/mqueue
D: closed db index /var/lib/rpm/Pubkeys
D: closed db index /var/lib/rpm/Conflictname
D: closed db index /var/lib/rpm/Providename
D: closed db index /var/lib/rpm/Basenames
D: closed db index /var/lib/rpm/Name
D: closed db index /var/lib/rpm/Packages
D: closed db environment /var/lib/rpm/Packages
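The following Python script is an added example, not code from the article or from rpm. It triages rpm --verify output from any of the three levels above (the "D:" debug lines of -vv are skipped), separating the expected drift of locally edited configuration files from changes that look like tampering: a changed digest, mode or owner on a binary or library, or a file that has gone missing. The sample mixes lines taken from the article with constructed ones for the suspicious cases; the function names and the classification rule are the example's own.

```python
# Added example, not code from the article or rpm: triage "rpm --verify" output,
# including the -vv form above (its "D:" debug lines are skipped). Each file line is
# <flags> <type> <path>; a dot means the attribute matches the RPM database and a
# letter names what differs. Locally edited configuration files (type c) normally
# differ in size, digest and mtime. A changed digest, mode or owner on anything
# else, or a missing file, is what a trojaned binary looks like and deserves a look.
import re

FLAGS = {"S": "size", "M": "mode", "5": "md5", "D": "device", "L": "link",
         "U": "user", "G": "group", "T": "mtime", "P": "caps"}   # P: 9th column in newer rpm
LINE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+"
                  r"(?:(?P<type>[cdglr])\s+)?(?P<path>/\S+)$")

def parse_verify_line(line):
    """Dict with path, type, changed (attribute names) and missing; None for non-file lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    flags = m.group("flags")
    return {"path": m.group("path"), "type": m.group("type") or "",
            "missing": flags == "missing",
            "changed": {FLAGS[c] for c in flags if c in FLAGS}}

def suspicious(entry):
    """True for changes that an administrator editing configuration does not explain."""
    if entry["missing"]:
        return True                          # files do not vanish from an intact package
    if entry["type"] == "c":
        return bool(entry["changed"] & {"mode", "user", "group", "device", "link", "caps"})
    return bool(entry["changed"])            # any change to a binary, library or doc

def triage(output):
    """Split rpm --verify output into (suspicious paths, expected config drift)."""
    sus, drift = [], []
    for line in output.splitlines():
        entry = parse_verify_line(line)
        if entry is None or not (entry["changed"] or entry["missing"]):
            continue                         # debug line, or a file that matches the database
        (sus if suspicious(entry) else drift).append(entry["path"])
    return sus, drift

# Constructed sample: the sendmail config lines and the debug lines are the article's;
# the sendmail binary, init script, smrsh and library lines are made up for the cases.
SAMPLE_VERIFY = """\
D: opening db index /var/lib/rpm/Packages rdonly mode=0x0
D: read h# 768 Header V3 DSA signature: OK, key ID 7ad14380
S.5....T c /etc/mail/access
........ c /etc/mail/domaintable
SM5....T c /etc/mail/submit.cf
S.5....T   /usr/sbin/sendmail.sendmail
.M...... c /etc/rc.d/init.d/sendmail
missing    /usr/sbin/smrsh
......G.   /usr/lib/sendmail.sendmail
........ d /usr/share/man/man8/smrsh.8.gz
"""
```

Run rpm -Va through triage to sweep a whole system; the drift list is the administrator's own edits, while everything in the suspicious list should be compared against a freshly downloaded and signature-verified copy of the package before the system is trusted again.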


