This post will help you find answers to the questions below:
How to check rpm integrity?
How to check rpm authenticity?
How to check rpm digital signature?
What is gpgcheck?
Let's take the rpm package below as an example and see how to verify that it is a genuine package.
[root@localhost tmp]# ls -l vsftpd-2.2.2-11.el6.x86_64.rpm
-r--r--r--. 1 root root 154392 Jan 27 10:27 vsftpd-2.2.2-11.el6.x86_64.rpm
[root@localhost tmp]#
There are multiple ways to verify it.
1. Verify using rpm
[root@localhost tmp]# rpm -q vsftpd
package vsftpd is not installed
[root@localhost tmp]#
[root@localhost tmp]# rpm -K vsftpd-2.2.2-11.el6.x86_64.rpm
vsftpd-2.2.2-11.el6.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#fd431d51)
[root@localhost tmp]#
If you want to see more details, use the -vv option as below:
[root@localhost tmp]# rpm -vvK vsftpd-2.2.2-11.el6.x86_64.rpm
D: loading keyring from pubkeys in /var/lib/rpm/pubkeys/*.key
D: couldn't find any keys in /var/lib/rpm/pubkeys/*.key
D: loading keyring from rpmdb
D: opening db environment /var/lib/rpm cdb:mpool:joinenv
D: opening db index /var/lib/rpm/Packages rdonly mode=0x0
D: locked db index /var/lib/rpm/Packages
D: opening db index /var/lib/rpm/Name rdonly mode=0x0
D: Expected size: 154392 = lead(96)+sigs(1284)+pad(4)+data(153008)
D: Actual size: 154392
vsftpd-2.2.2-11.el6.x86_64.rpm:
Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Header SHA1 digest: OK (8a138ba815b97261bb219862aa693cb71997716c)
V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
MD5 digest: OK (c15108a9cdc65ef530c45309fec98c63)
D: closed db index /var/lib/rpm/Name
D: closed db index /var/lib/rpm/Packages
D: closed db environment /var/lib/rpm
[root@localhost tmp]#
The output of both commands shows that the package carries a signature (key ID fd431d51), but the public key needed to verify it is not in the RPM database (NOKEY / MISSING KEYS).
All the signing keys provided by Red Hat are stored in the directory below:
[root@localhost tmp]# cd /etc/pki/rpm-gpg/
[root@localhost rpm-gpg]# ls
RPM-GPG-KEY-redhat-beta RPM-GPG-KEY-redhat-legacy-former RPM-GPG-KEY-redhat-legacy-release RPM-GPG-KEY-redhat-legacy-rhx RPM-GPG-KEY-redhat-release
[root@localhost rpm-gpg]#
So import the main GPG key:
[root@localhost rpm-gpg]# rpm --import RPM-GPG-KEY-redhat-release
[root@localhost rpm-gpg]# rpm -K /tmp/vsftpd-2.2.2-11.el6.x86_64.rpm
/tmp/vsftpd-2.2.2-11.el6.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
[root@localhost rpm-gpg]#
[root@localhost rpm-gpg]# rpm -vvK /tmp/vsftpd-2.2.2-11.el6.x86_64.rpm
D: loading keyring from pubkeys in /var/lib/rpm/pubkeys/*.key
D: couldn't find any keys in /var/lib/rpm/pubkeys/*.key
D: loading keyring from rpmdb
D: opening db environment /var/lib/rpm cdb:mpool:joinenv
D: opening db index /var/lib/rpm/Packages rdonly mode=0x0
D: locked db index /var/lib/rpm/Packages
D: opening db index /var/lib/rpm/Name rdonly mode=0x0
D: read h# 1113 Header sanity check: OK
D: added key gpg-pubkey-fd431d51-4ae0493b to keyring
D: read h# 1114 Header sanity check: OK
D: added key gpg-pubkey-2fa658e0-45700c69 to keyring
D: Using legacy gpg-pubkey(s) from rpmdb
D: Expected size: 154392 = lead(96)+sigs(1284)+pad(4)+data(153008)
D: Actual size: 154392
/tmp/vsftpd-2.2.2-11.el6.x86_64.rpm:
Header V3 RSA/SHA256 Signature, key ID fd431d51: OK
Header SHA1 digest: OK (8a138ba815b97261bb219862aa693cb71997716c)
V3 RSA/SHA256 Signature, key ID fd431d51: OK
MD5 digest: OK (c15108a9cdc65ef530c45309fec98c63)
D: closed db index /var/lib/rpm/Name
D: closed db index /var/lib/rpm/Packages
D: closed db environment /var/lib/rpm
[root@localhost rpm-gpg]#
The output of both commands now shows that the package signature verifies against key ID fd431d51 and the digests are OK. That means it is a genuine package, so you can go ahead with the installation and use it as required.
Command to list the imported GPG keys:
[root@localhost rpm-gpg]# rpm -qa |grep gpg
gpgme-1.1.8-3.el6.x86_64
gpg-pubkey-2fa658e0-45700c69
libgpg-error-1.7-4.el6.x86_64
pygpgme-0.1-18.20090824bzr68.el6.x86_64
gpg-pubkey-fd431d51-4ae0493b
[root@localhost rpm-gpg]#
Command to remove a signing key if it is not required:
[root@localhost rpm-gpg]# rpm -e gpg-pubkey-2fa658e0-45700c69
[root@localhost rpm-gpg]# rpm -e gpg-pubkey-fd431d51-4ae0493b
[root@localhost rpm-gpg]# rpm -qa |grep gpg
gpgme-1.1.8-3.el6.x86_64
libgpg-error-1.7-4.el6.x86_64
pygpgme-0.1-18.20090824bzr68.el6.x86_64
[root@localhost rpm-gpg]#
2. Verify rpm integrity using yum
[root@localhost tmp]# yum list vsftpd
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Repository 'my' is missing name in configuration, using id
Repository 'extra' is missing name in configuration, using id
extra | 1.5 kB 00:00 ...
my | 3.9 kB 00:00 ...
Available Packages
vsftpd.x86_64 2.2.2-11.el6_4.1 extra
[root@localhost tmp]#
[root@localhost rpm-gpg]# vim /etc/yum.repos.d/my.repo
[my]
baseurl=file:///media/RHEL_6.4\ x86_64\ Disc\ 1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
At this point no GPG key has been imported, but as soon as you install a package for the first time, yum imports the key named by gpgkey.
[root@localhost rpm-gpg]# rpm -qa |grep gpg
gpgme-1.1.8-3.el6.x86_64
libgpg-error-1.7-4.el6.x86_64
pygpgme-0.1-18.20090824bzr68.el6.x86_64
[root@localhost rpm-gpg]#
[root@localhost rpm-gpg]# yum install vsftpd
...........................
Total download size: 151 k
Installed size: 331 k
Is this ok [y/N]: y
Downloading Packages:
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Importing GPG key 0xFD431D51:
Userid : Red Hat, Inc. (release key 2) <security@redhat.com>
Package: redhat-release-server-6Server-6.4.0.4.el6.x86_64 (@anaconda-RedHatEnterpriseLinux-201301301459.x86_64/6.4)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Importing GPG key 0x2FA658E0:
Userid : Red Hat, Inc. (auxiliary key) <security@redhat.com>
Package: redhat-release-server-6Server-6.4.0.4.el6.x86_64 (@anaconda-RedHatEnterpriseLinux-201301301459.x86_64/6.4)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
Installing : vsftpd-2.2.2-11.el6_4.1.x86_64 1/1
Verifying : vsftpd-2.2.2-11.el6_4.1.x86_64 1/1
Installed:
vsftpd.x86_64 0:2.2.2-11.el6_4.1
Complete!
[root@localhost rpm-gpg]#
In addition, before installing any package we should also inspect its pre- and post-install scriptlets, because extra lines of code are sometimes added to them.
How to check:
[root@localhost ~]# rpm -qi --scripts /tmp/vsftpd-2.2.2-11.el6.x86_64.rpm
package /tmp/vsftpd-2.2.2-11.el6.x86_64.rpm is not installed
[root@localhost ~]#
The -q option only queries installed packages, so for a package file we have to add the -p option.
[root@localhost ~]# rpm -pqi --scripts /tmp/vsftpd-2.2.2-11.el6.x86_64.rpm
Name : vsftpd Relocations: (not relocatable)
Version : 2.2.2 Vendor: Red Hat, Inc.
Release : 11.el6 Build Date: Fri 02 Mar 2012 06:12:21 PM IST
Install Date: (not installed) Build Host: x86-001.build.bos.redhat.com
Group : System Environment/Daemons Source RPM: vsftpd-2.2.2-11.el6.src.rpm
Size : 339284 License: GPLv2 with exceptions
Signature : RSA/8, Wed 09 May 2012 04:03:40 PM IST, Key ID 199e2f91fd431d51
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL : http://vsftpd.beasts.org/
Summary : Very Secure Ftp Daemon
Description :
vsftpd is a Very Secure FTP daemon. It was written completely from
scratch.
postinstall scriptlet (using /bin/sh):
/sbin/chkconfig --add vsftpd
preuninstall scriptlet (using /bin/sh):
if [ $1 = 0 ]; then
/sbin/service vsftpd stop > /dev/null 2>&1
/sbin/chkconfig --del vsftpd
fi
[root@localhost ~]#
If the package is already installed and you want its information together with its pre/post install scripts:
[root@localhost ~]# rpm -qi --scripts <package name>
[root@localhost ~]# rpm -qi --scripts setup
Name : setup Relocations: (not relocatable)
Version : 2.8.14 Vendor: Red Hat, Inc.
Release : 20.el6 Build Date: Tue 02 Oct 2012 07:23:59 PM IST
Install Date: Mon 03 Dec 2018 05:51:17 PM IST Build Host: ppc-007.build.bos.redhat.com
Group : System Environment/Base Source RPM: setup-2.8.14-20.el6.src.rpm
Size : 665890 License: Public Domain
Signature : RSA/8, Tue 09 Oct 2012 11:57:56 AM IST, Key ID 199e2f91fd431d51
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL : https://fedorahosted.org/setup/
Summary : A set of system configuration and setup files
Description :
The setup package contains a set of important system configuration and
setup files, such as passwd, group, and profile.
postinstall scriptlet (using <lua>):
for i, name in ipairs({"passwd", "shadow", "group", "gshadow"}) do
os.remove("/etc/"..name..".rpmnew")
end
[root@localhost ~]#
So what is the correct approach to installing a package on a system?
1. Check the rpm signature
[root@localhost ~]# rpm -K /tmp/vsftpd-2.2.2-11.el6.x86_64.rpm
/tmp/vsftpd-2.2.2-11.el6.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
[root@localhost ~]#
We can see the md5 OK status, but we still should not install the package on that basis alone, because an untrusted GPG key may have been imported accidentally or otherwise.
2. Check the pre/post install scripts
[root@localhost ~]# rpm -pq --scripts /tmp/vsftpd-2.2.2-11.el6.x86_64.rpm
postinstall scriptlet (using /bin/sh):
/sbin/chkconfig --add vsftpd
preuninstall scriptlet (using /bin/sh):
if [ $1 = 0 ]; then
/sbin/service vsftpd stop > /dev/null 2>&1
/sbin/chkconfig --del vsftpd
fi
[root@localhost ~]#
Only if both checks are OK should we proceed with the installation.
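As an added example (not code from the original post), the shell script below ties the checks above together: it parses rpm -vvK output and passes only when the signature verified against an explicitly trusted key ID, lists the keys already imported into the rpmdb so an unexpected one stands out, and dumps the scriptlets for review. The TRUSTED_KEY_IDS allowlist, the function names and the script file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Gates an install on the checks
# the post walks through. TRUSTED_KEY_IDS is an assumption (the release key
# ID fd431d51 seen in the post); adjust it for your environment.
TRUSTED_KEY_IDS="fd431d51"

# Read `rpm -vvK <file>` output on stdin. Returns 0 only when no signature or
# digest line reports NOKEY / NOT OK / BAD and at least one signature line
# verified OK against a key ID listed in TRUSTED_KEY_IDS. A plain "md5 OK" from
# `rpm -K` is deliberately not enough: it says nothing about which key signed.
check_sig_output() {
    trusted=0
    while IFS= read -r line; do
        case "$line" in
            "D: "*) continue ;;                         # rpm -vv debug chatter
            *NOKEY*|*"NOT OK"*|*BAD*) echo "FAIL: $line" >&2; return 1 ;;
            *"key ID "*": OK")
                kid=${line##*"key ID "}                  # -> "fd431d51: OK"
                kid=${kid%%:*}
                for t in $TRUSTED_KEY_IDS; do
                    [ "$kid" = "$t" ] && trusted=1
                done ;;
        esac
    done
    [ "$trusted" -eq 1 ] || { echo "FAIL: no signature by a trusted key" >&2; return 1; }
}

# List keys imported into the rpmdb and flag any outside the allowlist (the
# "accidentally imported an untrusted gpg key" case from the post).
audit_imported_keys() {
    rpm -q gpg-pubkey --qf '%{VERSION} %{SUMMARY}\n' 2>/dev/null |
    while read -r kid summary; do
        case " $TRUSTED_KEY_IDS " in
            *" $kid "*) echo "trusted  $kid  $summary" ;;
            *)          echo "UNKNOWN  $kid  $summary  (review; rpm -e gpg-pubkey-$kid)" ;;
        esac
    done
}

# Full gate for one package file: signature, then scriptlets for manual review.
verify_rpm_file() {
    rpm -vvK "$1" 2>&1 | check_sig_output || return 1
    echo "== scriptlets in $1 (review before installing) =="
    rpm -qp --scripts "$1"
}

# Usage: sh verify_rpm.sh /tmp/vsftpd-2.2.2-11.el6.x86_64.rpm
[ $# -eq 0 ] || { audit_imported_keys; verify_rpm_file "$1"; }
```

With no argument the script only defines the functions, so it can be sourced; the rpm-based functions need a host with rpm installed.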