Podepisovani a kontrola RPM baliku pomoci GPG V soucasne dobe je jednoznacne nejlepsi pouzivat GPG (balicky gnupg-1.0.1-3.i386.rpm, gnupg-modules-1.1-3.i386.rpm). Pomoci dodatecnych modulu je mozno s GPG zprovoznit i algoritmy, ktere nejsou z licencnich duvodu v zakladni sade (IDEA, RSA). GPG je pomoci techto externich modulu zpetne kompatibilni jak s PGPv2, tak s PGPv5 (oboje non-free). Zakladem podepisovani je asimetricka sifra, coz znamena, ze existuje vzdy dvojice klicu (verejny a soukromy), pomoci kterych se koduje. Soukromy klic se chrani jeste frazi (ovykle delsi heslo), ktera jej chrani pred zneuzitim (i pres to by jste o nej meli dobre pecovat). Novou dvojici klicu vytvorime pomoci parametru --gen-key [huzva@monkey huzva]$ gpg --gen-key gpg (GnuPG) 1.0.1; Copyright (C) 1999 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. gpg: /home/huzva/.gnupg/secring.gpg: keyring created gpg: /home/huzva/.gnupg/pubring.gpg: keyring created Please select what kind of key you want: (1) DSA and ElGamal (default) (2) DSA (sign only) (4) ElGamal (sign and encrypt) Your selection? 1 DSA keypair will have 1024 bits. About to generate a new ELG-E keypair. minimum keysize is 768 bits default keysize is 1024 bits highest suggested keysize is 2048 bits What keysize do you want? (1024) Requested keysize is 1024 bits Please specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) Key does not expire at all Is this correct (y/n)? y You need a User-ID to identify your key; the software constructs the user id from Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) " Real name: Rene Huzva Email address: rene.huzva@spsselib.hiedu.cz Comment: You selected this USER-ID: "Rene Huzva " Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o You need a Passphrase to protect your secret key. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. .+++++.++++++++++.++++++++++++++++++++++++++++++++++++++++..++++++++++.+++++.+++++++++++++++.++++++++++.+++++.++++++++++.++++++++++++++++++++>++++++++++................>+++++.+++++ We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. +++++++++++++++.++++++++++.++++++++++.++++++++++++++++++++.+++++++++++++++.+++++++++++++++...++++++++++.++++++++++.+++++++++++++++.++++++++++>+++++...............>.+++++.................<+++++.......>+++++.......<+++++.>+++++.................................................................................<+++++.>.+++++...............<.+++++...>+++++..<+++++.......+++++^^^^ public and secret key created and signed. [huzva@monkey huzva]$ Pak vytvorime konfiguracni soubor pro RPM, ktery muze vypadat treba takhle: [root@monkey /root]# cat .rpmmacros %_signature gpg %_gpg_path /root/.gnupg %_gpg_name Rena Huzva [root@monkey /root]# Balicek muzeme podepsat pri generovani nebo dodatecne. Pri dodatecnem podepisovani je rozdil mezi pridanim sveho klice (--addsign) a nahrazenim vsech soucasnych klicu svym (--resign). Pr: rpm --resig balik*.rpm rpm --addsign jiny-balik.rpm rpm -ba --sign SPEC/balik.spec Pokud chcete zverejnit svuj verejny klic, musite jej exportovat do ASCII podoby: gpg -a --export Importovat cizi verejne klice, abyste mohli kontrolovat baliky: gpg --import soubor_s_klicem A pak kontrolovat pomoci RPM: rpm -K balik.rpm -- Milan Kerslager