3.2. Digital Signatures for RHN Packages

All packages distributed through RHN should carry a digital signature. A digital signature is created with a unique private key and verified with the corresponding public key. After a package is built, its SRPM (Source RPM) and RPM can be digitally signed with a GnuPG key. Before the package is installed, the public key is used to verify that the package was signed by a trusted party and that it has not changed since it was signed.

3.2.1. Generating a GnuPG Keypair

A GnuPG keypair consists of the private and public keys. To generate a keypair:
  1. Type the following command as the root user on the shell prompt:
    gpg --gen-key
    Executing this command as a non-root user will show the following message:
    gpg: Warning: using insecure memory!
    
    This warning appears because non-root users cannot lock memory pages. Since users should never give their private GnuPG key or passphrase to anyone else, generating the keypair as root is recommended: root can lock memory pages, so the key material is never swapped out to disk.
  2. After executing the command to generate a keypair, an introductory screen containing key options similar to the following will appear:
    gpg (GnuPG) 1.2.6; Copyright (C) 2004 Free Software Foundation, Inc.
    This program comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it
    under certain conditions. See the file COPYING for details.

    Please select what kind of key you want:
       (1) DSA and ElGamal (default)
       (2) DSA (sign only)
       (4) RSA (sign only)
    Your selection?

  3. Accept the default option, (1) DSA and ElGamal. This creates a DSA key for signing and an ElGamal subkey for encryption and decryption. Type 1 and then press Enter.
  4. Choose the key size in bits. The longer the key, the more resistant the signatures are to attack. A key of at least 1024 bits is recommended.
  5. Next, specify how long the key should remain valid. When choosing an expiration date, remember that everyone using the public key must be told about the expiration and supplied with a new public key. Not setting an expiration date is recommended. If you do not specify one, you are asked to confirm your decision:
    Key does not expire at all
    Is this correct (y/n)?

  6. Press y to confirm your decision.
  7. Provide a User-ID containing your name, your email address, and an optional comment. Each of these is requested individually. When finished, you are presented with a summary of the information you entered.
  8. Accept your choices and enter a passphrase.

    Note

    Like your account passwords, a good passphrase is essential for optimal security in GnuPG. Mix your passphrase with uppercase and lowercase letters, use numbers, and/or include punctuation marks.
  9. Once you enter and verify your passphrase, the keys are generated. A message similar to the following appears:
    We need to generate a lot of random bytes. It is a good idea to perform some
    other action (type on the keyboard, move the mouse, utilize the disks)
    during the prime generation; this gives the random number generator a
    better chance to gain enough entropy.

    +++++.+++++.++++++++....++++++++++..+++++.+++++.+++++++.+++++++ +++.
    ++++++++++++++++++++++++++++++++++++++..........................++++

    When the activity on the screen ceases, your new keys are placed in the directory .gnupg in root's home directory. This is the default location of keys generated by the root user.
To list the root user's keys, use the command:
gpg --list-keys
The output is similar to the following:
/root/.gnupg/pubring.gpg
------------------------
pub  1024D/B7085C8A 2002-02-18 Your Name <you@example.com>
sub  1024g/E12AF9C4 2002-02-18
To retrieve the public key, use the following command:
gpg --export -a 'Your Name' > public_key.txt
The public key is written to the file public_key.txt.
This public key is quite important. It's the key that must be deployed to all client systems that receive custom software through up2date. Techniques for deploying this key across an organization are covered in the Red Hat Network Client Configuration Guide.
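As an added check that is not part of this guide: the following Python parses `gpg --list-keys` output in the layout shown above and flags signing keys that fall short of this section's recommendations (a primary key that cannot sign, fewer than the recommended 1024 bits, or an expiration date that every client must be told about). The sample listing, its second key and the `[expires: ...]` annotation are constructed for the example; the `min_bits` and `today` parameters are the example's own, with `min_bits` defaulting to the guide's 1024-bit recommendation.

```python
import re
# Constructed sample of `gpg --list-keys` output. The first key copies the guide's
# listing (GnuPG 1.2 prints the user ID on the pub line); the second key, its 768-bit
# size, separate uid line and "[expires: ...]" note are made up to exercise the checks.
SAMPLE_LISTING = """\
pub  1024D/B7085C8A 2002-02-18 Your Name <you@example.com>
sub  1024g/E12AF9C4 2002-02-18

pub  768D/0A1B2C3D 2003-05-01 [expires: 2004-05-01]
uid                  Build Robot <build@example.com>
"""

# "1024D/B7085C8A 2002-02-18" = size, algorithm letter, short key ID, creation date.
KEY_LINE = re.compile(
    r"^(?P<kind>pub|sub)\s+(?P<bits>\d+)(?P<algo>[A-Za-z])/(?P<keyid>[0-9A-Fa-f]{8})"
    r"\s+\d{4}-\d{2}-\d{2}(?:\s+\[expires:\s*(?P<expires>\d{4}-\d{2}-\d{2})\])?(?P<rest>.*)$"
)
SIGNING_ALGOS = {"D", "R"}  # D = DSA, R = RSA; lowercase g = ElGamal encrypt-only subkey

def parse_listing(text):
    """Group each 'pub' line with its user IDs and 'sub' lines into one record."""
    keys, current = [], None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            rec = {"bits": int(m["bits"]), "algo": m["algo"], "keyid": m["keyid"].upper(),
                   "expires": m["expires"], "uids": [], "subkeys": []}
            if m["kind"] == "pub":
                current = rec
                keys.append(rec)
                if m["rest"].strip():  # user ID on the pub line (GnuPG 1.2 layout)
                    rec["uids"].append(m["rest"].strip())
            elif current is not None:
                current["subkeys"].append(rec)
        elif line.startswith("uid") and current is not None:  # GnuPG 1.4 layout
            current["uids"].append(line[3:].strip())
    return keys

def check_signing_key(key, min_bits=1024, today=None):
    """Policy findings for one primary key; empty means it passes. today is an ISO date string."""
    findings = []
    if key["algo"] not in SIGNING_ALGOS:
        findings.append(f"{key['keyid']}: algorithm '{key['algo']}' cannot sign packages")
    if key["bits"] < min_bits:
        findings.append(f"{key['keyid']}: {key['bits']}-bit key is below the {min_bits}-bit minimum")
    if key["expires"]:  # ISO dates compare correctly as plain text
        state = "expired" if today and key["expires"] < today else "expires"
        findings.append(f"{key['keyid']}: key {state} on {key['expires']}; clients need a replacement public key")
    return findings
```

Feed it the real listing with `parse_listing(subprocess.check_output(["gpg", "--list-keys"], text=True))` and review every non-empty findings list before the key is exported to clients.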