5.5. Enabling automation content collection and container signing
Automation content signing is disabled by default. To enable it, the inventory file needs the following installation variables:
# Collection signing
hub_collection_signing=true
hub_collection_signing_key=<full_path_to_collection_gpg_key>
# Container signing
hub_container_signing=true
hub_container_signing_key=<full_path_to_container_gpg_key>
If the keys are protected by a passphrase, the following variables are also needed:
# Collection signing
hub_collection_signing_pass=<gpg_key_passphrase>
# Container signing
hub_container_signing_pass=<gpg_key_passphrase>
The hub_collection_signing_key and hub_container_signing_key variables require the keys to be created before the installation is run.
Automation content signing currently supports only GnuPG (GPG)-based signing keys. For more information about GPG, see the GnuPG man page.
Note
The algorithms and ciphers used are the customer's responsibility.
Procedure
Run the following command on the RHEL server to create a new key pair for collection signing:
gpg --gen-key
Enter your information for "Real name" and "Email address":
Example output:
gpg --gen-key
gpg (GnuPG) 2.3.3; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: Joe Bloggs
Email address: jbloggs@example.com
You selected this USER-ID:
    "Joe Bloggs <jbloggs@example.com>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
- If this operation fails, your environment does not have the prerequisite packages for GPG installed. Install the required packages to continue.
- A dialog then appears asking you for a passphrase. This is optional, but recommended.
The key is then generated, with output similar to the following:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 022E4FBFB650F1C4 marked as ultimately trusted
gpg: revocation certificate stored as '/home/aapuser/.gnupg/openpgp-revocs.d/F001B037976969DD3E17A829022E4FBFB650F1C4.rev'
public and secret key created and signed.

pub   rsa3072 2024-10-25 [SC] [expires: 2026-10-25]
      F001B037976969DD3E17A829022E4FBFB650F1C4
uid                      Joe Bloggs <jbloggs@example.com>
sub   rsa3072 2024-10-25 [E] [expires: 2026-10-25]
- Note that you can set the expiration date according to your company's standards and requirements.
You can run the following command to view all GPG keys:
gpg --list-secret-keys --keyid-format=long
To export the public key, run the following command:
gpg --export -a --output collection-signing-key.pub <email_address_used_to_generate_key>
To export the private key, run the following command:
gpg -a --export-secret-keys <email_address_used_to_generate_key> > collection-signing-key.priv
- If prompted, enter the passphrase.
To view the contents of the private key file, run the following command:
cat collection-signing-key.priv
Example output:
-----BEGIN PGP PRIVATE KEY BLOCK-----

lQWFBGcbN14BDADTg5BsZGbSGMHypUJMuzmIffzzz4LULrZA8L/I616lzpBHJvEs
sSN6KuKY1TcIwIDCCa/U5Obm46kurpP2Y+vNA1YSEtMJoSeHeamWMDd99f49ItBp
<snippet>
j920hRy/3wJGRDBMFa4mlQg=
=uYEF
-----END PGP PRIVATE KEY BLOCK-----
- Repeat steps 1 to 7 to create a key pair for container signing.
Add the following variables to the inventory file and run the installation to create the signing service:
# Collection signing
hub_collection_signing=true
hub_collection_signing_key=/home/aapuser/aap/ansible-automation-platform-containerized-setup-<version_number>/collection-signing-key.priv
# This variable is required if the key is protected by a passphrase
hub_collection_signing_pass=<password>

# Container signing
hub_container_signing=true
hub_container_signing_key=/home/aapuser/aap/ansible-automation-platform-containerized-setup-<version_number>/container-signing-key.priv
# This variable is required if the key is protected by a passphrase
hub_container_signing_pass=<password>
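The installer only reports a wrong hub_*_signing_key or a missing hub_*_signing_pass once it tries to create the signing service. The following preflight check is an added example, not part of this guide or of the Ansible Automation Platform installer: it reads the exported .priv file each enabled component points at, verifies the ASCII armor and its CRC-24 trailer (the "=uYEF" line in the example above), looks at the OpenPGP secret-key packet to tell whether the key is passphrase-protected (so that the matching _pass variable is required), and rejects a public-key export given in place of the private one. It assumes the inventory variables have already been loaded into a dict, that the file starts with an old-format, version 4 secret-key packet (what gpg writes for exported secret keys), and that the file permission check applies to the host the script runs on; the constructed_secret_key() helper builds a toy packet with dummy numbers purely as test input, not a usable key.

```python
"""Preflight check for the hub_*_signing inventory variables (added example, standard library only):
parses the armored GPG private key each _key variable names and reports what the installer would
otherwise surface late (public key given, passphrase-protected key without _pass, loose file mode)."""
import base64
from pathlib import Path

def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 (RFC 4880 section 6.1); the armor's '=XXXX' trailer line encodes it."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):                       # shift; reduce whenever bit 24 would be set
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def armor(packets: bytes, block_type: str) -> str:
    """Wrap raw packets in ASCII armor: 64-column base64, CRC line, BEGIN/END lines."""
    b64 = base64.b64encode(packets).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return f"-----BEGIN {block_type}-----\n\n{body}\n={crc}\n-----END {block_type}-----\n"

def dearmor(text: str) -> tuple:
    """Return (block type, raw packets); ValueError on missing armor or CRC mismatch."""
    lines = [ln.strip() for ln in text.splitlines()]
    begin = next((ln for ln in lines if ln.startswith("-----BEGIN ") and ln.endswith("-----")), None)
    block_type = begin[len("-----BEGIN "):-len("-----")] if begin else ""
    if not begin or f"-----END {block_type}-----" not in lines:
        raise ValueError("PGP armor header or footer missing (truncated file?)")
    body = lines[lines.index(begin) + 1:lines.index(f"-----END {block_type}-----")]
    while body and (body[0] == "" or ":" in body[0]):   # skip armor headers and the blank line
        body.pop(0)
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    packets = base64.b64decode("".join(body), validate=True)
    if crc_line and crc24(packets) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC-24 mismatch: key file is corrupted")
    return block_type, packets

def _skip_mpi(buf: bytes, pos: int) -> int:     # MPI: 2-byte bit count, then ceil(bits/8) bytes
    return pos + 2 + (int.from_bytes(buf[pos:pos + 2], "big") + 7) // 8

def secret_key_is_protected(packets: bytes) -> bool:
    """Parse the leading packet (v4 secret key, tag 5, old-format header as gpg writes it) and
    report whether the secret MPIs are encrypted: S2K usage byte 0 means they are in clear text."""
    tag, length_type = (packets[0] >> 2) & 0x0F, packets[0] & 0x03
    if packets[0] & 0xC0 != 0x80 or tag != 5 or length_type == 3:
        raise ValueError("leading packet is not an old-format secret-key packet (tag 5)")
    body = packets[1 + (1, 2, 4)[length_type]:]
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    algo, pos = body[5], 6                           # skip version and 4-byte creation time
    mpis = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4, 18: 0, 19: 0, 22: 0}.get(algo)   # RSA, Elgamal, DSA, ECC
    if mpis is None:
        raise ValueError(f"unsupported public-key algorithm {algo}")
    if algo in (18, 19, 22):                         # ECC: curve OID, point, KDF params (ECDH only)
        pos = _skip_mpi(body, pos + 1 + body[pos])
        pos += 1 + body[pos] if algo == 18 else 0
    for _ in range(mpis):
        pos = _skip_mpi(body, pos)
    return body[pos] != 0        # 254/255: S2K-encrypted; other non-zero: legacy cipher id

def check_signing_variables(inventory: dict, read_key=None) -> list:
    """Return findings for the hub_<component>_signing* variables; an empty list means ready."""
    read_key = read_key or (lambda path: Path(path).read_text())
    findings = []
    for comp in ("collection", "container"):
        if str(inventory.get(f"hub_{comp}_signing", "false")).lower() != "true":
            continue
        key_var, pass_var = f"hub_{comp}_signing_key", f"hub_{comp}_signing_pass"
        path = inventory.get(key_var)
        if not path:
            findings.append(f"{key_var} must be set when hub_{comp}_signing=true")
            continue
        if Path(path).exists() and Path(path).stat().st_mode & 0o077:
            findings.append(f"{key_var}: {path} is readable by group/others; use mode 0600")
        try:
            block_type, packets = dearmor(read_key(path))
            if block_type != "PGP PRIVATE KEY BLOCK":
                raise ValueError(f"file is a {block_type}, not the exported private key")
            protected = secret_key_is_protected(packets)
        except (OSError, ValueError, IndexError) as exc:
            findings.append(f"{key_var}: {path}: {exc}")
            continue
        if protected and not inventory.get(pass_var):
            findings.append(f"{key_var}: key is passphrase-protected, so {pass_var} must be set")
    return findings

def constructed_secret_key(protected: bool) -> str:
    """Constructed test input: a minimal v4 RSA secret-key packet with toy MPIs (not a usable
    key), armored the way a 'gpg -a --export-secret-keys' export is."""
    def mpi(v: int) -> bytes:
        return v.bit_length().to_bytes(2, "big") + v.to_bytes((v.bit_length() + 7) // 8, "big")
    public = b"\x04" + bytes(4) + b"\x01" + mpi(0x8001) + mpi(65537)   # v4, time 0, RSA, n, e
    if protected:   # S2K usage 254: AES-256, iterated+salted SHA-256 S2K, IV, then ciphertext
        secret = b"\xfe\x09\x03\x08" + bytes(8) + b"\x60" + bytes(16) + bytes(16)
    else:           # S2K usage 0: clear d, p, q, u followed by the 16-bit checksum of those octets
        clear = mpi(0x1234) + mpi(0x81) + mpi(0xFF) + mpi(0x03)
        secret = b"\x00" + clear + (sum(clear) % 65536).to_bytes(2, "big")
    packet = b"\x95" + len(public + secret).to_bytes(2, "big") + public + secret   # old-format tag 5
    return armor(packet, "PGP PRIVATE KEY BLOCK")
```

Run check_signing_variables() against the loaded inventory before starting the installation; every finding corresponds to a variable the page requires (the _key pointing at the exported .priv file, the _pass when the key has a passphrase). Because the inventory stores the passphrase in clear text next to the path of the private key, keep both the inventory file and the .priv exports at mode 0600 and owned by the installing user, which is what the permission finding enforces.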