Red Hat NETWORK SATELLITE 5.1.1 - RELEASE NOTES User Manual Page 11

12. Use the RPM dependency feature to make sure the program runs after it is installed.
Important
Do not create an RPM by archiving files and then unarchiving them in the post-install script. This
defeats the purpose of RPM.
If the files in the archive are not included in the file list, they cannot be verified or examined for
conflicts. In the vast majority of cases, RPM itself can pack and unpack archives most effectively
anyway. For instance, don't create files in a %post section that you do not clean up in a %postun section.
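The following added example (not part of the Red Hat guide) is a heuristic Python check for the two mistakes described above: unpacking an archive in %post, and creating files in %post that %postun never removes. The sample spec, the function names and the list of unpack commands are constructed for illustration.

```python
import re

# Keywords that start a spec section (subset sufficient for this check).
SECTIONS = {"description", "prep", "build", "install", "check", "clean",
            "files", "changelog", "pre", "post", "preun", "postun"}
HEADER = re.compile(r"^%(\w+)\b")
# Heuristic: an unpack tool in command position (line start or after ; & | ( ).
UNPACK = re.compile(r"(?:^|[;&|(])\s*(?:tar|unzip|cpio|gunzip|bunzip2)\b")
# Absolute paths written by a shell redirect or by touch.
CREATES = re.compile(r"(?:>>?\s*|\btouch\s+)(/[^\s;&|]+)")

# Constructed sample spec fragment, not taken from any real package.
SAMPLE_SPEC = """\
%files
/usr/share/demo/payload.tar.gz
%post
tar xzf /usr/share/demo/payload.tar.gz -C /opt/demo
touch /var/lock/demo.lock
echo enabled > /etc/demo.state
%postun
rm -f /var/lock/demo.lock
"""


def sections(spec_text):
    """Return {section_name: [(line_number, line), ...]} for a spec file."""
    bodies, current = {}, None
    for number, line in enumerate(spec_text.splitlines(), 1):
        match = HEADER.match(line)
        if match and match.group(1) in SECTIONS:
            current = match.group(1)
        elif current:
            bodies.setdefault(current, []).append((number, line))
    return bodies


def lint_spec(spec_text):
    """Flag %post lines that unpack archives or create files %postun never removes."""
    bodies = sections(spec_text)
    postun = "\n".join(line for _, line in bodies.get("postun", []))
    post = [(n, l) for n, l in bodies.get("post", []) if not l.lstrip().startswith("#")]
    findings = []
    for number, line in post:
        if UNPACK.search(line):
            findings.append((number, "unpacks archive in %post"))
        for path in CREATES.findall(line):
            if path != "/dev/null" and path not in postun:
                findings.append((number, f"creates {path} without %postun cleanup"))
    return findings
```

Calling lint_spec(SAMPLE_SPEC) reports line 4 (the tar extraction) and line 6 (the state file that %postun leaves behind); the lock file on line 5 passes because %postun removes it.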
3.2. Digital Signatures for RHN Packages
All packages distributed through RHN should have a digital signature. A digital signature is created
with a unique private key and can be verified with the corresponding public key. After creating a
package, the SRPM (Source RPM) and the RPM can be digitally signed with a GnuPG key. Before the
package is installed, the public key is used to verify the package was signed by a trusted party and the
package has not changed since it was signed.
3.2.1. Generating a GnuPG Keypair
A GnuPG keypair consists of the private and public keys. To generate a keypair, type the following
command as the root user at the shell prompt:
gpg --gen-key
If you execute this command as a non-root user, you see the following message:
gpg: Warning: using insecure memory!
This message appears because non-root users cannot lock memory pages. Since you do not want
anyone else to have your private GnuPG key or your passphrase, you want to generate the keypair as
root. The root user can lock memory pages, which means the information is never written to disk.
After executing the command to generate a keypair, you see an introductory screen containing key
options similar to the following:
gpg (GnuPG) 1.2.6; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (4) RSA (sign only)
Your selection?
Accept the default option: (1) DSA and ElGamal. This option allows you to create a digital
signature and encrypt/decrypt with two types of technologies. Type 1 and then press Enter.
Next, choose the key size, which is how long the key should be. The longer the key, the more resistant
your messages are to attacks. Creating a key of at least 1024 bits in size is recommended.