
Deep dive into Yum's gpgcheck

MycLambert / 1962 reads


Deep dive into Yum's gpgcheck: a learning tutorial

Secure distribution of RPM packages

Experiment: testing gpg

Create the private repository privateRepo

mkdir /home/privateRepo/

Upload an unsigned rpm package to /home/privateRepo/

rpm -pqi /home/privateRepo/jdk-10.0.1_linux-x64_bin.rpm

Name        : jdk-10.0.1                   Relocations: /usr/java
Version     : 10.0.1                            Vendor: Oracle America
Release     : ga                            Build Date: Tue 27 Mar 2018 01:24:18 AM GMT
Install Date: (not installed)               Build Host: sca00ida.us.oracle.com
Group       : Development/Tools             Source RPM: jdk-10.0.1-10.0.1-ga.src.rpm
Size        : 578524676                        License: http://java.com/license
Signature   : (none)
URL         : URL_REF
Summary     : Java Platform Standard Edition Development Kit
Description :
The Java Platform Standard Edition Development Kit (JDK) includes both
the runtime environment (Java Virtual Machine, the Java platform classes
and supporting files) and development tools (compilers, debuggers,
tool libraries and other tools).

Add gpgcheck

vi /etc/yum.repos.d/privateRepo.repo

[privateRepo]
name=privateRepo-gpg-test
baseurl=file:///home/privateRepo
enabled=1
gpgcheck=1

Build the index

createrepo /home/privateRepo/
Spawning worker 0 with 1 pkgs
Workers Finished
Gathering worker results

Saving Primary metadata
Saving file lists metadata
Saving other metadata
Generating sqlite DBs
Sqlite DBs complete

Query with yum

yum clean all
yum list|grep jdk

jdk-10.0.1.x86_64                2000:10.0.1-ga              privateRepo

Install jdk-10.0.1.x86_64

yum install jdk-10.0.1.x86_64
Loaded plugins: fastestmirror, post-transaction-actions
Setting up Install Process
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package jdk-10.0.1.x86_64 2000:10.0.1-ga will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================
Package                          Arch                         Version                              Repository                         Size
============================================================================================================================================
Installing:
jdk-10.0.1                       x86_64                       2000:10.0.1-ga                       privateRepo                       306 M

Transaction Summary
============================================================================================================================================
Install       1 Package(s)

Total download size: 306 M
Installed size: 552 M
Is this ok [y/N]: y
Downloading Packages:

Package jdk-10.0.1_linux-x64_bin.rpm is not signed

Installation fails

Sign the package

gpg --list-keys
/home/nobody/.gnupg/pubring.gpg
-------------------------------
pub   2048R/230C0099 2016-03-15
uid                  Gavin Ni 
sub   2048R/3E679AEF 2016-03-15
gpg --export -a guani@cisco.com > /home/nobody/privateRepo.key
rpm --define "_gpg_name Gavin Ni" --define "_gpg_path /home/nobody/.gnupg" --addsign /home/privateRepo/jdk-10.0.1_linux-x64_bin.rpm
Enter pass phrase:
gpg: WARNING: unsafe ownership on homedir `/home/nobody/.gnupg'
Pass phrase is good.
/home/privateRepo/jdk-10.0.1_linux-x64_bin.rpm:
gpg: WARNING: unsafe ownership on homedir `/home/nobody/.gnupg'
gpg: WARNING: unsafe ownership on homedir `/home/nobody/.gnupg'

Verify the signature

rpm -pqi /home/privateRepo/jdk-10.0.1_linux-x64_bin.rpm
Name        : jdk-10.0.1                   Relocations: /usr/java
Version     : 10.0.1                            Vendor: Oracle America
Release     : ga                            Build Date: Tue 27 Mar 2018 01:24:18 AM GMT
Install Date: (not installed)               Build Host: sca00ida.us.oracle.com
Group       : Development/Tools             Source RPM: jdk-10.0.1-10.0.1-ga.src.rpm
Size        : 578524676                        License: http://java.com/license
Signature   : RSA/SHA1, Thu 30 Aug 2018 03:30:08 AM GMT, Key ID 952e62c3230c0099
URL         : URL_REF
Summary     : Java Platform Standard Edition Development Kit
Description :
The Java Platform Standard Edition Development Kit (JDK) includes both
the runtime environment (Java Virtual Machine, the Java platform classes
and supporting files) and development tools (compilers, debuggers,
tool libraries and other tools).

Install again; it fails again

yum install jdk-10.0.1.x86_64
Loaded plugins: fastestmirror, post-transaction-actions
Setting up Install Process
Loading mirror speeds from cached hostfile
qa_mav_centos6                                                                                                       | 1.2 kB     00:00
qa_mav_centos6.7_noarch                                                                                              | 1.2 kB     00:00
qa_mav_centos6.7_x86_64                                                                                              | 1.2 kB     00:00
Resolving Dependencies
--> Running transaction check
---> Package jdk-10.0.1.x86_64 2000:10.0.1-ga will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================
Package                          Arch                         Version                              Repository                         Size
============================================================================================================================================
Installing:
jdk-10.0.1                       x86_64                       2000:10.0.1-ga                       privateRepo                       306 M

Transaction Summary
============================================================================================================================================
Install       1 Package(s)

Total download size: 306 M
Installed size: 552 M
Is this ok [y/N]: y
Downloading Packages:
Error Downloading Packages:2000:jdk-10.0.1-10.0.1-ga.x86_64: failure: jdk-10.0.1_linux-x64_bin.rpm from privateRepo: [Errno 256] No more mirrors to try.

createrepo must be run again: signing rewrote the rpm file, so the checksum recorded in the repodata no longer matches the package, which is why yum reports the download failure above.

createrepo /home/privateRepo/
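To see why the download failed before the index was rebuilt, here is an added check (not from the original post) that compares the sha256 each package has in the repodata's primary metadata with the file actually on disk. It assumes the layout createrepo writes: a *primary.xml.gz (or plain .xml) under repodata/, with a <checksum type="sha256" pkgid="YES"> element before each <location href="..."/>; the repository path you pass in is a placeholder.

```shell
#!/bin/sh
# repo_checksum_audit.sh: added example, not part of the original post.
# Compares the sha256 recorded for each package in a yum repo's primary
# metadata with the file in the repo directory. A mismatch is the state the
# walkthrough reaches after "rpm --addsign": the package changed but the
# repodata did not, and yum gives up with "[Errno 256] No more mirrors to try".

# sha256 of a file; coreutils sha256sum, or shasum where that is missing
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print "<checksum> <href>" for every package in a primary.xml (plain or .gz).
# createrepo emits, inside each <package>, a
#   <checksum type="sha256" pkgid="YES">HEX</checksum>
# element followed by a <location href="file.rpm"/> element.
primary_entries() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac | awk '
        /<checksum / {
            line = $0
            sub(/.*<checksum[^>]*>/, "", line)   # strip the opening tag
            sub(/<\/checksum>.*/, "", line)      # strip the closing tag
            sum = line
        }
        /<location / {
            line = $0
            sub(/.*href="/, "", line)
            sub(/".*/, "", line)
            print sum, line
        }'
}

# audit_repo DIR: exit 0 when every recorded package matches its file,
# 1 when any package is missing or stale, 2 when there is no metadata.
audit_repo() {
    repo="$1"
    primary=$(ls "$repo"/repodata/*primary.xml.gz "$repo"/repodata/*primary.xml 2>/dev/null | head -n 1)
    if [ -z "$primary" ]; then
        echo "no primary metadata under $repo/repodata" >&2
        return 2
    fi
    problems=$(primary_entries "$primary" | while read -r recorded href; do
        file="$repo/$href"
        if [ ! -f "$file" ]; then
            echo "MISSING $href"
        elif [ "$(sha256_of "$file")" != "$recorded" ]; then
            echo "STALE   $href (checksum changed after the repodata was built; re-run createrepo)"
        fi
    done)
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems" >&2
        return 1
    fi
    echo "repodata in $repo matches the packages on disk"
}

# Usage: sh repo_checksum_audit.sh /home/privateRepo
if [ $# -gt 0 ]; then
    audit_repo "$1"
fi
```

Run it against the repository right after signing and it reports the jdk package as STALE; after createrepo it reports a match. The same check is useful as a post-publish gate in a build pipeline, since a stale index is indistinguishable from a tampered package from the client's point of view.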

Installation still fails

[root@mtRobincmc001 yum.repos.d]# yum install jdk-10.0.1.x86_64
Loaded plugins: fastestmirror, post-transaction-actions
Setting up Install Process
Loading mirror speeds from cached hostfile
qa_mav_centos6                                                                                                       | 1.2 kB     00:00
qa_mav_centos6.7_noarch                                                                                              | 1.2 kB     00:00
qa_mav_centos6.7_x86_64                                                                                              | 1.2 kB     00:00
Resolving Dependencies
--> Running transaction check
---> Package jdk-10.0.1.x86_64 2000:10.0.1-ga will be installed
--> Finished Dependency Resolution
Dependencies Resolved
Package                          Arch                         Version                              Repository                         Size
============================================================================================================================================
Installing:
jdk-10.0.1                       x86_64                       2000:10.0.1-ga                       privateRepo                       306 M

Transaction Summary
============================================================================================================================================
Install       1 Package(s)

Total download size: 306 M
Installed size: 552 M
Is this ok [y/N]: y
Downloading Packages:
jdk-10.0.1_linux-x64_bin.rpm                                                                                         | 306 MB     00:04
warning: rpmts_HdrFromFdno: Header V4 RSA/SHA1 Signature, key ID 230c0099: NOKEY
Public key for jdk-10.0.1_linux-x64_bin.rpm is not installed

Import the public key (exported from the signer's keyring)

gpg --export -a rpmsign@example.com > /home/privateRepo/example-com.key

Add gpgkey to the yum repo configuration

[privateRepo]
name=privateRepo-gpg-test
baseurl=file:///home/privateRepo
enabled=1
gpgcheck=1
gpgkey=file:///home/privateRepo/privateRepo.key
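Pulling the server-side steps of this walkthrough together, as an added example that is not the original post's script: sign every unsigned rpm, export the public key to the path the gpgkey= line points at, and only then rebuild the repodata. REPO_DIR, GPG_NAME, GPG_HOME and KEY_FILE are placeholders filled with the values shown above; the unsigned test reuses the "Signature : (none)" line of rpm -qpi, and DRY_RUN only prints the commands instead of running them. The signature produced above is RSA/SHA1; systems whose crypto policy disables SHA-1 reject such package signatures, so on a newer signing host also set rpm's _gpg_digest_algo macro to sha256.

```shell
#!/bin/sh
# publish_signed_repo.sh: added example, not part of the original post.
# Signs every unsigned rpm in the repo directory, exports the signing public
# key next to the packages (the file the .repo's gpgkey= line points at), and
# rebuilds the repodata LAST, because --addsign changes each file's checksum.
#
# Assumed values (placeholders to adapt): REPO_DIR, GPG_NAME, GPG_HOME, KEY_FILE.
REPO_DIR="${REPO_DIR:-/home/privateRepo}"
GPG_NAME="${GPG_NAME:-Gavin Ni}"              # uid of the signing key, as in gpg --list-keys
GPG_HOME="${GPG_HOME:-$HOME/.gnupg}"
KEY_FILE="${KEY_FILE:-$REPO_DIR/privateRepo.key}"

# run CMD...: execute, or with DRY_RUN set only print the command line.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# is_signed FILE: true unless rpm reports "Signature : (none)" for it.
is_signed() {
    [ -z "${DRY_RUN:-}" ] || return 1              # dry run: treat everything as unsigned
    info=$(rpm -qpi "$1" 2>/dev/null) || return 1
    ! printf '%s\n' "$info" | grep -q '^Signature *: (none)'
}

# export_pubkey: ASCII-armoured public key for the clients' gpgkey= setting.
export_pubkey() {
    gpg --homedir "$GPG_HOME" --export -a "$GPG_NAME" > "$KEY_FILE"
}

# publish: sign what needs signing, publish the key, then regenerate metadata.
publish() {
    for pkg in "$REPO_DIR"/*.rpm; do
        [ -f "$pkg" ] || continue
        if is_signed "$pkg"; then
            echo "already signed: $pkg"
            continue
        fi
        run rpm --define "_gpg_name $GPG_NAME" --define "_gpg_path $GPG_HOME" --addsign "$pkg"
    done
    run export_pubkey
    # Metadata must be built after signing; otherwise the checksums recorded in
    # repodata describe the unsigned files and yum refuses the download.
    run createrepo --update "$REPO_DIR"
}

# Usage: sh publish_signed_repo.sh --run   (or DRY_RUN=1 to preview the commands)
if [ "${1:-}" = "--run" ]; then
    publish
fi
```

The ordering is the whole point: signing after createrepo reproduces the "[Errno 256]" failure seen above, and publishing the key after clients have already tried to install reproduces the NOKEY warning.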

Install once more: this time it succeeds

[root@mtRobincmc001 ~]# yum install jdk
Loaded plugins: fastestmirror, post-transaction-actions
Setting up Install Process
Loading mirror speeds from cached hostfile
qa_mav_centos6                                                                                                       | 1.2 kB     00:00
qa_mav_centos6.7_noarch                                                                                              | 1.2 kB     00:00
qa_mav_centos6.7_x86_64                                                                                              | 1.2 kB     00:00
Resolving Dependencies
--> Running transaction check
---> Package jdk-10.0.1.x86_64 2000:10.0.1-ga will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================
Package                          Arch                         Version                              Repository                         Size
============================================================================================================================================
Installing:
jdk-10.0.1                       x86_64                       2000:10.0.1-ga                       privateRepo                       306 M

Transaction Summary
============================================================================================================================================
Install       1 Package(s)

Total download size: 306 M
Installed size: 552 M
Is this ok [y/N]: y
Downloading Packages:
jdk-10.0.1_linux-x64_bin.rpm                                                                                         | 306 MB     00:03
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 2000:jdk-10.0.1-10.0.1-ga.x86_64                                                                                         1/1
Unpacking JAR files...
  plugin.jar...
  javaws.jar...
  deploy.jar...
cp: cannot stat `/usr/java/jdk-10.0.1/lib/desktop/icons/hicolor/16x16/apps/sun-java.png': No such file or directory
cp: cannot stat `/usr/java/jdk-10.0.1/lib/desktop/icons/hicolor/16x16/apps/sun-javaws.png': No such file or directory
cp: cannot stat `/usr/java/jdk-10.0.1/lib/desktop/icons/hicolor/48x48/apps/sun-java.png': No such file or directory
cp: cannot stat `/usr/java/jdk-10.0.1/lib/desktop/icons/hicolor/48x48/apps/sun-javaws.png': No such file or directory
cp: cannot stat `/usr/java/jdk-10.0.1/lib/desktop/icons/hicolor/48x48/apps/sun-java.png': No such file or directory
cp: cannot stat `/usr/java/jdk-10.0.1/lib/desktop/icons/hicolor/48x48/apps/sun-javaws.png': No such file or directory
Running post transaction command: /opt/mav/bin/mav-event "yum_event" "install jdk-10.0.1-10.0.1-ga.x86_64 @ %DTE% from privateRepo 2000"
  Verifying  : 2000:jdk-10.0.1-10.0.1-ga.x86_64                                                                                         1/1

Installed:
  jdk-10.0.1.x86_64 2000:10.0.1-ga

Complete!

Summary

/etc/yum.repos.d/privateRepo.repo is scoped to the yum client

gpgcheck=1 in privateRepo.repo only affects the install step; it has no effect on building the index on the server side (createrepo). However, after signing, createrepo must be run again, because signing rewrites the rpm file and the checksums recorded in the repodata no longer match.

A secure private RPM repository

Download RPMs over https

Sign RPMs with gpg

Make sure gpgcheck=1

Fetch the gpg public key over https
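The checklist above turned into a client-side audit, as an added example rather than anything from the original post: it walks every section of the .repo files in a directory and reports gpgcheck missing or not 1, a plain-http baseurl, gpgcheck=1 without a gpgkey (the NOKEY situation seen above), and a gpgkey fetched over plain http. Disabled repos are skipped. The default directory /etc/yum.repos.d and the yum default of gpgcheck=0 are real; it only inspects baseurl, not mirrorlist or metalink, and the repo names and URLs used in any test input are constructed.

```shell
#!/bin/sh
# audit_yum_repos.sh: added example, not part of the original post.
# Prints one line per finding and exits 1 when there is at least one,
# 0 when every enabled repo passes the checklist.
audit_repo_configs() {
    dir="${1:-/etc/yum.repos.d}"
    awk '
        function report(msg) {
            findings++
            print secfile ": [" section "] " msg
        }
        function reset() { section = ""; enabled = ""; gpgcheck = ""; baseurl = ""; gpgkey = "" }
        function flush() {
            if (section == "") return
            if (enabled == "0") { reset(); return }        # disabled: nothing can be installed from it
            if (gpgcheck == "") { report("gpgcheck not set (yum default is 0: signatures are not verified)") } else if (gpgcheck != "1") { report("gpgcheck=" gpgcheck " (signatures are not verified)") }
            if (baseurl ~ /^http:\/\//) { report("baseurl over plain http: " baseurl) }
            if (gpgcheck == "1" && gpgkey == "") { report("gpgcheck=1 without gpgkey: the key must already be in the rpm keyring or installs fail with NOKEY") }
            if (gpgkey ~ /^http:\/\//) { report("gpgkey fetched over plain http: " gpgkey) }
            reset()
        }
        /^[ \t]*[#;]/ { next }                            # comment line
        /^[ \t]*\[[^]]+[]][ \t]*$/ {                      # [section] header ([]] is a literal "]")
            flush()
            section = $0
            sub(/^[ \t]*\[/, "", section)
            sub(/[]][ \t]*$/, "", section)
            secfile = FILENAME
            next
        }
        section != "" && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "enabled")  enabled  = val
            if (key == "gpgcheck") gpgcheck = val
            if (key == "baseurl")  baseurl  = val
            if (key == "gpgkey")   gpgkey   = val
        }
        END { flush(); if (findings > 0) exit 1 }
    ' "$dir"/*.repo
}

# Usage: sh audit_yum_repos.sh [/etc/yum.repos.d]
if [ $# -gt 0 ]; then
    audit_repo_configs "$1"
fi
```

Run against the privateRepo.repo from the middle of this walkthrough (gpgcheck=1 but no gpgkey) it flags exactly the configuration that later produced the NOKEY warning; the final version with gpgkey=file:///home/privateRepo/privateRepo.key passes.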

When reposting, please cite the original address: https://www.ucloud.cn/yun/33609.html