<HTML>
<HEAD>
<TITLE>Maximum RPM (RPM):Adding PGP Signatures to a Package:EarthWeb Inc.-</TITLE>
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
<SCRIPT>
<!--
function displayWindow(url, width, height) {
var Win = window.open(url,"displayWindow",'width=' + width +
',height=' + height + ',resizable=1,scrollbars=yes');
}
//-->
</SCRIPT>
</HEAD>
<!-- ISBN=0672311054 //-->
<!-- TITLE=Maximum RPM (RPM)//-->
<!-- AUTHOR=Edward Bailey//-->
<!-- PUBLISHER=Macmillan Computer Publishing//-->
<!-- IMPRINT=Sams//-->
<!-- CHAPTER=17 //-->
<!-- PAGES=0237-0246 //-->
<!-- UNASSIGNED1 //-->
<!-- UNASSIGNED2 //-->
<P><CENTER>
<a href="../ch16/0235-0236.html">Previous</A> | <a href="../ewtoc.html">Table of Contents</A> | <a href="0241-0244.html">Next</A>
</CENTER></P>
<A NAME="PAGENUM-237"><P>Page 237</P></A>
<H3><A NAME="ch17_ 1">
Chapter 17
</A></H3>
<H2>
Adding PGP Signatures to <BR>a Package
</H2>
<A NAME="PAGENUM-238"><P>Page 238</P></A>
<P>In this chapter, we'll explore the steps required to add a digital signature to a package using
the software known as Pretty Good Privacy, or PGP. If you've used PGP before, you
probably know everything you'll need to start signing packages in short order.
</P>
<P>On the other hand, if you feel you need a bit more information on PGP before starting,
see Appendix G, "An Introduction to PGP," for a brief introduction. When you feel
comfortable with PGP, come on back and learn how easy signing packages is.
</P>
<H3><A NAME="ch17_ 2">
17.1. Why Sign a Package?
</A></H3>
<P>The reason for signing a package is to provide authentication. With a signed package, it's
possible for your user community to verify that the package they have was in your possession
at some time and has not been changed since then. That "not changed" part is also a good
reason to sign your packages, because digital signatures are a very robust way to guard against
any modifications to the package.
</P>
<P>Of course, as with anything else in life, adding a digital signature to a package isn't an
ironclad guarantee that everything is right with the package, but it's about as sure a thing as humans
can make it.
</P>
<H3><A NAME="ch17_ 3">
17.2. Getting Ready to Sign
</A></H3>
<P>Okay, we've convinced you that signing packages is a good idea. Now we've got to make
sure PGP and RPM are up to the task. As you might imagine, there are two parts to this
process: one for PGP, and one for RPM. Let's get PGP ready first.
</P>
<H4><A NAME="ch17_ 4">
17.2.1. Preparing PGP: Creating a Key Pair
</A></H4>
<P>There is really very little to be done to PGP, assuming it's been installed properly. The
only thing required is to generate a key pair. As mentioned in our mini-primer on PGP, the key
pair consists of a secret key and a public key. In terms of signing packages, you will use your
secret key to do the actual signing. Anyone interested in checking your signature will need your
public key.
</P>
<P>Creating a key pair is quite simple. All that's required is to issue a
pgp -kg command, enter some information, and create some random bits. Here's a
sample key-generating session:
</P>
<!-- CODE //-->
<PRE>
# pgp -kg
Pretty Good Privacy(tm) 2.6.3a - Public-key encryption for the masses.
(c) 1990-96 Philip Zimmermann, Phil's Pretty Good Software. 1996-03-04
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Distributed by the Massachusetts Institute of Technology.
Export of this software may be restricted by the U.S. government.
Current time: 1996/10/31 00:42 GMT
</PRE>
<!-- END CODE //-->
<A NAME="PAGENUM-239"><P>Page 239</P></A>
<!-- CODE //-->
<PRE>
Pick your RSA key size:
1) 512 bits- Low commercial grade, fast but less secure
2) 768 bits- High commercial grade, medium speed, good security
3) 1024 bits- "Military" grade, slow, highest security
Choose 1, 2, or 3, or enter desired number of bits: 3
Generating an RSA key with a 1024-bit modulus.
You need a user ID for your public key. The desired form for this
user ID is your name, followed by your E-mail address enclosed in
<angle brackets>, if you have an E-mail address.
For example: John Q. Smith <12345.6789@compuserve.com>
Enter a user ID for your public key:
Example Key for RPM Book
You need a pass phrase to protect your RSA secret key.
Your pass phrase can be any sentence or phrase and may have many
words, spaces, punctuation, or any other printable characters.
Enter pass phrase: <passphrase> (Not echoed)
Enter same pass phrase again: <passphrase> (Still not echoed)
Note that key generation is a lengthy process.
We need to generate 952 random bits. This is done by measuring the
time intervals between your keystrokes. Please enter some random text
on your keyboard until you hear the beep:
(Many random characters were entered)
0 * -Enough, thank you.
............................................
................................**** ...****
Pass phrase is good. Just a moment....
Key signature certificate added.
Key generation completed.
#
</PRE>
<!-- END CODE //-->
<P>Let's review each of the times PGP required information. The first thing PGP needed to
know was the key size we wanted. Depending on your level of paranoia, simply choose an
appropriate key size. In our example, we chose the "They're out to get me" key size of 1,024 bits.
</P>
<P>Next, we needed to choose a user ID for the key. The user ID should be descriptive and
should also include sufficient information for someone to contact you. We entered
Example Key for RPM Book, which goes against this suggestion but is sufficient for the purposes of our example.
</P>
<P>After entering a user ID, we needed to add a passphrase. The passphrase is used to protect
your secret key, so it should be something difficult for someone else to guess. It should also be
memorable for you, because if you forget your passphrase, you won't be able to use your secret key!
I entered a couple of words and numbers, put together in such a way that no one could ever
guess I typed rpm2kool4words... Oops!
</P>
<A NAME="PAGENUM-240"><P>Page 240</P></A>
<P>The passphrase is entered twice to ensure that no typing mistakes were made. PGP also
performs some cursory checks on the passphrase, ensuring that the phrase is at least
somewhat secure.
</P>
<P>Finally comes the strangest part of the key-generation process: creating random bits. This
is done by measuring the time between keystrokes. The secret here is to not hold down a key
so that it auto-repeats and to not wait several seconds between keystrokes.
Simply start typing anything (even nonsense text) until PGP tells you you've typed enough.
</P>
<P>After generating enough random bits, PGP takes a minute or so to create the key pair.
Assuming that everything completed successfully, you'll see an ending message similar to the one
shown in this example. You'll also find, in a subdirectory of your login directory called
.pgp, the following files:
</P>
<!-- CODE //-->
<PRE>
# ls -al ~/.pgp
total 6
drwxr-xr-x 2 root root 1024 Oct 30 19:44 .
drwxr-xr-x 5 root root 1024 Oct 30 19:44 ..
-rw------- 1 root root 176 Oct 30 19:44 pubring.bak
-rw------- 1 root root 331 Oct 30 19:44 pubring.pgp
-rw------- 1 root root 408 Oct 30 19:44 randseed.bin
-rw------- 1 root root 509 Oct 30 19:44 secring.pgp
#
</PRE>
<!-- END CODE //-->
<P>Those of you interested in learning exactly what each file is can consult any of the fine
books on PGP. For the purposes of signing packages, all you need to know is where these files
are located.
</P>
<P>That's it! Now it's time to configure RPM to use your newly generated key.
</P>
<H4><A NAME="ch17_ 5">
17.2.2. Preparing RPM
</A></H4>
<P>RPM's configuration process is quite straightforward. It simply consists of adding a few
rpmrc entries in a file of your choice. For more information on
rpmrc files in general, see Appendix B, "The
rpmrc File."
</P>
<P>The entries that need to be added to an rpmrc file are
</P>
<UL>
<LI> signature
<LI> pgp_name
<LI> pgp_path
</UL>
<P>Let's check out the entries:
</P>
<UL>
<LI>
signature—The signature entry is used to select the type of signature that RPM is
to use. At the time this book is being written, the only legal value is
pgp. So you would enter
<!-- CODE SNIP //-->
<PRE>
signature: pgp
</PRE>
<!-- END CODE SNIP //-->
</UL>
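<P>As an added check that is not part of the book or of RPM itself: a small POSIX shell script that reads the three entries from an rpmrc file and confirms that the keyring directory created by pgp -kg is in place and still owner-only before RPM is pointed at it. Beyond what this page states, it assumes that pgp_name holds the signing key's user ID and pgp_path the directory containing pubring.pgp and secring.pgp; the demo files it creates are constructed samples.</P>

```shell
#!/bin/sh
# Added example (not from Maximum RPM): sanity-check the rpmrc signing entries
# and the PGP keyring directory before asking RPM to sign anything.
# Assumed entry semantics: signature is "pgp"; pgp_name is the user ID of the
# signing key; pgp_path is the directory holding pubring.pgp and secring.pgp.

# rpmrc_value FILE KEY: print the value of the first "KEY: value" line
rpmrc_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1
}

# check_signing_setup RPMRC: return 0 if usable, 1 otherwise (reasons on stderr)
check_signing_setup() {
    rc="$1" ok=0
    sig=$(rpmrc_value "$rc" signature)
    name=$(rpmrc_value "$rc" pgp_name)
    path=$(rpmrc_value "$rc" pgp_path)
    [ "$sig" = pgp ] || { echo "signature must be 'pgp', got '$sig'" >&2; ok=1; }
    [ -n "$name" ]   || { echo "pgp_name is empty" >&2; ok=1; }
    [ -d "$path" ]   || { echo "pgp_path '$path' is not a directory" >&2; return 1; }
    for f in pubring.pgp secring.pgp; do
        [ -f "$path/$f" ] || { echo "missing $path/$f" >&2; ok=1; }
    done
    # the secret keyring must stay owner-only (-rw-------), as pgp -kg left it
    perm=$(ls -l "$path/secring.pgp" 2>/dev/null | cut -c1-10)
    [ "$perm" = "-rw-------" ] || { echo "secring.pgp is not mode 0600 ($perm)" >&2; ok=1; }
    return $ok
}

# demo: recreate the chapter's layout (constructed sample: the four files
# pgp -kg left in ~/.pgp plus a three-entry rpmrc) in a scratch directory
demo() {
    d=$(mktemp -d)
    mkdir "$d/.pgp"
    for f in pubring.bak pubring.pgp randseed.bin secring.pgp; do : > "$d/.pgp/$f"; done
    chmod 600 "$d/.pgp"/*
    printf 'signature: pgp\npgp_name: Example Key for RPM Book\npgp_path: %s/.pgp\n' \
        "$d" > "$d/rpmrc"
    if check_signing_setup "$d/rpmrc"; then st=0; else st=1; fi
    rm -rf "$d"
    return $st
}

demo && echo "rpmrc signing setup looks usable"
```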
</td>
</tr>
</table>
<!-- begin footer information -->
</body></html>