appendix-g.html

linux-unix130.linux.and.unix.ebooks130 linux and unix ebookslinuxLearning Linux - Collection of 12 E

<HTML>
<HEAD>
<TITLE>Maximum RPM (RPM):appendix-g:EarthWeb Inc.-</TITLE>
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
<SCRIPT>
<!--
function displayWindow(url, width, height) {
        var Win = window.open(url,"displayWindow",'width=' + width +
',height=' + height + ',resizable=1,scrollbars=yes');
}
//-->
</SCRIPT>
</HEAD>

 -->


<!-- ISBN=0672311054 //-->
<!-- TITLE=Maximum RPM (RPM)//-->
<!-- AUTHOR=Edward Bailey//-->
<!-- PUBLISHER=Macmillan Computer Publishing//-->
<!-- IMPRINT=Sams//-->
<!-- CHAPTER=appendix-g //-->
<!-- PAGES=0417-0424 //-->
<!-- UNASSIGNED1 //-->
<!-- UNASSIGNED2 //-->


<P><CENTER>
<a href="appendix-f.html">Previous</a> | <a href="ewtoc.html">Table of Contents</a> | </CENTER></P>




<A NAME="PAGENUM-417"><P>Page 417</P></A>



<H3><A NAME="1054_ 7">
Appendix G</a></H3>

<H2>

An Introduction to PGP

</H2>


<A NAME="PAGENUM-418"><P>Page 418</P></A>


<P>Assuming you're not the curious type and haven't flipped your way back here, you are
probably here looking for some information on the program known as Pretty Good Privacy, or PGP.
</P>

<H3>
G.1. PGP: Privacy for Regular People
</H3>

<P>PGP, or Pretty Good Privacy, is a program that is intended to help make electronic mail
more secure. It does this by using a sophisticated technique known as public
key encryption.
</P>

<P>If you find yourself wondering what electronic mail and making information unreadable
by spies have to do with RPM, you have a good point. However, although PGP's claim to fame
is the handling of e-mail in total privacy, it has some other tricks up its sleeve.
</P>

<H4>
G.1.1. Keys Your Locksmith Wouldn't Understand
</H4>

<P>As mentioned earlier, PGP uses public key
encryption to do some of its magic. You might
guess from the name that this type of encryption involves keys of some sort. But, as you might
imagine, these are not keys that you can copy at the local hardware store. They are
numbers&#151;really large numbers. Here's what a key might look like (when we say that keys are numbers, we
aren't lying even though the sample key doesn't look like a number; it has been processed so that
it can be concisely displayed using only printable characters):
</P>
<!-- CODE //-->
<PRE>
----BEGIN PGP PUBLIC KEY BLOCK----
Version: 2.6.2

mQCNAzEpXjUAAAEEAKG4/V9oUSiDc9wIge6Bmg6erDGCLzmFyioAho8kDIJSrcmi
F9qTdPq+fj726pgW1iSb0Y7syZn9Y2lgQm5HkPODfNi8eWyTFSxbr8ygosLRClTP
xqHVhtInGrfZNLoSpv1LdWOme0yOpOQJnghdOMzKXpgf5g84vaUg6PHLopv5AAUR
tCpSZWQgSGF0IFNvZnR3YXJlLCBJbmMuIDxyZWRoYXRAcmVkaGF0LmNvbT6JAFUD
BRAxc0xcKO2uixUx6ZEBAQOfAfsGwmueeH3WcjngsAoZyremvyV3Q8C1YmY1EZC9
SWkQxdRKe7n2PY/WiA82Mvc+op1XGTkmqByvxM9Ax/dXh+peiQCVAwUQMXL7xiIS
axFDcvLNAQH5PAP/TdAOyVcuDkXfOPjN/TIjqKRPRt7k6Fm/ameRvzSqB0fMVHEE
5iZKi55Ep1AkBJ3wX257hvduZ/9juKSJjQNuW/FxcHazPU+7yLZmf27xIq7E0ihW
8zz9JNFWSA9+8vlCMBYwdP1a+DzVdwjbJcnOu3/Z/aCY2lYi9U45PzmtU8iJAJUD
BRAxU9GUGXO+IyM0cSUBAbWfA/9+lVfqcpFYkJIV4HuV5niVv7LW4ywxW/SftqCM
lXDXdJdoDbrvLtVYIGWeGwJ6bES6CoQiQjiW7/WaC3BY9ZITQE4hWOPQADzOnZPQ
fdkIIxuIUAUnU/YarasqvxCs5v/TygfWUTPLPSP+MqGqJcDF2UHXCiNAHrItse9M
h7etkYkAdQMFEDEp61/Nq6IpInoskQEB538C+wSIaCNNDOGxlxS5E2tClXRwMYf0
ymuKXs/srvIUjOO7xuIH4K7qcSSdI4eUwuXy6w5tWWR3xZ/XiygcLtKMi2IZIq0j
wmFq7MEk+Xp8MN7Icawkqj1/1p0p4EwKKkIU64kAlQMFEDEp6pZEcVNogr/H7QEB
jp4D/iblfiCzVTA5QhGeWOj1rRxWzohMvnngn29IJgdnN3zuQXB1/lbVV3zYciRH
NyvpynfcTcgORHNpAIxXDaZ7sd48/v7hHLarcR5kxuY0T75XOTGOKTOlFvb4XmcY
HZR2wSWSBteKezB5uK47A6uhwtvPokV0Owk9xPmBV+LPXkW4
=pnqV
----END PGP PUBLIC KEY BLOCK----
</PRE>
<!-- END CODE //-->

<P>PGP uses two different types of keys: public and private. The
public key, as its name suggests, can be shared with anyone. The key shown above is, in fact, a public key. The
private key, as its name suggests, should be kept a secret. PGP creates keys in pairs&#151;one private and one
public. A key pair must remain a pair; if one is lost, the other by itself is useless. Why? Because the
two keys have an interesting property that can be exploited in two ways:
</P>

<A NAME="PAGENUM-419"><P>Page 419</P></A>



<UL>
<LI>          A message encrypted by a given public key can only be decrypted with the
corresponding private key.
<LI>          A message encrypted by a given private key can only be decrypted with the
corresponding public key.
</UL>

<P>In the case of sending messages in total privacy, the key pairs are used in the first manner.
It allows two people to exchange private messages without first exchanging any &quot;secret
codes.&quot; The only requirement is that each know the other's public key.
</P>

<P>However, for RPM, the second method is the important one. Let's say a company needs
to send you a document and you'd like to make sure it really did come from them. If the
company first encrypted the file with its private key and sent it to you, you would have an
encrypted file you couldn't read.
</P>

<P>Or could you? If you have the company's public key, you should be able to decrypt it. In
fact, if you can't, you can be sure that the message you received did not come from them! (Or
at least that it didn't make it to you unchanged.)
</P>

<P>It is this feature that is used by RPM. By using PGP's public key encryption, it is possible
to not only prove that a package file came from a certain person or persons, but also that it
was not changed somewhere along the line.
</P>

<H4>
G.1.2. Are RPM Packages Encrypted?
</H4>

<P>In a word, no. Rather than being encrypted, RPM package files possess
digital signatures. This is a way of using encryption to attach a signature (again, basically a large number) to
some information, such that
</P>

<UL>
<LI>          The signature cannot be separated from the information. Any attempt to verify
the signature against any other information will fail.
<LI>          The signature can only be produced by one private key.
</UL>

<P>In the case of RPM, the information being signed is the contents of the
.rpm file itself.
</P>

<P>A digital signature is just like a regular signature. It doesn't obscure the contents of the
document being signed; it just provides a method of determining the authenticity of a
document. Here is an example of a digital signature turned into printable text:
</P>

<!-- CODE //-->
<PRE>
----BEGIN PGP SIGNATURE----
Version: 2.6.3a
Charset: noconv

iQCVAwUBMXVGMFIa2NdXHZJZAQFe4AQAz0FZrHdH8o+zkIvcI/4ABg4gfE7cG0xE
Z2J9GVWD2zi4tG+s1+IWEY6Ae17kx925JKrzF4Ti2upAwTN2Pnb/x0G8WJQVKQzP
mZcD+XNnAaYCqFz8iIuAFVLchYeWj1Pqxxq0weGCtjQIrpzrmGxV7xXzK0jus+6V
rML3TxQSwdA=
=T9Mc
----END PGP SIGNATURE----

</PRE>
<!-- END CODE //-->
<A NAME="PAGENUM-420"><P>Page 420</P></A>

<H4>
G.1.3. Do All RPM Packages Have Digital Signatures?
</H4>

<P>Again, no. In a perfect world, every .rpm file would be signed. However, RPM has no
formal requirement that this be the case. There is also no requirement that you do anything
special with a signed .rpm file. Think of it as an extra feature that you can take advantage of, or
not&#151;it's strictly your choice.
</P>

<H4>
G.1.4. So Much to Cover, So Little Time
</H4>

<P>PGP has a wealth of features, 99% of which we will not cover in this book. For more
information on the basics of encryption, see Applied
Cryptography, by Bruce Schneier, which contains a wealth of information on the subject. For more details on PGP specifically, O'Reilly's
PGP: Pretty Good Privacy by Simson Garfinkel is an
excellent reference.
</P>

<P>If you'd rather surf the Net, use your favorite World Wide Web index to hunt for
crypto or PGP, and you'll be in business.
</P>

<H3>
G.2. Installing PGP for RPM's Use
</H3>

<P>To use RPM's PGP-related capabilities, you'll need to have PGP installed on your system.
If it's installed already, you should be able to flip to the chapters on verifying package
signatures and signing packages and be in business in a matter of minutes. Otherwise, read on for a
thumbnail sketch of what's required to install PGP.
</P>

<H4>