Digital Signatures for RHN Packages; Generating a GnuPG Keypair - Red Hat Network 3.6 - Channel Management Guide Manual


Chapter 3. Building Custom Packages
13. It may be tempting to create an RPM by archiving files and then unarchiving them in the post-install script, but do not do it. This defeats the purpose of RPM. If the files in the archive are not included in the file list, RPM cannot verify them (for example with rpm -V) or check them for conflicts with other packages. In the vast majority of cases, RPM itself can pack and unpack archives most effectively anyway. Likewise, do not create files in a %post script that you do not remove in a %postun script.

3.2. Digital Signatures for RHN Packages

All RPM packages distributed through RHN should carry a digital signature. A digital signature is created with a private key that only the signer holds and is verified with the corresponding public key. After a package is built, the SRPM (Source RPM) and the RPM can be digitally signed with a GnuPG key. Before the package is installed, the public key can be used to verify that the package was signed by a trusted party and that it has not been modified since it was signed.

3.2.1. Generating a GnuPG Keypair

A GnuPG keypair consists of the private and public keys. To generate a keypair, as root at a shell
prompt, type the following command:
gpg --gen-key
If you execute this command as a non-root user, you will see the following message:
gpg: Warning: using insecure memory!
This message appears because non-root users cannot lock memory pages (if they could, they could exhaust physical memory with locked pages and cause a denial of service). Without locked pages, the memory holding your private key and passphrase can be swapped out to disk, where it may be recoverable later. Since you do not want anyone else to obtain your private GnuPG key or your passphrase, generate the keypair as root: the root user can lock memory pages, so the key material is never written to swap. Note that the warning concerns only where the key material sits in memory while gpg runs; it does not weaken the key that is generated.
After executing the command to generate a keypair, you will see an introductory screen containing
key options similar to the following:
gpg (GnuPG) 1.0.7; Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(4) ElGamal (sign and encrypt)
(5) RSA (sign only)
Your selection?
Accept the default option, (1) DSA and ElGamal. This option allows you to create digital signatures and to encrypt (and decrypt) using two different algorithms. Type 1 and then press [Enter].
Next, choose the key size, that is, how long the key should be. A longer key is more resistant to attack (and somewhat slower to use). This guide recommends a key of at least 1024 bits; be aware that 1024-bit keys are no longer considered adequate, and current GnuPG versions default to 2048-bit RSA or larger.
The next option asks you to specify how long you want your key to be valid. If you do choose an expiration date, remember that anyone with whom you exchanged your public key will also have to be informed of its expiration and supplied with a new public key. It is recommended that you select no expiration date. A key without an expiration date stays valid indefinitely, even if it is lost or compromised, so generate a revocation certificate (gpg --gen-revoke) and keep it somewhere safe. If you do not choose an expiration date, you will be asked to confirm your decision:
Key does not expire at all
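The procedure described in sections 3.2 and 3.2.1, as an added example that is not part of the RHN guide: the unattended equivalent of the gpg --gen-key dialogue above, followed by signing a file that stands in for a built package and verifying it from a second keyring that holds nothing but the exported public key. It assumes gpg (GnuPG 1.4 or 2.x) is on PATH; the identity packager@example.com, the file names and the file contents are made up for the demonstration, and the stand-in file is not a real RPM (with a real package you would use rpm --addsign, rpm --import and rpm --checksig instead of the detach-sign and verify steps).

```shell
#!/bin/sh
# Added example (not from the RHN guide): non-interactive GnuPG keypair
# generation, detached signing of a stand-in package file, and verification
# using only the public key. Identity, paths and contents are made up.
set -eu

if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not found on PATH; skipping demo" >&2
    exit 0
fi

# Two throwaway GnuPG homes: the packager's (holds the private key) and the
# installing host's (will hold only the public key). Never touch ~/.gnupg.
WORK=$(mktemp -d)
SIGNER_HOME="$WORK/signer"
VERIFIER_HOME="$WORK/verifier"
mkdir -m 700 "$SIGNER_HOME" "$VERIFIER_HOME"
cleanup() { rm -rf "$WORK"; }
trap cleanup EXIT

gen_signing_key() {
    # Batch-mode answers to the questions the guide walks through: key type
    # and size, expiry (0 = never) and identity. RSA sign-only matches menu
    # option (5); 2048 bits replaces the guide's 1024-bit minimum, which is
    # no longer adequate. %no-protection creates a key without a passphrase,
    # acceptable only for this throwaway key, never for a real signing key.
    gpg --batch --homedir "$SIGNER_HOME" --gen-key <<'EOF'
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: RHN Demo Packager
Name-Email: packager@example.com
Expire-Date: 0
%no-protection
%commit
EOF
}

sign_package() {    # sign_package FILE -> writes FILE.asc, an armored detached signature
    gpg --batch --yes --homedir "$SIGNER_HOME" --armor --detach-sign \
        --output "$1.asc" "$1"
}

export_pubkey() {   # export_pubkey OUTFILE: the public key handed to consumers
    gpg --batch --homedir "$SIGNER_HOME" --armor --export packager@example.com > "$1"
}

import_pubkey() {   # import_pubkey KEYFILE: load the public key on the verifying side
    gpg --batch --homedir "$VERIFIER_HOME" --import "$1"
}

verify_package() {  # verify_package FILE -> prints "good" or "bad"
    # The verifying keyring has no private key; a good result proves the
    # file was signed by the holder of the private key and is unchanged.
    if gpg --batch --homedir "$VERIFIER_HOME" --verify "$1.asc" "$1" >/dev/null 2>&1; then
        echo good
    else
        echo bad
    fi
}

gen_signing_key
PKG="$WORK/demo-1.0-1.noarch.rpm"          # stand-in for a built package
printf 'constructed package contents\n' > "$PKG"
sign_package "$PKG"
export_pubkey "$WORK/RPM-GPG-KEY-demo"
import_pubkey "$WORK/RPM-GPG-KEY-demo"

# A copy modified after signing keeps the original signature but fails to verify.
TAMPERED="$WORK/tampered.rpm"
cp "$PKG" "$TAMPERED"
cp "$PKG.asc" "$TAMPERED.asc"
printf 'x' >> "$TAMPERED"

echo "untouched package: $(verify_package "$PKG")"
echo "modified package:  $(verify_package "$TAMPERED")"
```

The exported file is what an installing host imports before checking packages; gpg reports a good signature (exit status 0) even though it also warns that the key is not certified, which is why the verifying side should obtain the public key over a trusted channel rather than from the same place as the packages.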