I'm new to SSL certificates and RPM builds. I have purchased an SSL certificate. Can I sign an RPM package and a DEB package with this certificate, or is this not possible?
2 Answers
Just to followup on what Etan Reisner said: you cannot sign deb packages with SSL certificates. Both deb and RPM packages are signed using GPG keys, although signature verification of packages is disabled by default on Ubuntu/Debian.
You can, however, sign the YUM package repository itself (if you decide to generate a repository) and similarly you can sign the APT package repository itself, as well. However, when you do so, you must use GPG keys for this, as well.
Ubuntu and Debian will verify the signature of the APT repository -- so you should consider signing the repository if you can.
I wrote a blog post about signing and verifying RPM packages and YUM repositories with GPG and a separate post about signing and verifying deb packages and APT repositories with GPG. These blog posts contain everything you need to know as far as GPG signing packages goes and they explain step-by-step what you need to do to get it all setup and working.

I believe verifying the repo metadata for yum, as opposed to package signatures, is disabled by default at least up through RedHat/CentOS 6 and presumably the related Fedora release. I don't know beyond that, though a quick look makes it look like it is disabled in RedHat/CentOS 7 as well. You might also want to make it clear (in the answer) that GPG is used for repository signing too. This could be read to mean that you can use SSL certificates for that as written. – Etan Reisner Sep 24 '15 at 12:56
Both are disabled by default, and signature verification of packages from CentOS 5 is terribly buggy. I updated my answer to make it clear that to sign repository metadata, you must use GPG keys. – Joe Damato Sep 26 '15 at 03:39
The pygpgme mess on CentOS 5 is certainly a problem but other than that I don't know that it is buggy in any real way (there are issues with sub-keys but that's not a CentOS 5 issue). The fact that repository metadata signing is verified with an entirely different keyring/set of keys than the package metadata is verified with is a horrible annoyance though. – Etan Reisner Sep 27 '15 at 02:07
Signing packages is indeed buggy on CentOS 5, pygpgme aside. Packages that are signed without (1) a custom .rpmmacros file specifying gpg v3 signatures, (2) a 2048-bit RSA key and (3) no subkeys will fail to verify immediately after signing. It is a mess. – Joe Damato Sep 28 '15 at 02:59
You don't need to specify v3 signatures when signing *on* CentOS 5. You do when signing on CentOS 6 if you are signing *for* CentOS 5 though. (And that's not a signature being broken issue.) No, other sized keys work just fine (I tested them and can provide the framework if you want, also vmware signs/signed packages with a 1024 bit RSA key and they verify correctly). Yes, subkeys do not work and are, as far as I'm aware, never going though I believe they are less horrifically broken in CentOS 6 and later. – Etan Reisner Sep 30 '15 at 12:34
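The GPG-based signing both answers describe, together with the ~/.rpmmacros detail from the CentOS 5 comments, as an added shell example that is neither the answerers' code nor taken from the linked blog posts; the key UID, package path, repository directory and URLs are assumed placeholders:

```shell
#!/bin/sh
# Added example, not the thread's code; the key UID, paths and repo layout are assumed placeholders.
set -eu
GPG_UID="${GPG_UID:-Example Packager <packager@example.invalid>}"   # assumed signing key UID

# Emit ~/.rpmmacros. The %__gpg_sign_cmd line forces v3 signatures, which the
# comments say is needed when signing on CentOS 6 for CentOS 5 consumers
# (GnuPG >= 2.1 no longer honours --force-v3-sigs, so this only helps with older gpg).
rpmmacros_for() {
    uid="$1"; v3="$2"
    printf '%%_signature gpg\n'
    printf '%%_gpg_name %s\n' "$uid"
    if [ "$v3" = yes ]; then
        printf '%%__gpg_sign_cmd %%{__gpg} gpg --force-v3-sigs --digest-algo=sha1 --batch --no-verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%%{_gpg_name}" -sbo %%{__signature_filename} %%{__plaintext_filename}\n'
    fi
}

# Sign a package in place with the key named in %_gpg_name (an X.509/SSL
# certificate cannot be used here), then check it. rpm -K only reports "OK"
# once the matching public key has been imported with: rpm --import pubkey.asc
sign_and_verify_rpm() {
    rpm --addsign "$1"
    rpm -K "$1"
}

# Sign repository metadata with the same GPG key: a detached signature on
# repomd.xml for YUM; clearsigned InRelease plus detached Release.gpg for APT.
sign_repo_metadata() {
    case "$1" in
        yum) gpg --armor --detach-sign -u "$GPG_UID" "$2/repodata/repomd.xml" ;;
        apt) gpg --clearsign -u "$GPG_UID" -o "$2/InRelease" "$2/Release"
             gpg --armor --detach-sign -u "$GPG_UID" -o "$2/Release.gpg" "$2/Release" ;;
        *)   echo "unknown repo type: $1" >&2; return 1 ;;
    esac
}

# A client-side .repo stanza that enables the two checks the comments note are
# off by default. repo_gpgcheck verifies repomd.xml against the key fetched from
# gpgkey= (kept in yum's own keyring), separate from the rpm database keys.
yum_repo_stanza() {
    printf '[%s]\nname=%s\nbaseurl=%s\ngpgcheck=1\nrepo_gpgcheck=1\ngpgkey=%s\n' "$1" "$1" "$2" "$3"
}

# Usage (only runs when two arguments are given): sh sign.sh pkg.rpm /srv/repo
if [ "$#" -eq 2 ]; then
    rpmmacros_for "$GPG_UID" yes > "$HOME/.rpmmacros"
    sign_and_verify_rpm "$1"
    sign_repo_metadata yum "$2"
fi
```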
I don't know about .deb packages (though I suspect it is similar), but no, you cannot sign an RPM package with an SSL certificate (and your certificate may not be valid for signing software etc. anyway; you would have to check).
RPM signatures are GPG/PGP based.
