ubuntu 创建本地deb软件包时，对Release文件做gpg签名

Ubuntu 16.04 (xenial) 在将本地deb软件包创建repo时候，跟14.04以前的版本相比，强制要求gpg对Release文件签名，否则无法使用：

Reading package lists... Done
W: The repository 'http://10.245.254.93/linux/ubuntu/updates/xenial ./ Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.

这时候， gpg 软件登场了。

1.1 GPG 创建的密匙，可供加密文件及签名文件使用， 也可创建专供签名文件使用的密匙。
密钥创建过程中，需要使用到足够的随机数(random)，可先行安装rng-tools, 该工具可以常驻后台的方式, 生成随机数，避免gpg密钥创建过程中的长时间等待问题

# apt-get install rng-tools# rngd -r /dev/urandom

# gpg --gen-keygpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.This is free software: you are free to change and redistribute it.There is NO WARRANTY, to the extent permitted by law.Please select what kind of key you want:   (1) RSA and RSA (default)   (2) DSA and Elgamal   (3) DSA (sign only)   (4) RSA (sign only)Your selection? 4RSA keys may be between 1024 and 4096 bits long.What keysize do you want? (2048) 2048Requested keysize is 2048 bitsPlease specify how long the key should be valid.         0 = key does not expire      <n>  = key expires in n days      <n>w = key expires in n weeks      <n>m = key expires in n months      <n>y = key expires in n yearsKey is valid for? (0)Key does not expire at allIs this correct? (y/N) yYou need a user ID to identify your key; the software constructs the user IDfrom the Real Name, Comment and Email Address in this form:    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"Real name: Ubuntu Local Archive Automatic Signing KeyEmail address: mac@ispc.cnComment: 2017You selected this USER-ID:    "Ubuntu Local Archive Automatic Signing Key (2017) <mac@ispc.cn>"Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? oYou need a Passphrase to protect your secret key.gpg: gpg-agent is not available in this sessionWe need to generate a lot of random bytes. It is a good idea to performsome other action (type on the keyboard, move the mouse, utilize thedisks) during the prime generation; this gives the random numbergenerator a better chance to gain enough entropy.......++++++++++gpg: key 7A1E912A marked as ultimately trustedpublic and secret key created and signed.gpg: checking the trustdbgpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust modelgpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2upub   4096R/7A1E912A 2017-03-15      Key fingerprint = A11A 69B7 15AB B83A C6AC  4282 02FE 7153 F5A2 4A14uid                  Ubuntu Local Archive Automatic Signing Key (2017) <mac@ispc.cn

 

1.2 导出gpg公钥和私钥，并放到可下载的地方，比如某个web
私钥，供Server端，对release文件签名使用
公钥，需在Ubuntu client 导入，供apt-get使用

# gpg --list-key# gpg -k/root/.gnupg/pubring.gpg------------------------pub   4096R/7A1E912A 2017-03-02 [expires: 2022-03-01]uid                  Ubuntu Local Archive Automatic Signing Key (2017) <mac@ispc.cn># gpg -a --export 7A1E912A > Ubuntu_Local_Archive_Automatic_Signing_Key_2017.pub# gpg -a --export-secret-keys 7A1E912A > Ubuntu_Local_Archive_Automatic_Signing_Key_2017.sec

 

2. 创建Package file

# rm -f Packages.gz Packages# apt-ftparchive packages . | gzip -9c > Packages.gz# gunzip -k Packages.gz

使用下面这种internet上常见的方式，必须先安装dpkg-dev软件包， 与使用apt-ftparchive 方式，可一样达到目的，但apt-ftparchive是系统默认已经安装的软件包，不需要再安装，个人认为有优势
(但不能检查并提示同名软件包的不同版本。解决办法是，提前在deb软件包尚在目录内/var/cache/apt/archives的时候，使用apt-get autoclean命令，清除老版本软件包)
# dpkg-scanpackages . /dev/null | gzip -9c > Packages.gz

3. 创建release file

# apt-ftparchive release ./ > Release

# gpg -abs --default-key 7A1E912A -o Release.gpg Release# gpg --clearsign --default-key 7A1E912A -o InRelease Release

4. 对release file签名

# gpg -abs --default-key 7A1E912A -o Release.gpg Release# gpg --clearsign --default-key 7A1E912A -o InRelease Release

 

5. 修改ubuntu client sources.list

# echo "deb [arch=amd64] http://10.245.254.93/linux/ubuntu/updates/xenial ./" >> /etc/apt/sources.list

6. 下载并导入给release file 签名的公钥

#wget http://10.245.254.93/linux/ubuntu/updates/gpg/Ubuntu_Local_Archive_Automatic_Signing_Key_2017.pub# apt-key add Ubuntu_Local_Archive_Automatic_Signing_Key_2017.pub

7. 可以使用了
# apt-get udpate

 

【重要】
GPG在给文件签名时候，默认使用SHA1算法，导致在后续使用过程中，出现下述告警：
    Release.gpg: Signature by key ADAF3EDBBB0035413FD4FEDBB3E7CC5C7A1E912A uses weak digest algorithm (SHA1)

解决办法：
http://apache.org/dev/openpgp.html
https://keyring.debian.org/creating-key.html
这2个比较权威的网站上的冗长的解释，那是因为人家要做全面解释介绍，步骤当然多点。
文章中提到的参数default-preference-list（默认偏好清单），并定义：SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed. 个人认为， 这里定义的是可使用的加密算法清单，而不是算法顺序, 谁在前谁在后，无关大雅。可在这里定义，或者直接使用默认值，所以压根不用关心这个步骤。

 

最后,只需要下面简单步骤:

在给Releases文件签名前，修改~/.gnupg/gpg.conf, 定义参数personal-digest-preferences(the digest used for signing messages)为SHA256。
另SHA224,SHA256,SHA384,SHA512几个选项，可根据需求随意选择，只要不用SHA1就好，要不你就又绕回去了:(

# echo "personal-digest-preferences SHA256" >> ~/.gnupg/gpg.conf# gpg -abs --default-key 7A1E912A -o Release.gpg Release

also can use gpg command option, example:# gpg -abs --default-key 7A1E912A --personal-digest-preferences SHA256 -o Release.gpg Release

 

-----------------------------
8. 脚本方式使用

8.1 Server site

wget http://10.245.254.93/linux/ubuntu/updates/gpg/Ubuntu_Local_Archive_Automatic_Signing_Key_2017.secgpg --import Ubuntu_Local_Archive_Automatic_Signing_Key_2017.sececho "personal-digest-preferences SHA256" >> ~/.gnupg/gpg.confmkdir /opt/xenialcp -rp /var/cache/apt/archives /opt/xenialcd /opt/xenialrm -rf Packages.gz Packages archives/lock archives/partialapt-ftparchive packages . | gzip -9c > Packages.gzgunzip -k Packages.gzapt-ftparchive release ./ > Releasegpg -abs --default-key 7A1E912A --passphrase YourPasswd -o Release.gpg Releasegpg --clearsign --default-key 7A1E912A --passphrase YourPasswd -o InRelease Releaseecho "deb [arch=amd64] file:///opt/xenial ./" >> /etc/apt/sources.listapt-get update

8.2 Client site

echo "deb [arch=amd64] http://10.245.254.93/linux/ubuntu/updates/xenial ./" >> /etc/apt/sources.listwget http://10.245.254.93/linux/ubuntu/updates/gpg/Ubuntu_Local_Archive_Automatic_Signing_Key_2017.pubapt-key add Ubuntu_Local_Archive_Automatic_Signing_Key_2017.pubapt-get update

 

补充：ubuntu apt-get 对软件包索引，首先要求InRelease文件，其次才去找Release、Release.gpg文件； 这情况下， 其实只需要创建InRelease文件(包含Release文件和明文签名)即可:

 # gpg --clearsign --default-key 7A1E912A --passphrase YourPasswd -o InRelease Release

 

转载地址：

https://my.oschina.net/u/3362827/blog/860711