Small knowledge, big challenge! This article is participating in the creation activity of “Essential Tips for Programmers”.

RPM provides two package checking mechanisms: one checks whether the files an installed package put on disk are still intact (for example, whether a file was deleted by mistake or its data changed), and one checks whether an .rpm package file was tampered with after its publisher signed it.

RPM provides two detection methods:

  • RPM package verification: compares the installed files with the package database in /var/lib/rpm to determine whether a file's content or attributes have changed or whether the file is missing.

  • RPM package digital signature verification (the article calls the publisher's public key a "digital certificate"): checks whether the .rpm package file itself was modified after it was signed.

RPM package verification

Package verification commands

RPM package verification can be used to determine whether installed packages (or individual installed files) have been modified.

The common commands for package verification are as follows (the option is an uppercase V; lowercase -v means "verbose"):

  • rpm -Va: verifies all installed packages on the system.

  • rpm -V PACKAGE_NAME: verifies the files of the specified installed package.

  • rpm -Vf FILE: verifies the installed package that owns the given file, which shows whether that file (and the rest of its package) was modified.

  • rpm -Vp PACKAGE_FILE: verifies the installed files against the specified .rpm package file instead of against the database.

-V|--verify is the option that triggers verification of the files belonging to an RPM package.

Package validation example

For example, to check whether any of the files installed by the mysql package have been tampered with:

The package corresponding to mysql is named mysql-community-server. mysqld is the service name, not a package name, so it cannot be used for verification:

# rpm -V mysqld
package mysqld is not installed
# rpm -V mysql-community-server
#

If rpm -V mysql-community-server prints nothing, every file installed by the mysql-community-server package still matches what the original package installed.

If you modify the my.cnf configuration file and verify again, the modified file is listed:

# rpm -V mysql-community-server
S.5....T.  c /etc/my.cnf
#

This is the same as verifying the package that owns /etc/my.cnf directly:

# rpm -Vf /etc/my.cnf
S.5....T.  c /etc/my.cnf

Description of package verification information

Each line of package verification output has three parts:

  1. The first nine characters (S.5....T. in the example; older rpm versions without the P flag print eight) are the verification flags, one per attribute tested. A letter means that attribute differs from the package database, a dot means it matches:
  • S: file Size differs
  • M: Mode differs (file type and permission bits, rwx)
  • 5: file digest differs (MD5 in older rpm, SHA-256 on current distributions including CentOS 7), i.e. the file content has changed
  • D: Device major/minor number mismatch
  • L: readLink(2) path mismatch (a symbolic link now points somewhere else)
  • U: User ownership differs
  • G: Group ownership differs
  • T: mTime differs (the file modification time, not the creation time)
  • P: caPabilities differ (file capabilities set with setcap)
  • .: the attribute was tested and is unchanged
  • ?: the test could not be performed (for example, the file is unreadable because rpm -V was run as a non-root user)

If a file is missing altogether, the word missing is printed in place of the flags.

If every attribute of a file has changed, the line looks like:

SM5DLUGTP  c filename

  2. The file class, which is c in the example. The classes are:
  • c: Config file
  • d: Documentation file
  • g: Ghost file, a file owned by the package but not shipped in it (created at run time); rarely seen
  • l: License file
  • r: Readme file
  A file with no class letter is an ordinary payload file such as a binary or library.

  3. The absolute path of the modified file (including the file name).

S.5....T.  c /etc/my.cnf therefore means that the size, content, and modification time of the /etc/my.cnf configuration file have changed.

Changes to configuration files are normally expected; not every reported change is malicious. Be careful, however, when the output reports a content (5), mode (M) or ownership (U, G) change on a binary, library, or any other file that carries no c class letter, or reports such a file as missing: those are exactly the signs of tampering (or of a damaged system) that package verification exists to catch. Keep in mind that rpm -V compares against the local rpm database, so on a host suspected of compromise it is only as trustworthy as /var/lib/rpm and the rpm binary on that host; compare against the original package file with rpm -Vp, using a known-good rpm binary, when in doubt.
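The following Python script is an added example, not code from the original article: it parses rpm -V output in the format described above and applies a constructed triage policy (edits to c files are expected, content or permission changes on files without a class letter are not). The sample output is constructed; only verify_package() calls the real rpm binary, and the policy itself is an assumption to adapt to your own hosts.

```python
# Added example (not from the original article): parse and triage `rpm -V` output.
# The sample output and the triage policy are constructed for illustration;
# only verify_package() needs a real rpm binary.
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ATTR_MEANING = {
    "S": "size", "M": "mode/type", "5": "digest (content)", "D": "device numbers",
    "L": "symlink target", "U": "owner", "G": "group", "T": "mtime", "P": "capabilities",
}
FILE_CLASS = {"c": "config", "d": "doc", "g": "ghost", "l": "license", "r": "readme"}

# One line per differing file: attribute flags (8 chars on old rpm, 9 with P),
# or the word "missing"; then an optional class letter; then the absolute path.
LINE_RE = re.compile(
    r"^(?P<attrs>[SM5DLUGTP.?]{8,9}|missing)\s+"
    r"(?:(?P<cls>[cdglr])\s+)?"
    r"(?P<path>/.*)$"
)

@dataclass
class Finding:
    path: str
    file_class: Optional[str]
    changed: Set[str]        # flag letters that differ
    missing: bool
    unverifiable: bool       # a "?" flag: rpm could not run that test (e.g. non-root)
    severity: str            # "info" | "warn" | "alert"

def classify(cls: Optional[str], changed: Set[str], missing: bool, unverifiable: bool) -> str:
    """Constructed triage policy: which changes are expected, which need a look,
    and which should be treated as tampering until explained."""
    if missing:
        # a missing config may have been removed by an admin; a missing binary is not normal
        return "warn" if cls in ("c", "g") else "alert"
    if unverifiable:
        return "warn"
    if cls is None:
        # binaries, libraries, unit files: anything beyond a bare mtime change is an alert
        return "alert" if changed - {"T"} else "info"
    if cls == "c":
        # editing a config legitimately changes size, digest and mtime;
        # mode, owner, group, capability or link changes do not belong to an edit
        return "warn" if changed & {"M", "U", "G", "P", "D", "L"} else "info"
    # docs, readmes, licenses: a content change is odd but not dangerous by itself
    return "warn" if changed - {"T"} else "info"

def parse_verify_output(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # e.g. "package foo is not installed" or dependency notes
        attrs, cls, path = m.group("attrs"), m.group("cls"), m.group("path")
        missing = attrs == "missing"
        changed = set() if missing else {a for a in attrs if a in ATTR_MEANING}
        unverifiable = not missing and "?" in attrs
        findings.append(Finding(path, cls, changed, missing, unverifiable,
                                classify(cls, changed, missing, unverifiable)))
    return findings

def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"info": 0, "warn": 0, "alert": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts

def verify_package(name: str) -> List[Finding]:
    """Run `rpm -V NAME` on this host and triage it (rpm exits non-zero whenever
    anything differs, so the exit status alone is not informative)."""
    proc = subprocess.run(["rpm", "-V", name], capture_output=True, text=True)
    return parse_verify_output(proc.stdout)

# Constructed sample: what `rpm -V mysql-community-server` might print on a host
# where the config was edited and, separately, the server binary was replaced.
SAMPLE_OUTPUT = """\
S.5....T.  c /etc/my.cnf
S.5....T.    /usr/sbin/mysqld
.M.......    /usr/lib64/mysql/plugin/auth_socket.so
.....U...    /usr/bin/mysqldump
missing    c /etc/sysconfig/mysql
.......T.  d /usr/share/doc/mysql-community-server/README
..?......  c /etc/my.cnf.d/mysql-clients.cnf
"""

if __name__ == "__main__":
    results = parse_verify_output(SAMPLE_OUTPUT)
    for f in sorted(results, key=lambda f: ("alert", "warn", "info").index(f.severity)):
        what = "missing" if f.missing else ",".join(ATTR_MEANING[a] for a in sorted(f.changed))
        print(f"{f.severity:5}  {FILE_CLASS.get(f.file_class, 'payload'):7}  {f.path}  [{what}]")
    print(summarize(results))
```

In the constructed sample the edited /etc/my.cnf is reported as info, while the replaced /usr/sbin/mysqld, the plugin whose mode changed and the binary whose owner changed are alerts; the same script run through verify_package("mysql-community-server") on a real host gives you a list to act on instead of a wall of flags.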

RPM digital signature verification (digital certificates)

RPM package verification checks the files an RPM package installed, but we also need to check that the RPM package itself is genuine before installing it, that is, to verify the .rpm file. This requires RPM digital signature verification, which the article also calls digital certificate verification.

Package verification (rpm -V) compares the files currently on disk with what the package installed; if anything differs, it tells you which installed file was modified. It therefore cannot tell whether the RPM package itself was modified before installation.

RPM uses digital signatures to decide whether a package about to be installed can be trusted. When a publisher releases a package, it signs the package with its private GPG key (signing is not encryption; the package stays readable). The matching public key, which this article calls the digital certificate, is what gets imported on the Linux system, and rpm uses it to verify the signature during installation. If the package was modified after it was signed, the signature no longer verifies and rpm reports it as BAD.

Under Linux the publisher key is almost always a GPG public key. To install software from a publisher, you first import that publisher's GPG public key on your own system. At installation time rpm verifies the package's signature (made with the private key, checked with the public key). If verification passes, the software is installed; if not, a message is displayed.

Digital signature verification of RPM packages has two characteristics:

  1. You must obtain the publisher's original public key before installing, and confirm that the key itself is genuine (compare its fingerprint with the one the publisher documents over a trusted channel). Importing a key is the trust decision: a key fetched over the same untrusted channel as the package proves nothing.
  2. Before the RPM package is installed, the signature stored in its header is extracted and checked against the public keys in the rpm database. If the check succeeds, installation proceeds; if the package was tampered with (signature BAD), rpm refuses to install it and prints an error. Note the difference between a bad signature and an unknown key: plain rpm -i only warns (NOKEY) and still installs a package signed with a key you never imported, and says nothing at all about a package that carries no signature, whereas yum and dnf refuse both when gpgcheck=1 is set for the repository.

Viewing installed digital certificates (public key packages)

To list the installed GPG public keys, run:

# rpm -qa | grep gpg-pubkey
gpg-pubkey-bexxxxcf-56xxxx8c
gpg-pubkey-35xxxxe5-52xxxx84
gpg-pubkey-1bxxxxdb-51xxxxa9
gpg-pubkey-7fxxxx91-46xxxx7f
gpg-pubkey-f4xxxxb5-53xxxx4b
gpg-pubkey-d3xxxx96-57xxxxd3
gpg-pubkey-50xxxxf5-5cxxxxfb

Importing a digital certificate (public key)

After CentOS is installed, the official public key is stored by default in /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 (the file is named for the release, so CentOS 6 and CentOS 8 have their own).

Other key files can also be seen in that directory:

# ls -al /etc/pki/rpm-gpg/
total 56
drwxr-xr-x.  2 root root  4096 Oct  7 16:38 .
drwxr-xr-x. 12 root root  4096 Apr 11  2018 ..
-rw-r--r--   1 root root  1690 Nov 23  2020 RPM-GPG-KEY-CentOS-7
-rw-r--r--   1 root root  1004 Nov 23  2020 RPM-GPG-KEY-CentOS-Debug-7
-rw-r--r--   1 root root  1690 Nov 23  2020 RPM-GPG-KEY-CentOS-Testing-7
-rw-r--r--   1 root root  1662 Sep  5 01:37 RPM-GPG-KEY-EPEL-7
-rw-r--r--   1 root root   983 Nov 15  2016 RPM-GPG-KEY-microsoft-prod
-rw-r--r--   1 root root 27824 Apr 25  2019 RPM-GPG-KEY-mysql

rpm --import is the command that imports a key. For example:

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 is already imported by default. As a test we import another key and compare the list of installed keys before and after:

# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-Testing-7
# rpm -qa | grep gpg-pubkey    # list the installed keys again
gpg-pubkey-bexxxxcf-56xxxx8c
gpg-pubkey-8fxxxxbd-53xxxx51    # newly imported key
gpg-pubkey-35xxxxe5-52xxxx84
gpg-pubkey-1bxxxxdb-51xxxxa9
gpg-pubkey-7fxxxx91-46xxxx7f
gpg-pubkey-f4xxxxb5-53xxxx4b
gpg-pubkey-d3xxxx96-57xxxxd3
gpg-pubkey-50xxxxf5-5cxxxxfb

The new public key is now installed. When an RPM package signed with the corresponding private key is installed, rpm uses this key to check the signature, and if the check passes the installation proceeds. The gpg-pubkey package name encodes the low eight hex digits of the key ID (the version field) and the key's creation time in hex (the release field); this is how you match an installed key to the key ID that rpm prints in its NOKEY warnings.

Other key files can also be found with the locate command:

# locate GPG-KEY
/etc/pki/fwupd/GPG-KEY-Hughski-Limited
/etc/pki/fwupd/GPG-KEY-Linux-Foundation-Firmware
/etc/pki/fwupd/GPG-KEY-Linux-Vendor-Firmware-Service
/etc/pki/fwupd-metadata/GPG-KEY-Linux-Foundation-Metadata
/etc/pki/fwupd-metadata/GPG-KEY-Linux-Vendor-Firmware-Service
/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-Debug-7
/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-Testing-7
/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
/etc/pki/rpm-gpg/RPM-GPG-KEY-microsoft-prod
/etc/pki/rpm-gpg/RPM-GPG-KEY-mysql

Verifying software packages

Run the following command to verify the signature of a package file:

rpm {-K|--checksig} PACKAGE_FILE

For example:

# rpm -K mysql-community-server-8.0.26-1.el7.x86_64.rpm
mysql-community-server-8.0.26-1.el7.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK

Two caveats when reading this output. First, a package signed with a key that has not been imported is reported as NOT OK together with the missing key ID, and a tampered package as NOT OK; rpm -Kv (--checksig with -v) prints one line per signature and digest with its own status (OK, NOKEY, BAD), which is easier to act on. Second, a package that carries no signature at all also ends in OK, because only its digests (sha1, md5) were checked: if the line contains no dsa or rsa and no gpg or pgp token, no signature was verified, so OK from rpm -K is not by itself proof of origin.
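As an added example that is not part of the original article, the following Python gate runs rpm -K -v over a set of package files and lets a package through only when it carries a signature and every signature and digest line reports OK, so that unsigned packages and NOKEY or BAD results are rejected rather than merely warned about. The format it assumes is rpm's verbose checksig output (a "file:" line followed by indented "what: STATUS" lines); the sample output, key IDs, digests and the package names other than the mysql one above are constructed placeholders.

```python
# Added example (not from the original article): a pre-install gate that parses
# `rpm -K -v` output.  Format assumptions: a "<file>:" line opens each package,
# followed by indented "<what>: <STATUS> [(details)]" lines, STATUS being OK,
# NOKEY, BAD, NOTFOUND or similar.  The sample output below is constructed.
import re
import subprocess
from typing import Dict, List

PKG_RE = re.compile(r"^(?P<pkg>\S.*):\s*$")
ITEM_RE = re.compile(r"^\s+(?P<what>.+?):\s+(?P<status>[A-Z]+)(?:\s+\(.*\))?\s*$")

def parse_checksig(text: str) -> Dict[str, dict]:
    """Return {package: {"signed": bool, "statuses": {what: status}, "ok": bool}}."""
    result: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group("pkg")
            result[current] = {"signed": False, "statuses": {}, "ok": False}
            continue
        m = ITEM_RE.match(line)
        if m and current is not None:
            what, status = m.group("what"), m.group("status")
            result[current]["statuses"][what] = status
            if "Signature" in what:
                result[current]["signed"] = True
    for entry in result.values():
        # An unsigned package only has digest lines, and those say OK; require a
        # signature line as well as every status being OK before accepting.
        entry["ok"] = entry["signed"] and all(s == "OK" for s in entry["statuses"].values())
    return result

def reject_reasons(result: Dict[str, dict]) -> Dict[str, str]:
    """Map every package that must not be installed to the reason."""
    reasons: Dict[str, str] = {}
    for pkg, entry in result.items():
        if entry["ok"]:
            continue
        if not entry["signed"]:
            reasons[pkg] = "unsigned (digests only)"
        else:
            reasons[pkg] = ",".join(sorted({s for s in entry["statuses"].values() if s != "OK"}))
    return reasons

def gate(package_files: List[str]) -> Dict[str, str]:
    """Run `rpm -K -v` on the given .rpm files (needs rpm and the publisher keys
    imported) and return {file: reason} for each file that fails the gate;
    an empty dict means every file may be installed."""
    proc = subprocess.run(["rpm", "-K", "-v", *package_files], capture_output=True, text=True)
    return reject_reasons(parse_checksig(proc.stdout))

# Constructed sample in the shape of `rpm -K -v`: one good package, one signed with a
# key that was never imported, one carrying no signature at all, and one whose
# signature no longer matches (key IDs and digests are placeholders).
SAMPLE_OUTPUT = """\
mysql-community-server-8.0.26-1.el7.x86_64.rpm:
    Header V3 DSA/SHA1 Signature, key ID 11111111: OK
    Header SHA1 digest: OK (0000000000000000000000000000000000000000)
    V3 DSA/SHA1 Signature, key ID 11111111: OK
    MD5 digest: OK (00000000000000000000000000000000)
vendor-agent-1.0-1.el7.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 22222222: NOKEY
    Header SHA1 digest: OK (...)
    V4 RSA/SHA256 Signature, key ID 22222222: NOKEY
    MD5 digest: OK (...)
homegrown-tool-2.3-1.x86_64.rpm:
    Header SHA1 digest: OK (...)
    MD5 digest: OK (...)
tampered-1.0-1.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 11111111: BAD
    Header SHA1 digest: OK (...)
    V4 RSA/SHA256 Signature, key ID 11111111: BAD
    MD5 digest: OK (...)
"""

if __name__ == "__main__":
    for pkg, why in reject_reasons(parse_checksig(SAMPLE_OUTPUT)).items():
        print(f"REJECT {pkg}: {why}")
```

Run gate() as a pre-install step (for example in a job that stages .rpm files before a local install) after the publisher keys have been imported and their fingerprints checked. The explicit signed test in parse_checksig is what turns rpm -K into an actual gate: without it, a package with no signature at all passes, because its digest lines all read OK.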

Digital certificate package

As you can see, the public keys are themselves managed as RPM packages.

You can query the package details of a key with rpm:

# rpm -qi gpg-pubkey-8fae34bd-538f1e51
Name        : gpg-pubkey
Version     : 8fae34bd
Release     : 538f1e51
Architecture: (none)
Install Date: Thu 14 Oct 2021 04:13:24 PM CST
Group       : Public Keys
Size        : 0
License     : pubkey
Signature   : (none)
Source RPM  : (none)
Build Date  : Wed 04 Jun 2014 09:25:37 PM CST
Build Host  : localhost
Relocations : (not relocatable)
Packager    : CentOS-7 Testing (CentOS 7 Testing content) <[email protected]>
Summary     : gpg(CentOS-7 Testing (CentOS 7 Testing content) <[email protected]>)
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.11.3 (NSS-3)
...
-----END PGP PUBLIC KEY BLOCK-----

Build Date is the key's creation time (the release field 538f1e51 is that same timestamp in hex), and Signature is (none): key packages are not signed by anything, which is why the key's fingerprint has to be checked before it is imported rather than after.

To remove a key package:

rpm -e gpg-pubkey-8fae34bd-538f1e51

Reference

For details, see Linux RPM package verification and digital certificates (digital signatures), and RPM introduction and basic usage.