We normally sign RPM packages so that a file cannot be tampered with in transit; the endpoint verifies the file's signature to confirm end-to-end integrity. Many RPM files downloaded from the Internet are already signed, but for internal distribution we often want to sign them with our own key. That means re-signing an RPM file that already carries a signature.
First, prepare the new GPG key pair that the new signature will use. On the server, run gpg --gen-key and fill in the prompts.
root@ubuntu:~# gpg --gen-key
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.
GnuPG needs to construct a user ID to identify your key.
Real name: Tony Chen
Email address: codercx@foxmail.com
You selected this USER-ID:
"Tony Chen <codercx@foxmail.com>"
Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key E8F08F8A0991F23B marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/DFEC9EEBE6559CEBF3B1B274E8F08F8A0991F23B.rev'
public and secret key created and signed.
pub rsa3072 2022-01-17 [SC] [expires: 2024-01-17]
DFEC9EEBE6559CEBF3B1B274E8F08F8A0991F23B
uid Tony Chen <codercx@foxmail.com>
sub rsa3072 2022-01-17 [E] [expires: 2024-01-17]
The generation steps themselves are not repeated here; there are more detailed tutorials online. Once the key is generated we can list the GPG key we just created. By default the key material is stored under /root/.gnupg.
root@ubuntu:~# gpg --list-keys
/root/.gnupg/pubring.kbx
------------------------
pub rsa3072 2022-01-17 [SC] [expires: 2024-01-17]
DFEC9EEBE6559CEBF3B1B274E8F08F8A0991F23B
uid [ultimate] Tony Chen <codercx@foxmail.com>
sub rsa3072 2022-01-17 [E] [expires: 2024-01-17]
Next, export the key pair (public and secret key). The name is quoted so gpg treats it as one user ID, and -a produces ASCII-armored output to match the .asc file name.
root@ubuntu:~# gpg --export-secret-key -a "Tony Chen" > key.asc
Suppose we want to test signing on a different server: copy the key file exported in the previous step to the server where the new signature will be tested.
# Import the key pair
[root@centos ~]# gpg --import key.asc
gpg: key 0991F23B: secret key imported
gpg: key 0991F23B: public key "Tony Chen <codercx@foxmail.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: secret keys read: 1
gpg: secret keys imported: 1
# List secret keys (gpg -K is shorthand for --list-secret-keys; gpg -k lists public keys)
[root@centos ~]# gpg -K
/root/.gnupg/secring.gpg
------------------------
sec 3072R/0991F23B 2022-01-17 [expires: 2024-01-17]
uid Tony Chen <codercx@foxmail.com>
ssb 3072R/61F40CE2 2022-01-17
# List all secret keys (long form of the same command)
[root@centos ~]# gpg --list-secret-keys
/root/.gnupg/secring.gpg
------------------------
sec 3072R/0991F23B 2022-01-17 [expires: 2024-01-17]
uid Tony Chen <codercx@foxmail.com>
ssb 3072R/61F40CE2 2022-01-17
Now import the public key into the RPM database.
[root@centos ~]# gpg --export -a 'Tony Chen' > rpm_usage_pub
[root@centos ~]# rpm --import rpm_usage_pub
[root@centos ~]# rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
gpg-pubkey-230c0099-56e7cb1e --> gpg(RPM Builder <rpmbuilder@foxmail.com>)
...
gpg-pubkey-0991f23b-61e57ed3 --> gpg(Tony Chen <codercx@foxmail.com>)
Now we can test signing.
# Before re-signing, this RPM already carries a signature
[root@centos ~]# rpm -Kv nmap-ncat-6.40-4.el7.x86_64.rpm
nmap-ncat-6.40-4.el7.x86_64.rpm:
Header V4 RSA/SHA1 Signature, key ID 230c0099: OK
Header SHA1 digest: OK (2125f08c8e6dd7eeb21c7fa0bdf4d8155584cf7d)
V4 RSA/SHA1 Signature, key ID 230c0099: OK
MD5 digest: OK (745e0cb170c3d1fa76669c0ebdc0be33)
# Re-sign the package; this overwrites the existing signature. You will be prompted for the passphrase chosen when the GPG key pair was generated
[root@centos ~]# rpm --define '_gpg_name Tony Chen' --define '_gpg_path /root/.gnupg' --addsign nmap-ncat-6.40-4.el7.x86_64.rpm
Enter pass phrase:
Pass phrase is good.
nmap-ncat-6.40-4.el7.x86_64.rpm:
# Signing done; verifying the RPM signature again shows it is now signed with our new key ID
[root@centos ~]# rpm -Kv nmap-ncat-6.40-4.el7.x86_64.rpm
nmap-ncat-6.40-4.el7.x86_64.rpm:
Header V4 RSA/SHA1 Signature, key ID 0991f23b: OK
Header SHA1 digest: OK (2125f08c8e6dd7eeb21c7fa0bdf4d8155584cf7d)
V4 RSA/SHA1 Signature, key ID 0991f23b: OK
MD5 digest: OK (745e0cb170c3d1fa76669c0ebdc0be33)
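Added example (shell), not part of the original post: rpm -Kv reports OK for a signature made by any key in the rpm database, so after re-signing it is worth checking explicitly that every signature line names the key ID we expect. The checker parses rpm -Kv output; the embedded samples are copied from the outputs above, and verify_rpm_signer is a hypothetical wrapper name.

```shell
#!/bin/sh
# Added example, not from the original post. Checks that an RPM's
# `rpm -Kv` result is fully OK and that every signature line names the
# expected key ID (so the old 230c0099 signature is rejected).

# check_rpm_kv_output EXPECTED_KEY_ID "<rpm -Kv output>"
# Returns 0 only if every result line is OK and every signature line names
# EXPECTED_KEY_ID (case-insensitive). Problems are printed to stdout.
check_rpm_kv_output() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$2" | awk -v want="$want" '
        NR == 1 || NF == 0 { next }            # first line is the file name
        $0 !~ /: OK( |$)/ { bad++; print "NOT OK: " $0; next }
        /Signature, key ID/ {
            id = $0; sub(/.*key ID /, "", id); sub(/:.*/, "", id)
            if (tolower(id) != want) { bad++; print "WRONG KEY " id ": " $0 }
            else sigs++
        }
        END {
            if (sigs == 0) { print "no signature lines found"; exit 1 }
            exit (bad ? 1 : 0)
        }'
}

# verify_rpm_signer EXPECTED_KEY_ID FILE.rpm  (hypothetical wrapper: runs rpm -Kv on a real file)
verify_rpm_signer() {
    check_rpm_kv_output "$1" "$(rpm -Kv "$2" 2>&1)"
}

# Constructed samples: rpm -Kv output before and after the re-signing step above.
OUTPUT_BEFORE='nmap-ncat-6.40-4.el7.x86_64.rpm:
Header V4 RSA/SHA1 Signature, key ID 230c0099: OK
Header SHA1 digest: OK (2125f08c8e6dd7eeb21c7fa0bdf4d8155584cf7d)
V4 RSA/SHA1 Signature, key ID 230c0099: OK
MD5 digest: OK (745e0cb170c3d1fa76669c0ebdc0be33)'
OUTPUT_AFTER='nmap-ncat-6.40-4.el7.x86_64.rpm:
Header V4 RSA/SHA1 Signature, key ID 0991f23b: OK
Header SHA1 digest: OK (2125f08c8e6dd7eeb21c7fa0bdf4d8155584cf7d)
V4 RSA/SHA1 Signature, key ID 0991f23b: OK
MD5 digest: OK (745e0cb170c3d1fa76669c0ebdc0be33)'

check_rpm_kv_output 0991f23b "$OUTPUT_BEFORE" && echo "before: accepted" || echo "before: rejected (old key still present)"
check_rpm_kv_output 0991f23b "$OUTPUT_AFTER"  && echo "after: accepted" || echo "after: rejected"
```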
Commands for deleting the GPG public and secret keys. The secret key must be deleted before the public key can be deleted.
Delete a public key (remove it from your public keyring):
$ gpg --delete-key "User Name"
Delete a secret key (a key on your secret keyring):
$ gpg --delete-secret-key "User Name"