unable to addsign for rpm - linux

I generated
gpg --gen-key
and downloaded repo to create a local repository. I am trying to
rpm --addsign <path to rpm file>
Example:
rpm --addsign foo.rpm
foo.rpm:
error: Could not exec gpg: No such file or directory
when I checked:
# rpm --checksig foo.rpm
foo.rpm: digests SIGNATURES NOT OK
I am pretty sure that I have followed the procedure correctly, but not sure why it is showing this.
Can anyone suggest?
Regards,
Tayto

Something on your machine is non-standard.
You can put in your ~/.rpmmacros file:
%_signature gpg
%_gpg_path /home/foo/.gnupg
%_gpg_name Your Company
%_gpgbin /usr/bin/gpg2
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
You probably need only one of those lines. I would bet on %_gpg_path, but it can be any other, which needs to be altered.
And do not forget to:
rpm --import your.public.gpg
Otherwise --checksig will not work.

Related

How to use a password in a gpg command

I am new to linux and I am trying to do the following:
I have a folder that I want first to compress into a tar and then to encrypt with gpg, all of this while running a command (no interactive GUI on the machine). All I find on the internet are GUIs that show up and ask you to type the password.
tar -cvf archive.tar <directory>
gpg -c archive.tar <target-directory>
I keep reading the options of the gpg command but I don't understand how to find the equivalent of 7za:
7za a -p <my-password>
this is what I want only to insert the password as part of the command.
Do you have any pointers?
thank you

Signing rpm without passphrase

I am trying to disable having any password when I sign, or at least to send it with the signing command.
gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/B40C2563 2017-04-11 [expires: 2022-04-10]
uid XXXXX <office@XXXX>
sub 2048R/42A9A452 2017-04-11 [expires: 2022-04-10]
I have gpg (GnuPG) 2.0.27 and libgcrypt 1.5.4
cat ~/.rpmmacros
%_signature gpg
%_gpg_path /root/.gnupg
%_gpg_name xxxxxxx
%_gpgbin /usr/bin/gpg2
%_no-protection
When I run rpm --addsign xxxxxxxxxx.rpm I get a popup asking for the password.
I found a solution with keygrip that is not working for me
gpg2 --with-keygrip
gpg: invalid option "--with-keygrip"
These are rpm options:
rpm --
--addsign --delsign --eval --help --initdb --query --rebuilddb --setugids --upgrade --version
--checksig --erase --freshen --import --install --querytags --setperms --showrc --verify
I was able to resolve it by adding --passphrase-file /path/to/passphrase-file to the %__gpg_sign_cmd macro in the .rpmmacros file (or whatever you have).
Below is %__gpg_sign_cmd macro after modification:
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --no-verbose --no-armor --passphrase-file /path/passphrase_file --no-secmem-warning -u %{_gpg_name} -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
It is not possible. But many people use OBS-signd for unattended signing:
https://github.com/openSUSE/obs-sign
https://en.opensuse.org/openSUSE:Build_Service_Signer
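The two threads above come down to the same file: rpm runs whatever %_gpgbin / %__gpg points at (hence "Could not exec gpg" when that path is wrong), and the --passphrase-file fix puts the signing passphrase in a plaintext file that the macro names. The script below is an added example, not code from either answer, that audits such a .rpmmacros: it checks that the gpg binary is executable, that %_gpg_path exists and is owner-only, and that any --passphrase-file named in %__gpg_sign_cmd exists and is not readable by group or others. The macros, the gpg path /nonexistent/gpg2 and the passphrase file are constructed in a scratch directory so it runs without touching the real ~/.rpmmacros.

```shell
#!/bin/sh
# Added example: audit the signing macros in an .rpmmacros file.

# Build a constructed ~/.rpmmacros (modelled on the answers above) plus a
# passphrase file in a scratch directory; the gpg path is a placeholder that
# deliberately does not exist, and the passphrase file is deliberately 0644.
audit_setup() {
  work=$(mktemp -d)
  mkdir -p "$work/.gnupg" && chmod 700 "$work/.gnupg"
  printf 'constructed-passphrase\n' > "$work/passphrase_file"
  chmod 644 "$work/passphrase_file"
  cat > "$work/.rpmmacros" <<EOF
%_signature gpg
%_gpg_path $work/.gnupg
%_gpg_name Your Company
%_gpgbin /nonexistent/gpg2
%__gpg_sign_cmd %{__gpg} gpg --batch --no-verbose --no-armor --passphrase-file $work/passphrase_file --no-secmem-warning -u %{_gpg_name} -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
EOF
  echo "$work"
}

# macro_value FILE NAME: print the value of %NAME from FILE (first definition wins).
macro_value() {
  awk -v name="%$2" '$1 == name { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# private_to_owner PATH: succeed if group and others have no permission bits at all.
private_to_owner() {
  case "$(ls -ld "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *)      return 1 ;;
  esac
}

# audit_rpmmacros FILE: print one finding per line; the return code is the
# number of findings (0 means the signing setup looks sane).
audit_rpmmacros() {
  file=$1; findings=0
  gpgbin=$(macro_value "$file" _gpgbin)
  if [ -n "$gpgbin" ] && [ ! -x "$gpgbin" ]; then
    echo "FAIL %_gpgbin $gpgbin is not executable (rpm will report 'Could not exec gpg')"
    findings=$((findings + 1))
  fi
  gpgpath=$(macro_value "$file" _gpg_path)
  if [ -n "$gpgpath" ]; then
    if [ ! -d "$gpgpath" ]; then
      echo "FAIL %_gpg_path $gpgpath does not exist"; findings=$((findings + 1))
    elif ! private_to_owner "$gpgpath"; then
      echo "WARN %_gpg_path $gpgpath is accessible to group/others; chmod 700 it"; findings=$((findings + 1))
    fi
  fi
  sign_cmd=$(macro_value "$file" __gpg_sign_cmd)
  pf=$(printf '%s\n' "$sign_cmd" | sed -n 's/.*--passphrase-file \([^ ]*\).*/\1/p')
  if [ -n "$pf" ]; then
    if [ ! -f "$pf" ]; then
      echo "FAIL --passphrase-file $pf does not exist"; findings=$((findings + 1))
    elif ! private_to_owner "$pf"; then
      echo "WARN --passphrase-file $pf is readable by group/others; chmod 600 it"; findings=$((findings + 1))
    fi
  fi
  # A literal --passphrase in the macro puts the secret on every gpg command line.
  case "$sign_cmd" in
    *"--passphrase "*) echo "WARN passphrase is inline in %__gpg_sign_cmd"; findings=$((findings + 1)) ;;
  esac
  return $findings
}

# Demo run against the constructed setup.
demo=$(audit_setup)
audit_rpmmacros "$demo/.rpmmacros" || echo "$? finding(s) in $demo/.rpmmacros"
```

Run it against your own file with `audit_rpmmacros ~/.rpmmacros`; the permission check uses `ls -ld` rather than `stat` so it behaves the same on GNU and BSD userlands.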

gpg: Sorry, no terminal at all requested - can't get input

When decrypting I get following error:
$ eyaml decrypt -s 'ENC and the key goes on here'
.gnupg --quiet --no-secmem-warning --no-permission-warning --no-tty --yes --decrypt)
failed with: gpg: Sorry, no terminal at all requested - can't get input
I have checked my keys, everything is in order. At this point I am out of options.
If you configured automatic Git commit signing with GPG on macOS and you see this error, comment out no-tty in ~/.gnupg/gpg.conf as suggested by Fahl-Design.
This will also allow you to generate new GPG keys following the GitHub instructions for new keys.
You need to remove the option --no-tty
--no-tty
Make sure that the TTY (terminal) is never used for any output. This option is needed in some cases because GnuPG sometimes
prints warnings to the TTY even if --batch is used.
For those who are encountering this error from scripts that are running with no TTY available, adding --batch to the GPG command line, or batch to a line in ~/.gnupg/gpg.conf can make the problem go away.
I had to update my git email so that it matched the email on my gpg key and the primary email on my Github.
$ git config --global user.email "myemailaddress@gmail.com"

Why am I getting "Unable to find the checksum in the image" error?

I'm using the CentOS_6.5_Final minimum install ISO. I would like to add kernel-devel to the Packages directory and rebuild the ISO for install.
First I loop mounted the source ISO and copied the data to a directory, added kernel-devel from the full DVD ISO using the same loop mount method.
Then I created the repodata from the /mnt/CentOS-6.5-x86_64-minimal directory.
createrepo -p /mnt/CentOS-6.5-x86_64-minimal/Packages/
The repodata is then placed in /mnt/CentOS-6.5-x86_64-minimal/Packages/repodata, so I moved it to /mnt/CentOS-6.5-x86_64-minimal/repodata, replacing the original /mnt/CentOS-6.5-x86_64-minimal/repodata with the new one.
I then rebuilt the ISO.
genisoimage -o /tmp/CentOS-6.5-x86_64-minimal.iso -b isolinux/isolinux.bin -c isolinux/boot.cat -V OSSA_01 -no-emul-boot -boot-load-size 4 -boot-info-table -R -J -v -T /mnt/CentOS-6.5-x86_64-minimal/
Have I missed a step?
I'm not really looking to use the ks file right now. How do I make sure the image checksum is still valid? Is this what the GPG files in the ISO root are for?
Got it, I was missing two hidden files:
.discinfo and .treeinfo

export SSL certificate and intermediates to file from given https URL

How can I grab the root SSL certificate, together with any intermediates, to a file from a given URL? Ideally through some Linux shell compatible command line, but manually will do if I have to. Update: Interactively, using Chrome, if I examine a certificate I can optionally export it, and there's a way to grab the entire chain, if applicable. So now I'm only looking for a scriptable method.
Background:
mono nuget.exe install ./packages.config -o ./packages
will install project packages on Ubuntu, as long as the required certificates are installed in the machine's Trust store. In part, it's done like this:
$ certmgr -ssl https://nugetgallery.blob.core.windows.net
This command, with the -ssl option, grabs the certificate and any intermediates from the specified url, and requires user confirmation. I'm trying to automate server builds, so I'd like to get the certificates added without requiring user confirmation.
I've tried piping the response into the command - i.e.:
$ echo "Yes" | certmgr -ssl https://nugetgallery.blob.core.windows.net
That doesn't work. I've tried to export the certificates to a file, so I can add them to my build project, but mono certmgr hasn't implemented 'put' yet.
Assuming openssl is installed, this commandline:
echo | openssl s_client \
-showcerts \
-connect nugetgallery.blob.core.windows.net:443 2>&1 |
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem
produces a file that contains all three certificates involved in this chain.
Thanks to this answer to this question: Using openssl to get the certificate from a server for the solution to get the chain. The following commands will get the saved certificates loaded into the Trust store.
openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b
certmgr -add -c -m Trust ./cert.p7b
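The sed one-liner above concatenates every certificate the server sent, leaf included, into one file, and the certmgr step then trusts all of them. Before doing that on a build server it is worth splitting the chain so each certificate can be inspected (for example with `openssl x509 -noout -subject -issuer -in cert-1.pem`) and deciding which ones actually belong in the Trust store. The script below is an added example, not code from the answer, that performs that split and also checks whether the last certificate the server presented is self-signed, since servers commonly omit the root from what they send. The s_client output it works on is constructed inline; its base64 bodies are placeholders, because only the PEM markers and the s:/i: lines matter to the logic.

```shell
#!/bin/sh
# Added example: split an `openssl s_client -showcerts` capture into one PEM
# file per certificate and check whether the root itself was presented.

# Constructed stand-in for s_client output (NOT a real capture); the base64
# bodies are placeholders.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=server.example
   i:/CN=Intermediate CA (constructed)
-----BEGIN CERTIFICATE-----
LEAFCERTPLACEHOLDERBASE64
-----END CERTIFICATE-----
 1 s:/CN=Intermediate CA (constructed)
   i:/CN=Root CA (constructed)
-----BEGIN CERTIFICATE-----
INTERMEDIATEPLACEHOLDERBASE64
-----END CERTIFICATE-----
 2 s:/CN=Root CA (constructed)
   i:/CN=Root CA (constructed)
-----BEGIN CERTIFICATE-----
ROOTPLACEHOLDERBASE64
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=server.example
issuer=/CN=Intermediate CA (constructed)
---
DONE'

# split_pem_chain OUTDIR: read s_client output on stdin, write each certificate
# to OUTDIR/cert-N.pem in the order the server presented it, print the count.
# This is the same range the sed one-liner selects, but kept per certificate.
split_pem_chain() {
  mkdir -p "$1"
  awk -v dir="$1" '
    /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; copying = 1 }
    copying                        { print > out }
    /^-----END CERTIFICATE-----/   { copying = 0; close(out) }
    END                            { print n + 0 }
  '
}

# root_presented: read s_client output on stdin; succeed only if the last entry
# in the "Certificate chain" block is self-signed (its s: line equals its i: line),
# i.e. the server really sent its root rather than stopping at an intermediate.
root_presented() {
  awk '
    /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0 }
    /^ *i:/        { sub(/^ *i:/, "");        iss  = $0 }
    END { exit (subj != "" && subj == iss) ? 0 : 1 }
  '
}

# Demo run on the constructed capture.
demo_dir=$(mktemp -d)
count=$(printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | split_pem_chain "$demo_dir")
echo "wrote $count certificate(s) to $demo_dir"
if printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | root_presented; then
  echo "root CA was presented by the server"
else
  echo "root CA was NOT presented; fetch it from the CA, not from the server"
fi
```

Against a live host, feed it the real capture instead of the sample: `echo | openssl s_client -showcerts -connect host:443 2>&1 | split_pem_chain ./chain`. The `-showcerts` chain is whatever the server chose to present and is unverified at this point, so treat the split files as input to a review, not as trust anchors.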
