head     1.1;
branch   1.1.1;
access   ;
symbols  MAXIMUM_RPM_1_0:1.1.1.1 VENDOR:1.1.1;
locks    ; strict;
comment  @# @;


1.1
date     2001.08.28.12.07.09;  author rse;  state Exp;
branches 1.1.1.1;
next     ;

1.1.1.1
date     2001.08.28.12.07.09;  author rse;  state Exp;
branches ;
next     ;


desc
@@



1.1
log
@Initial revision
@
text
@<appendix id="ch-pgp-intro">
  <title>An Introduction to PGP</title>
  <!-- label: pgp-intro -->

  <indexterm>
    <primary>PGP</primary>
    <secondary>introduction to</secondary>
  </indexterm>

  <para>
    Assuming you're not the curious type and haven't flipped your way back
    here, you are probably here looking for some information on the program
    known as Pretty Good Privacy, or PGP.
  </para>

  <sect1 id="s1-pgp-intro-pgp-overview">
    <title>PGP &mdash; Privacy for Regular People</title>
    <indexterm>
      <primary>PGP</primary>
      <secondary>overview of</secondary>
    </indexterm>

    <para>
      PGP, or "Pretty Good Privacy", is a program that is intended to help
      make electronic mail more secure.  It does this by using sophisticated
      techniques known as <firstterm>public key encryption</firstterm>.
    </para>
    <para>
      If you find yourself wondering what electronic mail and making
      information unreadable by spies has to do with RPM, you have a good
      point.  However, although PGP's claim to fame is the handling of e-mail
      in total privacy, it has some other tricks up its sleeve.
    </para>

    <sect2 id="s2-pgp-intro-pgp-keys">
      <title>Keys your Locksmith Wouldn't Understand</title>

      <para>
        As we mentioned above, PGP uses public key encryption to do some of its
        magic.  You might guess from the name that this type of encryption
        involves keys of some sort.  But, as you might imagine, these are not
        keys that you can copy down at the local hardware store.  They are
        numbers &mdash; really <emphasis>large</emphasis> numbers. Here's what a
        key might look like
        <footnote>
          <para>
            When we say that keys are <emphasis>numbers</emphasis>, we aren't
            lying even though the example key doesn't look like a number.  It
            has been processed so that it can be concisely displayed using
            only printable characters.
          </para>
        </footnote>
        :

        <screen width="60">
<computeroutput>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzEpXjUAAAEEAKG4/V9oUSiDc9wIge6Bmg6erDGCLzmFyioAho8kDIJSrcmi
F9qTdPq+fj726pgW1iSb0Y7syZn9Y2lgQm5HkPODfNi8eWyTFSxbr8ygosLRClTP
xqHVhtInGrfZNLoSpv1LdWOme0yOpOQJnghdOMzKXpgf5g84vaUg6PHLopv5AAUR
tCpSZWQgSGF0IFNvZnR3YXJlLCBJbmMuIDxyZWRoYXRAcmVkaGF0LmNvbT6JAFUD
BRAxc0xcKO2uixUx6ZEBAQOfAfsGwmueeH3WcjngsAoZyremvyV3Q8C1YmY1EZC9
SWkQxdRKe7n2PY/WiA82Mvc+op1XGTkmqByvxM9Ax/dXh+peiQCVAwUQMXL7xiIS
axFDcvLNAQH5PAP/TdAOyVcuDkXfOPjN/TIjqKRPRt7k6Fm/ameRvzSqB0fMVHEE
5iZKi55Ep1AkBJ3wX257hvduZ/9juKSJjQNuW/FxcHazPU+7yLZmf27xIq7E0ihW
8zz9JNFWSA9+8vlCMBYwdP1a+DzVdwjbJcnOu3/Z/aCY2lYi9U45PzmtU8iJAJUD
BRAxU9GUGXO+IyM0cSUBAbWfA/9+lVfqcpFYkJIV4HuV5niVv7LW4ywxW/SftqCM
lXDXdJdoDbrvLtVYIGWeGwJ6bES6CoQiQjiW7/WaC3BY9ZITQE4hWOPQADzOnZPQ
fdkIIxuIUAUnU/YarasqvxCs5v/TygfWUTPLPSP+MqGqJcDF2UHXCiNAHrItse9M
h7etkYkAdQMFEDEp61/Nq6IpInoskQEB538C+wSIaCNNDOGxlxS5E2tClXRwMYf0
ymuKXs/srvIUjOO7xuIH4K7qcSSdI4eUwuXy6w5tWWR3xZ/XiygcLtKMi2IZIq0j
wmFq7MEk+Xp8MN7Icawkqj1/1p0p4EwKKkIU64kAlQMFEDEp6pZEcVNogr/H7QEB
jp4D/iblfiCzVTA5QhGeWOj1rRxWzohMvnngn29IJgdnN3zuQXB1/lbVV3zYciRH
NyvpynfcTcgORHNpAIxXDaZ7sd48/v7hHLarcR5kxuY0T75XOTGOKTOlFvb4XmcY
HZR2wSWSBteKezB5uK47A6uhwtvPokV0Owk9xPmBV+LPXkW4
=pnqV
-----END PGP PUBLIC KEY BLOCK-----
</computeroutput>
        </screen>
      </para>
      <para>
        PGP uses two different types of keys: public and private.  The public
        key, as its name suggests, can be shared with anyone.  The key shown
        above is, in fact, a public key.  The private key, as
        <emphasis>its</emphasis> name suggests, should be kept a secret.  PGP
        creates keys in pairs &mdash; one private and one public.  A key pair
        must remain a pair; if one is lost, the other by itself is useless.
        Why?  Because the two keys have an interesting property that can be
        exploited in two ways:

        <itemizedlist mark="bullet">
          <listitem>
            <para>
              A message encrypted by a given <emphasis>public</emphasis> key
              can only be decrypted with the corresponding
              <emphasis>private</emphasis> key.
            </para>
          </listitem>

          <listitem>
            <para>
              A message encrypted by a given <emphasis>private</emphasis> key
              can only be decrypted with the corresponding
              <emphasis>public</emphasis> key.
            </para>
          </listitem>
        </itemizedlist>
      </para>
      <para>
        In the case of sending messages in total privacy, the key pairs are
        used in the first manner.  It allows two people to exchange private
        messages without first exchanging any "secret codes".  The only
        requirement is that each know the other's public key.
      </para>
      <para>
        However, for RPM, the <emphasis>second</emphasis> method is the
        important one.  Let's say a company needs to send you a document, and
        you'd like to make sure it really did come from them.  If the company
        first encrypted the file with their private key and sent it to you,
        you would have an encrypted file you couldn't read.
      </para>
      <para>
        Or could you?  If you have the company's <emphasis>public</emphasis>
        key, you should be able to decrypt it.  In fact, if you can't, you can
        be sure that the message you received did <emphasis>not</emphasis>
        come from them
        <footnote>
          <para>
            Or at least that it didn't make it to you unchanged.
          </para>
        </footnote>
        !
      </para>
      <para>
        It is this feature that is used by RPM.  By using PGP's public key
        encryption, it is possible to not only prove that a package file came
        from a certain person or persons, but also that it was not changed
        somewhere along the line.
      </para>
    </sect2>

    <sect2 id="s2-pgp-intro-rpm-packages-encrypted">
      <title>Are RPM Packages Encrypted?</title>
      <indexterm>
        <primary>PGP</primary>
        <secondary>RPM's use of</secondary>
      </indexterm>

      <para>
        In a word, no.  Rather than being encrypted, RPM package files possess
        a <firstterm>digital signature</firstterm>.  This is a way of using
        encryption to attach a signature (again, basically a large number) to
        some information, such that:

        <itemizedlist mark="bullet">
          <listitem>
            <para>
              The signature cannot be separated from the information.  Any
              attempt to verify the signature against any other information
              will fail.
            </para>
          </listitem>

          <listitem>
            <para>
              The signature can only be produced by one private key.
            </para>
          </listitem>
        </itemizedlist>
      </para>
      <para>
        In the case of RPM, the information being signed is the contents of
        the <filename>.rpm</filename> file itself.
      </para>
      <para>
        A digital signature is just like a regular signature.  It doesn't
        obscure the contents of the document being signed, it just provides a
        method of determining the authenticity of a document.  Here is an
        example of a digital signature turned into printable text:

        <screen width="60">
<computeroutput>
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBMXVGMFIa2NdXHZJZAQFe4AQAz0FZrHdH8o+zkIvcI/4ABg4gfE7cG0xE
Z2J9GVWD2zi4tG+s1+IWEY6Ae17kx925JKrzF4Ti2upAwTN2Pnb/x0G8WJQVKQzP
mZcD+XNnAaYCqFz8iIuAFVLchYeWj1Pqxxq0weGCtjQIrpzrmGxV7xXzK0jus+6V
rML3TxQSwdA=
=T9Mc
-----END PGP SIGNATURE-----
</computeroutput>
        </screen>
      </para>
    </sect2>

    <sect2 id="s2-pgp-intro-all-rpms-signed">
      <title>Do All RPM Packages Have Digital Signatures?</title>

      <para>
        Again, no.  In a perfect world, every .rpm file would be signed.
        However, RPM has no formal requirement that this be the case.  There is
        also no requirement that you do anything special with a signed .rpm
        file.  Think of it as an extra feature that you can take advantage of,
        or not &mdash; it's strictly your choice.
      </para>
    </sect2>

    <sect2 id="s2-pgp-intro-so-much-so-little">
      <title>So Much to Cover, So Little Time</title>
      <indexterm>
        <primary>PGP</primary>
        <secondary>getting more information on</secondary>
      </indexterm>

      <para>
        PGP has a wealth of features, 99% of which we will not cover in this
        book.  For more information on the basics of encryption,
        <citetitle>Applied Cryptography</citetitle>, by Bruce Schneier, contains
        a wealth of information on the subject.  For more details on PGP
        specifically, O'Reilly's <citetitle>PGP: Pretty Good Privacy</citetitle>
        by Simson Garfinkel is an excellent reference.
      </para>
      <para>
        If you'd rather surf the 'Net, use your favorite World Wide Web index
        to hunt for "crypto" or "PGP", and you'll be in business.
      </para>
    </sect2>
  </sect1>

  <sect1 id="s1-pgp-intro-installing-pgp">
    <title>Installing PGP for RPM's Use</title>
    <indexterm>
      <primary>PGP</primary>
      <secondary>setting up for RPM's use</secondary>
    </indexterm>

    <para>
      To use RPM's PGP-related capabilities, you'll need to have PGP installed
      on your system.  If it's installed already, you should be able to flip
      to the chapters on verifying package signatures and signing packages and
      be in business in a matter of minutes.  Otherwise, read on for a
      thumbnail sketch of what's required to install PGP.
    </para>

    <sect2 id="s2-pgp-intro-obtaining-pgp">
      <title>Obtaining PGP</title>
      <indexterm>
        <primary>PGP</primary>
        <secondary>obtaining</secondary>
      </indexterm>

      <para>
        The first step in being able to verify .rpm files is to get a copy of
        PGP.  Unfortunately, this is not quite as simple as it might sound.
        The reason is that PGP is very controversial stuff.
      </para>
      <para>
        Why the controversy?  It centers on PGP's primary mission &mdash; to
        provide a means of communicating with others in complete privacy.  As
        we've discussed, PGP uses encryption to provide this privacy.  Good
        encryption.  <emphasis>Very</emphasis> good encryption.  Encryption so
        good, it appears some of the world's governments consider PGP a threat
        to their national security.
      </para>

      <sect3 id="s3-pgp-intro-know-laws">
        <title>Know Your Laws!</title>
        <indexterm>
          <primary>PGP</primary>
          <secondary>legal, patent issues</secondary>
        </indexterm>

        <para>
          Various countries have differing stances on the use of "strong
          encryption" products such as PGP.  In some countries, possession of
          encryption software is strictly forbidden.  Other countries attempt
          to control the flow of encryption technology into (or out of) their
          country.  It is <emphasis>vital</emphasis> you know your country's
          laws, lest you find yourself in prison, or possibly in front of a
          firing squad!
        </para>
      </sect3>

      <sect3 id="s3-pgp-intro-patent-issues">
        <title>Patent/Licensing Issues Surrounding PGP</title>

        <para>
          Over and above PGP's legal status, there are other aspects to PGP
          that people living in the U.S. and Canada should keep in mind:

          <itemizedlist mark="bullet">
            <listitem>
              <para>
                PGP is free &mdash; for non-commercial use only.  If you are
                going to use PGP for business purposes, you should look into
                getting a commercial copy.  PGP is marketed in the United States
                by:
              </para>

              <para>
                Pretty Good Privacy, Inc.
                <address>
                  <street>
                    2121 S. El Camino Real
                  </street>
                  <otheraddr>
                    Suite 902
                  </otheraddr>
                  <city>San Mateo</city>, <state>CA</state> <postcode>94403</postcode>
                  <phone>(415) 572-0430</phone>
                  <fax>(415) 572-1932</fax>
                  <otheraddr>
                    http://www.pgp.com/
                  </otheraddr>
                </address>
              </para>
            </listitem>

            <listitem>
              <para>
                Part of the software that comprises PGP is protected by
                several United States patents.  Versions of PGP approved for
                use in the U.S. contain a licensed version of this software,
                known as RSAREF.  RSAREF includes a patent license that allows
                the use of the software in noncommercial settings only.
                Commercial use of the technology contained in RSAREF requires
                a separate license.  This is one reason why there are
                restrictions on the commercial use of PGP in the United States
                and Canada.
              </para>
              <para>
                While people outside the U.S. and Canada can use RSAREF-based
                PGP, they will probably choose the so-called "international"
                version.  This version replaces RSAREF with software known as
                MPILIB. MPILIB is, in general, faster than RSAREF, but it
                cannot legally be used in the United States or Canada.
              </para>
            </listitem>
          </itemizedlist>
        </para>
        <para>
          To summarize, if you are using PGP for commercial purposes in the
          U.S. or Canada, you'll need to purchase it.  Otherwise, people
          living in the U.S. or Canada should use a version of PGP
          incorporating RSAREF.  People in other countries can use any version
          of PGP they desire, though they'll probably choose the MPILIB-based
          "international" version
          <footnote>
            <para>
              Note that there are no commercial restrictions regarding PGP in
              countries other than the U.S. and Canada.
            </para>
          </footnote>
          .
        </para>
      </sect3>

      <sect3 id="s3-pgp-intro-rsaref-based-pgp">
        <title>Getting RSAREF-based PGP</title>
        <indexterm>
          <primary>PGP</primary>
          <secondary>obtaining</secondary>
          <tertiary>RSAREF-based version</tertiary>
        </indexterm>

        <para>
          The official source for the latest version of PGP based on RSAREF is
          the Massachusetts Institute of Technology.  Due to the restrictions
          on the export of encryption technology, the process is somewhat
          convoluted.  The easiest way to obtain PGP from the official MIT
          archive is to use the World Wide Web.  Point your web browser at:

          <screen width="60">
<computeroutput>
<ulink url="http://web.mit.edu/network/pgp.html">http://web.mit.edu/network/pgp.html</ulink>
</computeroutput>
          </screen>
        </para>
        <para>
          Simply follow the steps, and you'll have the necessary software on
          your system in no time.
        </para>
        <para>
          There is a more cumbersome method that doesn't use the Web.  It
          involves first using anonymous ftp to obtain several files of
          instructions and license agreements.  You will then be directed to
          use telnet to obtain the name of a temporary ftp directory
          containing the PGP software.  Finally, you can use anonymous ftp to
          retrieve the software.  To start this process, ftp to:

          <screen width="60">
<computeroutput>
<ulink url="ftp://net-dist.mit.edu">ftp://net-dist.mit.edu</ulink>
</computeroutput>
          </screen>
        </para>
        <para>
          Then change directory to:

          <screen width="60">
<computeroutput>
<filename>/pub/PGP</filename>
</computeroutput>
          </screen>
        </para>
        <para>
          Obtain a copy of the file <filename>README</filename> and follow the
          instructions in it <emphasis>exactly</emphasis>.
        </para>
        <para>
          If all this seems like too much trouble, there is another
          alternative.  You can find copies of PGP on just about any BBS, FTP,
          or Web site advertising freely available software.  Be aware,
          however, that "Floyd's Storm Door and BBS Company" may not be as
          trustworthy a place as MIT to obtain encryption software.  It's
          really a question of how paranoid you are.
        </para>
      </sect3>

      <sect3 id="s3-pgp-intro-pgp-outside-us">
        <title>Outside the United States and Canada</title>
        <indexterm>
          <primary>PGP</primary>
          <secondary>obtaining</secondary>
          <tertiary>"international" version</tertiary>
        </indexterm>

        <para>
          For people living in other countries, it is much easier to find PGP
          (depending on the legality of encryption software, of course).  Try
          any of the places you'd normally look for free software.  Keep in
          mind, however, that you shouldn't download PGP from any sites in the
          U.S.  Doing so is considered an "export" of munitions, and can get
          the people responsible for the site in deep trouble.  Wherever you
          eventually get PGP from, since the patents that complicate matters
          for the U.S. do not apply abroad, you'll probably end up with the
          "international" versions of PGP.
        </para>
      </sect3>
    </sect2>

    <sect2 id="s2-pgp-intro-building-pgp">
      <title>Building PGP</title>
      <indexterm>
        <primary>PGP</primary>
        <secondary>building</secondary>
      </indexterm>

      <para>
        Building PGP is mostly a matter of following instructions.  However,
        users of ELF-based Linux distributions (Such as &RHL;) will find that
        PGP will not build.  The problem, according to the PGP FAQ, is that
        two files do not properly handle the C preprocessor directives that
        affect support for ELF.  The changes are to two files:
        <filename>80386.S</filename> and <filename>zmatch.S</filename>.  Near
        the beginning of each, you'll find either a <command>#ifndef</command>
        or a <command>#ifdef</command> for <literal>SYSV</literal>.  If you
        find:

        <screen width="60">
<computeroutput>
#ifndef SYSV
</computeroutput>
        </screen>
      </para>
      <para>
        It should be changed to read:

        <screen width="60">
<computeroutput>
#if !defined(SYSV) && !defined(__ELF__)
</computeroutput>
        </screen>
      </para>
      <para>
        If you find:

        <screen width="60">
<computeroutput>
#ifdef SYSV
</computeroutput>
        </screen>
      </para>
      <para>
        It should be changed to read:

        <screen width="60">
<computeroutput>
#if defined(SYSV) || defined(__ELF__)
</computeroutput>
        </screen>
      </para>
      <para>
        After making these changes, PGP should build with no problems.
      </para>
    </sect2>

    <sect2 id="s2-pgp-intro-ready-to-go">
      <title>Ready to Go!</title>

      <para>
        After building and installing PGP, you're ready to start using RPM's
        package signature capabilities.  If your primary interest is in checking
        the signatures on packages built by someone else, <xref
        linkend="ch-rpm-checksig"> will tell you everything you need to know.
      </para>
      <para>
        On the other hand, if you are a package builder and would like to start
        signing packages, <xref linkend="ch-rpm-pgp"> will have you signing
        packages in no time.
      </para>
    </sect2>
  </sect1>
</appendix>
@


1.1.1.1
log
@Import book 'Maximum RPM' by Ed Bailey, version 1.0
@
text
@@