
Re: rpm sign packages

David Hláčik wrote:
> Hello, I am searching for a reasonable howto, documentation for
> Signing Custom RPM packages.

Can you give more detail on where you're getting stuck at?

As Ed asked, have you read the rpm man page?

I don't know of a howto off the top of my head, but the process is
pretty simple, so I'll try to detail it quickly.

If you don't already have a gpg key, you'll need to generate one using
"gpg --gen-key" and filling in the prompts.

Next, tell rpm what key you want to use to sign in ~/.rpmmacros:

%_gpg_name your_key@example.com

(You can use the email address of the key or the key id to identify
the key.)

Then, just use rpm --addsign /path/to/some.rpm and enter the
passphrase when prompted.

In order to verify packages signed with your key you need to import
the key into the rpm database.

To export the key from gpg:

$ gpg -a --export your_key@example.com > RPM-GPG-KEY-example

To import the key to the rpm database:

$ su -c 'rpm --import RPM-GPG-KEY-example'

To verify a package you have signed:

$ rpm -K /path/to/some.rpm
/path/to/some.rpm: (sha1) dsa sha1 md5 gpg OK

To sign a package when building it:

$ rpmbuild -ba --sign some.spec

That should be all you need.

After a quick google, I also turned up this howto:


It lists the steps pretty much as I have listed them above, often with
a little more detail.  Perhaps you'll find it helpful.  [Two things
you can ignore about it are the '%_signature gpg' part in ~/.rpmmacros
and the use of --resign, as that option is the same as --addsign these

Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
Common sense is genius dressed in its working clothes.
    -- Ralph Waldo Emerson
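
An added example, not part of the message above or of rpm itself: the "rpm -K" verify step also prints OK for a package whose digests match but which carries no signature, so a script that only looks for "OK" accepts unsigned packages. The function below (hypothetical name classify_rpm_k) tells the cases apart; the tokens it matches are an assumption based on the output shown in the message and on the "digests signatures OK" summary of newer rpm releases, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: classify one line of `rpm -K` output.
# Prints SIGNED, DIGEST_ONLY or FAILED; returns 0, 2 or 1 respectively.
# Assumption: a good signature check appears as a lowercase token
# (gpg, pgp, dsa, rsa) or as the word "signatures"; any failure or
# missing key makes rpm print "NOT OK".
classify_rpm_k() {
    # Drop the "path: " prefix and pad with spaces so tokens match as words.
    checks=" ${1#*: } "
    case $checks in
        *" NOT OK"*) echo FAILED; return 1 ;;
        *" OK ") ;;                       # overall result is OK, keep going
        *) echo FAILED; return 1 ;;       # unrecognised output: fail closed
    esac
    case $checks in
        *" gpg "*|*" pgp "*|*" dsa "*|*" rsa "*|*" signatures "*)
            echo SIGNED; return 0 ;;
    esac
    # OK, but only digests were checked: the package is not signed.
    echo DIGEST_ONLY; return 2
}

# Constructed sample lines (not captured from a real system).
while IFS= read -r sample; do
    printf '%-12s %s\n' "$(classify_rpm_k "$sample" || true)" "$sample"
done <<'EOF'
/path/to/some.rpm: (sha1) dsa sha1 md5 gpg OK
/path/to/unsigned.rpm: sha1 md5 OK
/path/to/other.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK
/path/to/new.rpm: digests signatures OK
/path/to/new-unsigned.rpm: digests OK
EOF
```

In a build or mirror script, feed it the output of "rpm -K" for each package and reject anything that is not SIGNED.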
