GPG Sign RPMs
As I build a ‘fair’ amount of RPMs which are available to other people, I was wondering: how does one actually sign RPMs with a GPG key?
Well, here is what I did to get it working:
# gpg --gen-key
…..
Real name: <your name>
Email address: <your email>
Comment: rpm build
……
Remember the passphrase, as you will need it when you sign an rpm.
As I build rpms on multiple PCs, I import this key on all the PCs (and for all the users on these PCs).
First export the key (the public and the secret part, ASCII-armored, into one file):
# (gpg --armor --export-secret-key KEY; gpg --armor --export KEY) > my-key-for-rpms.asc
KEY can be found with: gpg --list-keys
This key can be imported with: gpg --import <keyfile>
Now you have to modify your $HOME/.rpmmacros and add:
%_gpg_name <information>
%_signature gpg
When you run gpg --list-keys you will see:
pub xxxxx/yyyyyyyyyy <date> <information>
It’s the <information> part (the user ID) you have to add to your .rpmmacros.
Now you should be able to sign rpms with either rpm or rpmbuild:
# rpm --addsign <rpm-file>
# rpmbuild --sign -ba <spec.file>
You can see the signature with:
# rpm --checksig <rpm-file>
It should show something like: <rpm-file> (sha1) dsa sha1 md5 gpg OK
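Added example (not part of the original post): a small POSIX sh helper that turns the rpm --checksig output line into a pass/fail result, so a build or install script cannot mistake an unsigned package (digests only) or a missing-key result for a verified one. The sample lines in the comments are constructed, modelled on the output format above; verify_rpm assumes rpm is installed and that the signer's public key has been imported with rpm --import.

```shell
#!/bin/sh
# sig_verified LINE
# Returns 0 only when LINE (one line of `rpm --checksig` output) reports a
# GPG/PGP signature that verified. rpm prints a check that passed in lower
# case and one that failed in UPPER case, and ends the line with "OK" or
# "NOT OK". A package with digests only carries no signature at all.
# Constructed sample lines:
#   "foo-1.0-1.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK"          -> 0
#   "foo-1.0-1.x86_64.rpm: digests signatures OK"               -> 0
#   "foo-1.0-1.x86_64.rpm: sha1 md5 OK"            (unsigned)   -> 1
#   "foo-1.0-1.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#deadbeef)" -> 1
sig_verified() {
    line="$1"
    case "$line" in
        *"NOT OK"*) return 1 ;;   # any failed check, including a missing public key
        *" OK") ;;                # all checks passed; still need to see a signature
        *) return 1 ;;            # not a checksig result line at all
    esac
    # A lower-case gpg/pgp (old rpm) or signatures (rpm >= 4.14) token means
    # a signature was present and verified against the rpm keyring.
    case " $line " in
        *" gpg "*|*" pgp "*|*" signatures "*) return 0 ;;
    esac
    return 1                      # digests only: package is not signed
}

# verify_rpm FILE
# Wrapper for a real package file. Without `rpm --import <pubkey.asc>` of the
# signer's public key first, a correctly signed package still reports
# NOT OK (MISSING KEYS), so the result is a fail, not a pass.
verify_rpm() {
    sig_verified "$(rpm --checksig "$1")"
}
```

Exit status is the only output, so the helper can sit directly in an `if` or `&&` chain of a deployment script.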
Now you’re done….. Have fun.