GPG Sign RPMs

As I build a 'fair' amount of RPMs which are available to other people, I was thinking: how does one actually sign RPMs with a GPG key?

Well here is what I did to get it working:

# gpg --gen-key

.....

Real name: <your name>

Email address: <your email>

Comment: rpm build

......

Remember the passphrase, as you will need it when you sign an RPM.

As I build RPMs on multiple PCs, I import this key on all the PCs / users on these PCs.

First export the key:

# (gpg --export-secret-key KEY; gpg --export KEY) > my-key-for-rpms.asc

KEY can be found with: gpg --list-keys

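This key can be imported with gpg --import <keyfile>. The exported file contains the secret key, so copy it over a secure channel and delete it once it has been imported.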

Now you have to modify your $HOME/.rpmmacros, add:

%_gpg_name <information>

%_signature gpg

When you do a gpg --list-keys you will see:

pub xxxxx/yyyyyyyyyy <date> <information>

It's the <information> you have to add to your .rpmmacros.

Now you should be able to sign rpms with either rpm or rpmbuild:

# rpm --addsign <rpm-file>

# rpmbuild --sign -ba <spec.file>

You can see the signature with:

# rpm --checksig <rpm-file>

It should show something like: <rpm-file> (sha1) dsa sha1 md5 gpg OK
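An OK at the end of the line is not enough to conclude the package is signed, because an unsigned package also reports OK for its digests. The script below is an added example, not part of the original post: it classifies `rpm --checksig` lines as signed, unsigned or failed. The function names and the sample lines are constructed for illustration, and the "<file>: <status>" layout is assumed.

```shell
#!/bin/sh
# Classify one line of `rpm --checksig` output as signed, unsigned or failed.
# Assumes the "<file>: <status>" layout; run rpm with LC_ALL=C so the
# status words are not localized.
classify_checksig() {
    status=${1#*: }                          # drop the leading "<file>: "
    case "$status" in
        *"NOT OK"*) echo failed; return ;;   # bad signature or missing key
        *OK) ;;                              # continue with the token check
        *) echo failed; return ;;            # unrecognized output is not trusted
    esac
    # "OK" alone only means the digests matched. A signature was verified
    # only if a signature token is present in the status.
    case " $status " in
        *" gpg "*|*" pgp "*|*" signatures "*) echo signed ;;
        *) echo unsigned ;;
    esac
}

# Read checksig lines on stdin, report every package that is not signed,
# and return non-zero if there was at least one.
audit_checksig() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict=$(classify_checksig "$line")
        if [ "$verdict" != signed ]; then
            echo "$verdict: ${line%%: *}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample output (not from a real run); the last two lines use
# the wording of newer rpm releases.
SAMPLE='good-1.0-1.noarch.rpm: (sha1) dsa sha1 md5 gpg OK
plain-1.0-1.noarch.rpm: sha1 md5 OK
nokey-1.0-1.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK
new-2.0-1.noarch.rpm: digests signatures OK
newplain-2.0-1.noarch.rpm: digests OK'

# Real use: LC_ALL=C rpm --checksig ./*.rpm | audit_checksig
printf '%s\n' "$SAMPLE" | audit_checksig || echo "unsigned or failing packages found"
```

The non-zero exit status of audit_checksig makes it usable as a gate before packages are copied to a repository.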

Now you're done..... Have fun.
