| # How to sign your custom RPM package with GPG key | |
| # Step: 1 | |
| # Generate gpg key pair (public key and private key) | |
| # | |
| # You will be prompted with a series of questions about encryption. | |
| # Simply select the default values presented. You will also be asked | |
| # to create a Real Name, Email Address and Comment (comment optional). | |
| # | |
| # If you get the following response: | |
| # ----------------------------------------------------------------------- | |
| # We need to generate a lot of random bytes. It is a good idea to perform | |
| # some other action (type on the keyboard, move the mouse, utilize the | |
| # disks) during the prime generation; this gives the random number | |
| # generator a better chance to gain enough entropy. | |
| # ----------------------------------------------------------------------- | |
| # Open up a separate terminal, ssh into your server and run this command: | |
| # ls -R / | |
| gpg --gen-key | |
| # Step: 2 | |
| # Verify your gpg keys were created | |
| gpg --list-keys | |
| # Step: 3 | |
| # Export your public key from your key ring to a text file. | |
| # | |
| # You will use the information for Real Name and Email you used to | |
| # create your key. I used Fernando Aleman and [email protected] | |
| gpg --export -a 'Fernando Aleman' > RPM-GPG-KEY-faleman | |
| # Step: 4 | |
| # Import your public key to your RPM DB | |
| # | |
| # If you plan to share your custom built RPM packages with others, make sure | |
| # to have your public key file available online so others can verify RPMs | |
| sudo rpm --import RPM-GPG-KEY-faleman | |
| # Step: 5 | |
| # Verify the list of gpg public keys in RPM DB | |
| rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n' | |
| # Step: 6 | |
| # Configure your ~/.rpmmacros file | |
| # | |
| # You can use the following command to edit if you are on the server: | |
| # vi ~/.rpmmacros | |
| # | |
| # %_signature => This will always be gpg | |
| # %_gpg_path => Enter full path to .gnupg in your home directory | |
| # %_gpg_name => Use the Real Name you used to create your key | |
| # %_gpgbin => run `which gpg` (without ` marks) to get full path | |
| %_signature gpg | |
| %_gpg_path /root/.gnupg | |
| %_gpg_name Fernando Aleman | |
| %_gpgbin /usr/bin/gpg | |
| # Step: 7 | |
| # Sign your custom RPM package | |
| # | |
| # You can sign each RPM file individually: | |
| rpm --addsign git-1.7.7.3-1.el6.x86_64.rpm | |
| # Or you can `cd` into your RPMS folder and sign them all: | |
| rpm --addsign *.rpm | |
| # Step: 8 | |
| # Check the signature to make sure it was signed | |
| # | |
| # Watch for 'gpg OK' as in this example: | |
| # git-1.7.7.3-1.el6.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK | |
| rpm --checksig git-1.7.7.3-1.el6.x86_64.rpm | |
| # Tip! | |
| # Sign package during build | |
| # | |
| # To sign a package while it's being built, simply add '--sign' | |
| rpmbuild -ba --sign git.spec |
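
A check that builds on Step 8, added here as an example and not part of the original gist: it classifies `rpm --checksig` result lines so a build script can refuse packages that are unsigned or fail verification, since a line ending in "OK" can mean only that the digests matched. The function names and the sample lines are constructed; apart from the gist's own `gpg OK` line, the result wording shown for other rpm releases is an assumption.

```shell
#!/bin/sh
# Added example (not from the gist): gate a build on `rpm --checksig` output.
# An unsigned package can also end in "OK" (digests only), so "OK" alone is not proof.

# Map one result line to: signed | unsigned | failed | unknown
classify_checksig_line() {
    result=${1#*: }                     # drop "<file>: " so the file name cannot match
    case $result in
        *"NOT OK"*)                     echo failed ;;    # bad signature or missing key
        *gpg*OK|*pgp*OK|*signatures*OK) echo signed ;;    # signature present and verified
        *OK)                            echo unsigned ;;  # digests verified, no signature
        *)                              echo unknown ;;
    esac
}

# Read checksig lines on stdin, print "<verdict> <file>" for each,
# and return 1 unless every package is signed and verified.
check_signed() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict=$(classify_checksig_line "$line")
        printf '%-8s %s\n' "$verdict" "${line%%: *}"
        [ "$verdict" = signed ] || rc=1
    done
    return "$rc"
}

# Constructed sample lines: the first is the gist's Step 8 example, the other
# three assume the wording printed by other rpm releases.
sample_checksig_output() {
    cat <<'EOF'
git-1.7.7.3-1.el6.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK
example-new-1.0-1.x86_64.rpm: digests signatures OK
example-unsigned-1.0-1.x86_64.rpm: digests OK
example-nokey-1.0-1.x86_64.rpm: digests SIGNATURES NOT OK
EOF
}

# Demo on the sample lines; real use: rpm --checksig *.rpm | check_signed
sample_checksig_output | check_signed || echo "gate: not every package is signed and verified"
```

A "failed" verdict on a package you signed yourself usually means the public key from Step 4 has not been imported on the machine running the check.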
Good guide
Step 8 seems to need a fix at the command line
Great guide. You need rpm-sign for this to work: sudo dnf install rpm-sign
Is step 6 mandatory?
Help. How do I sign an RPM package if the key is on an OpenPGP card (YubiKey)? The command gpg --detach-sign --armor ~/message.txt works with the OpenPGP card. The command rpm --addsign blabla-1.2-3.el6.x86_64.rpm outputs: "gpg: signing failed: No secret key Pass phrase check failed or gpg key expired"
$ cat ~/.rpmmacros
%_signature gpg
%_gpg_path /home/chelaxe/.gnupg
%_gpg_name Alexander F. Mikhaylov (ChelAxe)
%_gpgbin /usr/bin/gpg
CentOS 7
Anyone who may encounter this error when signing:
# rpm --addsign <packetname>
<packetname>:
gpg: signing failed: Inappropriate ioctl for device
You may need to set the terminal for GPG key password request screen:
export GPG_TTY=$(tty)
sudo rpm --addsign test.rpm
You must set "%_gpg_name" in your macro file
Anyone facing this issue
It should be %__gpg instead of %_gpgbin in newer versions of rpm:
https://github.com/rpm-software-management/rpm/blob/50c380e9e0a0878b7d5214fe3b2048bf9544a146/macros.in#L35