-
-
Save fernandoaleman/1376720 to your computer and use it in GitHub Desktop.
# How to sign your custom RPM package with GPG key | |
# Step: 1 | |
# Generate gpg key pair (public key and private key) | |
# | |
# You will be prompted with a series of questions about encryption. | |
# Simply select the default values presented. You will also be asked | |
# to create a Real Name, Email Address and Comment (comment optional). | |
# | |
# If you get the following response: | |
# ----------------------------------------------------------------------- | |
# We need to generate a lot of random bytes. It is a good idea to perform | |
# some other action (type on the keyboard, move the mouse, utilize the | |
# disks) during the prime generation; this gives the random number | |
# generator a better chance to gain enough entropy. | |
# ----------------------------------------------------------------------- | |
# Open up a separate terminal, ssh into your server and run this command: | |
# ls -R / | |
gpg --gen-key | |
# Step: 2 | |
# Verify your gpg keys were created | |
gpg --list-keys | |
# Step: 3 | |
# Export your public key from your key ring to a text file. | |
# | |
# You will use the information for Real Name and Email you used to | |
# create your key. I used Fernando Aleman and [email protected] | |
gpg --export -a 'Fernando Aleman' > RPM-GPG-KEY-faleman | |
# Step: 4 | |
# Import your public key to your RPM DB | |
# | |
# If you plan to share your custom built RPM packages with others, make sure | |
# to have your public key file available online so others can verify RPMs | |
sudo rpm --import RPM-GPG-KEY-faleman | |
# Step: 5 | |
# Verify the list of gpg public keys in RPM DB | |
rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n' | |
# Step: 6 | |
# Configure your ~/.rpmmacros file | |
# | |
# You can use the following command to edit if you are on the server: | |
# vi ~/.rpmmacros | |
# | |
# %_signature => This will always be gpg | |
# %_gpg_path => Enter full path to .gnupg in your home directory | |
# %_gpg_name => Use the Real Name you used to create your key | |
# %_gpbin => run `which gpg` (without ` marks) to get full path | |
%_signature gpg | |
%_gpg_path /root/.gnupg | |
%_gpg_name Fernando Aleman | |
%_gpgbin /usr/bin/gpg | |
# Step: 7 | |
# Sign your custom RPM package | |
# | |
# You can sign each RPM file individually: | |
rpm --addsign git-1.7.7.3-1.el6.x86_64.rpm | |
# Or you can `cd` into your RPMS folder and sign them all: | |
rpm --addsign *.rpm | |
# Step: 8 | |
# Check the signature to make sure it was signed | |
# | |
# Watch for 'gpg OK' as in this example: | |
# git-1.7.7.3-1.el6.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK | |
rpm --checksig git-1.7.7.3-1.el6.x86_64.rpm | |
# Tip! | |
# Sign package during build | |
# | |
# To sign a package while it's being built, simply add '--sign' | |
rpmbuild -ba --sign git.spec |
Great guide. You need rpm-sign for this to work: sudo dnf install rpm-sign
Does the step 6 is mandatory?
Help. How to sign a rpm package if the key is on the OpenPGP card (YubiKey)? Command: gpg --detach-sign --armor ~/message.txt work with the OpenPGP card. Command: rpm --addsign blabla-1.2-3.el6.x86_64.rpm output: "gpg: signing failed: No secret key Pass phrase check failed or gpg key expired"
$ cat ~/.rpmmacros
%_signature gpg
%_gpg_path /home/chelaxe/.gnupg
%_gpg_name Alexander F. Mikhaylov (ChelAxe)
%_gpgbin /usr/bin/gpg
CentOS 7
Anyone who may encounter this error when signing:
# rpm --addsign <packetname>
<packetname>:
gpg: signing failed: Inappropriate ioctl for device
You may need to set the terminal for GPG key password request screen:
export GPG_TTY=$(tty)
sudo rpm --addsign test.rpm
You must set "%_gpg_name" in your macro file
Anyone facing this issue
Step 8 seems need a fix at command line