How to sign your custom RPM package with GPG key
# How to sign your custom RPM package with GPG key
# Step: 1
# Generate gpg key pair (public key and private key)
# You will be prompted with a series of questions about encryption.
# Simply select the default values presented. You will also be asked
# to create a Real Name, Email Address and Comment (comment optional).
# If you get the following response:
# -----------------------------------------------------------------------
# We need to generate a lot of random bytes. It is a good idea to perform
# some other action (type on the keyboard, move the mouse, utilize the
# disks) during the prime generation; this gives the random number
# generator a better chance to gain enough entropy.
# -----------------------------------------------------------------------
# Open up a separate terminal, ssh into your server and run this command:
# ls -R /
gpg --gen-key
# Step: 2
# Verify your gpg keys were created
gpg --list-keys
# Step: 3
# Export your public key from your key ring to a text file.
# You will use the information for Real Name and Email you used to
# create your key. I used Fernando Aleman and
gpg --export -a 'Fernando Aleman' > RPM-GPG-KEY-faleman
# Step: 4
# Import your public key to your RPM DB
# If you plan to share your custom built RPM packages with others, make sure
# to have your public key file available online so others can verify RPMs
sudo rpm --import RPM-GPG-KEY-faleman
# Step: 5
# Verify the list of gpg public keys in RPM DB
rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
# Step: 6
# Configure your ~/.rpmmacros file
# You can use the following command to edit if you are on the server:
# vi ~/.rpmmacros
# %_signature => This will always be gpg
# %_gpg_path => Enter full path to .gnupg in your home directory
# %_gpg_name => Use the Real Name you used to create your key
# %_gpgbin => run `which gpg` (without ` marks) to get full path
%_signature gpg
%_gpg_path /root/.gnupg
%_gpg_name Fernando Aleman
%_gpgbin /usr/bin/gpg
# Step: 7
# Sign your custom RPM package
# You can sign each RPM file individually:
rpm --addsign git-
# Or you can `cd` into your RPMS folder and sign them all:
rpm --addsign *.rpm
# Step: 8
# Check the signature to make sure it was signed
# Watch for 'gpg OK' as in this example:
# git- (sha1) dsa sha1 md5 gpg OK
rpm --checksig git-
# Tip!
# Sign package during build
# To sign a package while it's being built, simply add '--sign'
rpmbuild -ba --sign git.spec
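An added example, not part of the original gist: step 8 says to watch for "gpg OK", because an unsigned package also prints "OK" (digests only). This POSIX sh checker reads `rpm --checksig` output and separates a verified signature from "digests OK, no signature". The report lines are constructed, and the assumed line formats are the ones printed by rpm 4.8-, 4.11- and 4.14-era tools.

```shell
#!/bin/sh
# Added example, not part of the original gist: classify `rpm --checksig`
# (rpm -K) output so that "digests OK, no signature" is never mistaken for
# "signature verified". The report lines below are constructed; the line
# formats are assumed to match rpm 4.8-, 4.11- and 4.14-era output.

# classify_checksig_line LINE -> prints signed-ok, unsigned or bad
classify_checksig_line() {
    case "$1" in
        *"NOT OK"*)
            echo bad ;;
        *[Pp][Gg][Pp]*OK|*[Gg][Pp][Gg]*OK|*[Ss]ignatures*OK)
            # a pgp/gpg/signatures token means a signature was actually checked
            echo signed-ok ;;
        *OK)
            # digests verified but no signature token: the package is unsigned
            echo unsigned ;;
        *)
            echo bad ;;
    esac
}

# check_checksig_report < REPORT -> one "verdict<TAB>package" line per input
# line; exit status 0 only if every package carries a verified signature
check_checksig_report() {
    status=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict=$(classify_checksig_line "$line")
        printf '%s\t%s\n' "$verdict" "${line%%:*}"
        [ "$verdict" = signed-ok ] || status=1
    done
    return "$status"
}

# Constructed sample report: one signed package, one unsigned package and
# one whose signing key is not in the RPM DB (placeholder key id).
SAMPLE_REPORT='git-2.0.0-1.el7.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
tools-1.0-1.el7.noarch.rpm: sha1 md5 OK
vendor-3.1-2.el7.x86_64.rpm: RSA sha1 (MD5) PGP MD5 NOT OK (MISSING KEYS: PGP#00000000)'

printf '%s\n' "$SAMPLE_REPORT" | check_checksig_report \
    || echo 'at least one package lacks a verified signature'
```

On a real host, pipe `rpm --checksig *.rpm` into `check_checksig_report` and gate on its exit status.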

landro commented Aug 11, 2017


ZhouLihua commented Oct 22, 2018

Good guide


wkolpakov commented Nov 17, 2018

Step 8 seems to need a fix at the command line


claudemartin commented Nov 29, 2018

Great guide. You need rpm-sign for this to work: sudo dnf install rpm-sign


dapiced commented Dec 4, 2018

Is step 6 mandatory?


chelaxe commented Feb 2, 2019

Help. How do I sign an rpm package if the key is on an OpenPGP card (YubiKey)? The command gpg --detach-sign --armor ~/message.txt works with the OpenPGP card. The command rpm --addsign blabla-1.2-3.el6.x86_64.rpm outputs: "gpg: signing failed: No secret key Pass phrase check failed or gpg key expired"

$ cat ~/.rpmmacros
%_signature gpg
%_gpg_path /home/chelaxe/.gnupg
%_gpg_name Alexander F. Mikhaylov (ChelAxe)
%_gpgbin /usr/bin/gpg

CentOS 7


ezhario commented Dec 20, 2019

Anyone who may encounter this error when signing:

# rpm --addsign <packetname>
gpg: signing failed: Inappropriate ioctl for device

You may need to set the terminal for the GPG key password request screen:
export GPG_TTY=$(tty)
