frankwis/rpm-digital-signature.sh

## rpm-digital-signature.sh
# How to sign your custom RPM package with GPG key

# Step: 1
# Generate gpg key pair (public key and private key)
#
# You will be prompted with a series of questions about encryption.
# Simply select the default values presented. You will also be asked
# to create a Real Name, Email Address and Comment (comment optional).
#
# If you get the following response:
# -----------------------------------------------------------------------
# We need to generate a lot of random bytes. It is a good idea to perform
# some other action (type on the keyboard, move the mouse, utilize the
# disks) during the prime generation; this gives the random number
# generator a better chance to gain enough entropy.
# -----------------------------------------------------------------------
# Open up a separate terminal, ssh into your server and run this command:
# ls -R /

gpg --gen-key

# Step: 2
# Verify your gpg keys were created

gpg --list-keys

# Step: 3
# Export your public key from your key ring to a text file.
#
# You will use the information for Real Name and Email you used to
# create your key. I used Fernando Aleman and faleman@email.com

gpg --export -a 'Fernando Aleman' > RPM-GPG-KEY-faleman

# Step: 4
# Import your public key to your RPM DB
#
# If you plan to share your custom built RPM packages with others, make sure
# to have your public key file available online so others can verify RPMs

sudo rpm --import RPM-GPG-KEY-faleman

# Step: 5
# Verify the list of gpg public keys in RPM DB

rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'

# Step: 6
# Configure your ~/.rpmmacros file
#
# You can use the following command to edit if you are on the server:
# vi ~/.rpmmacros
#
# %_signature => This will always be gpg
# %_gpg_path  => Enter full path to .gnupg in your home directory
# %_gpg_name  => Use the Real Name you used to create your key
# %_gpbin     => run `which gpg` (without ` marks) to get full path

%_signature gpg
%_gpg_path /root/.gnupg
%_gpg_name Fernando Aleman
%_gpgbin /usr/bin/gpg

# Step: 7
# Sign your custom RPM package
#
# You can sign each RPM file individually:

rpm --addsign git-1.7.7.3-1.el6.x86_64.rpm

# Or you can `cd` into your RPMS folder and sign them all:

rpm --addsign *.rpm

# Step: 8
# Check the signature to make sure it was signed
#
# Watch for 'gpg OK' as in this example:
# git-1.7.7.3-1.el6.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK

rpm --checksig git-1.7.7.3-1.el6.x86_64.rpm

# Tip!
# Sign package during build
#
# To sign a package while it's being built, simply add '--sign'

rpmbuild -ba --sign git.spec
	# How to sign your custom RPM package with GPG key

	# Step: 1
	# Generate gpg key pair (public key and private key)
	#
	# You will be prompted with a series of questions about encryption.
	# Simply select the default values presented. You will also be asked
	# to create a Real Name, Email Address and Comment (comment optional).
	#
	# If you get the following response:
	# -----------------------------------------------------------------------
	# We need to generate a lot of random bytes. It is a good idea to perform
	# some other action (type on the keyboard, move the mouse, utilize the
	# disks) during the prime generation; this gives the random number
	# generator a better chance to gain enough entropy.
	# -----------------------------------------------------------------------
	# Open up a separate terminal, ssh into your server and run this command:
	# ls -R /

	gpg --gen-key

	# Step: 2
	# Verify your gpg keys were created

	gpg --list-keys

	# Step: 3
	# Export your public key from your key ring to a text file.
	#
	# You will use the information for Real Name and Email you used to
	# create your key. I used Fernando Aleman and faleman@email.com

	gpg --export -a 'Fernando Aleman' > RPM-GPG-KEY-faleman

	# Step: 4
	# Import your public key to your RPM DB
	#
	# If you plan to share your custom built RPM packages with others, make sure
	# to have your public key file available online so others can verify RPMs

	sudo rpm --import RPM-GPG-KEY-faleman

	# Step: 5
	# Verify the list of gpg public keys in RPM DB

	rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'

	# Step: 6
	# Configure your ~/.rpmmacros file
	#
	# You can use the following command to edit if you are on the server:
	# vi ~/.rpmmacros
	#
	# %_signature => This will always be gpg
	# %_gpg_path => Enter full path to .gnupg in your home directory
	# %_gpg_name => Use the Real Name you used to create your key
	# %_gpbin => run `which gpg` (without ` marks) to get full path

	%_signature gpg
	%_gpg_path /root/.gnupg
	%_gpg_name Fernando Aleman
	%_gpgbin /usr/bin/gpg

	# Step: 7
	# Sign your custom RPM package
	#
	# You can sign each RPM file individually:

	rpm --addsign git-1.7.7.3-1.el6.x86_64.rpm

	# Or you can `cd` into your RPMS folder and sign them all:

	rpm --addsign *.rpm

	# Step: 8
	# Check the signature to make sure it was signed
	#
	# Watch for 'gpg OK' as in this example:
	# git-1.7.7.3-1.el6.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK

	rpm --checksig git-1.7.7.3-1.el6.x86_64.rpm

	# Tip!
	# Sign package during build
	#
	# To sign a package while it's being built, simply add '--sign'

	rpmbuild -ba --sign git.spec