Forked from fernandoaleman/rpm-digital-signature.sh
Last active
August 21, 2018 06:40
-
-
Save jarryDk/c7da199f15d61215463e4af0f5ba0cb3 to your computer and use it in GitHub Desktop.
How to sign your custom RPM package with GPG key
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # How to sign your custom RPM package with GPG key | |
| # Step: 1 | |
| # Generate gpg key pair (public key and private key) | |
| # | |
| # You will be prompted with a series of questions about encryption. | |
| # Simply select the default values presented. You will also be asked | |
| # to create a Real Name, Email Address and Comment (comment optional). | |
| # | |
| # If you get the following response: | |
| # ----------------------------------------------------------------------- | |
| # We need to generate a lot of random bytes. It is a good idea to perform | |
| # some other action (type on the keyboard, move the mouse, utilize the | |
| # disks) during the prime generation; this gives the random number | |
| # generator a better chance to gain enough entropy. | |
| # ----------------------------------------------------------------------- | |
| # Open up a separate terminal, ssh into your server and run this command: | |
| # ls -R / | |
| gpg2 --full-gen-key | |
| # Step: 2 | |
| # Verify your gpg keys were created | |
| gpg2 --list-keys --keyid-format LONG | |
| # Step: 3 | |
| # Export your public key from your key ring to a text file. | |
| # | |
| # You will use the information for Real Name and Email you used to | |
| # create your key. I used Michael Bornholdt Nielsen and michaelbornholdtnielsen@gmail.com | |
| gpg2 --export --armor 'Michael Bornholdt Nielsen' > RPM-GPG-KEY-michaelbornholdtnielsen | |
| # Step: 4 | |
| # Import your public key to your RPM DB | |
| # | |
| # If you plan to share your custom built RPM packages with others, make sure | |
| # to have your public key file available online so others can verify RPMs | |
| sudo rpm --import RPM-GPG-KEY-michaelbornholdtnielsen | |
| # Step: 5 | |
| # Verify the list of gpg public keys in RPM DB | |
| rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n' | |
| # Step: 6 | |
| # Configure your ~/.rpmmacros file | |
| # | |
| # You can use the following command to edit if you are on the server: | |
| # vi ~/.rpmmacros | |
| # | |
| # %_signature => This will always be gpg | |
| # %_gpg_path => Enter full path to .gnupg in your home directory | |
| # %_gpg_name => Use the Real Name you used to create your key | |
| # %_gpbin => run `which gpg` (without ` marks) to get full path | |
| %_signature gpg | |
| %_gpg_path /home/mni/.gnupg | |
| %_gpg_name Michael Bornholdt Nielsen | |
| # Step: 7 | |
| # Sign your custom RPM package | |
| # | |
| # You can sign each RPM file individually: | |
| rpm --addsign git-1.7.7.3-1.el6.x86_64.rpm | |
| # Or you can `cd` into your RPMS folder and sign them all: | |
| rpm --addsign *.rpm | |
| # Step: 8 | |
| # Check the signature to make sure it was signed | |
| # | |
| # Watch for 'gpg OK' as in this example: | |
| # git-1.7.7.3-1.el6.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK | |
| rpm --checksig git-1.7.7.3-1.el6.x86_64.rpm | |
| # Tip! | |
| # Sign package during build | |
| # | |
| # To sign a package while it's being built, simply add '--sign' | |
| rpmbuild -ba --sign git.spec |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment