
GPG & RPM

There are 3 ways to sign an RPM package:
 • sign it when it is built
 • re-sign a package that has already been signed
 • sign an existing RPM that has no signature

1. Generate a new GPG secret key pair (see tutorial):
$ gpg --full-generate-key

Select (1) RSA and RSA (default)
Select keysize (3072) (default)
Select how long the key should be valid.
    0 = key does not expire

Real name: Mihai Vasilian
Email address: grayasm@gmail.com
Comment: RPM Signing Key
You selected this USER-ID:
    "Mihai Vasilian (RPM Signing Key) <grayasm@gmail.com>"

Type a secure passphrase.
Done.
2. List all secret keys:
$ gpg --list-secret-keys

/home/mihai/.gnupg/pubring.kbx
------------------------------
sec   rsa3072 2022-10-08 [SC]
      6EE6BDF08BF51743ABE189E89C03756E10264874
uid           [ultimate] Mihai Vasilian (RPM Signing Key) <grayasm@gmail.com>
ssb   rsa3072 2022-10-08 [E]
3. Export the public key for this key ID in ASCII-armor format:
$ gpg --armor --export 6EE6BDF08BF51743ABE189E89C03756E10264874

Copy the exported public key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK-----
and ending with -----END PGP PUBLIC KEY BLOCK-----,
and save it as RPM-GPG-KEY-vasilian

4. Check if the gpg-agent is running:
$ gpg-agent --daemon
gpg-agent: a gpg-agent is already running - not starting a new one
5. To remove a secret key, use:
$ gpg --delete-secret-key 6EE6BDF08BF51743ABE189E89C03756E10264874
6. Set the secret key used for signing:
edit $HOME/.rpmmacros and add these 3 lines:
%_signature    gpg
%_gpg_path     /home/mihai/.gnupg
%_gpg_name     Mihai Vasilian (RPM Signing Key) <grayasm@gmail.com>
7. Build the rpm package, then sign it:
$ rpmbuild -v -bb --clean SPECS/sign3.spec
$ rpmsign --addsign ./RPMS/x86_64/sign3-0.1-1.el7.x86_64.rpm
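A common failure at step 7 is a %_gpg_name that does not select a signing-capable secret key (for example the [E] encryption subkey, or a uid that differs from the one in the keyring), so rpmsign cannot find a key to sign with. The following added example (not part of the original page) parses the human-readable listing from step 2 and checks an .rpmmacros file against it; it assumes the listing layout shown above (gpg's --with-colons output is the stable machine-readable form and would need a different parser).

```python
import re

# Constructed sample input in the layout printed by `gpg --list-secret-keys`
# (the key and uid are the page's own example values).
SAMPLE_LISTING = """\
/home/mihai/.gnupg/pubring.kbx
------------------------------
sec   rsa3072 2022-10-08 [SC]
      6EE6BDF08BF51743ABE189E89C03756E10264874
uid           [ultimate] Mihai Vasilian (RPM Signing Key) <grayasm@gmail.com>
ssb   rsa3072 2022-10-08 [E]
"""

# sec/ssb lines may carry a '#' or '>' suffix for stub/card keys.
KEY_RE = re.compile(r"^(sec|ssb)[#>]?\s+\S+\s+\S+\s+\[([A-Z]+)\]")
FPR_RE = re.compile(r"^\s+([0-9A-F]{40})\s*$")
UID_RE = re.compile(r"^uid\s+\[[^\]]*\]\s+(.+?)\s*$")


def parse_secret_keys(listing):
    """Return a list of {kind, caps, fpr, uids} dicts, one per sec/ssb line."""
    keys, current = [], None
    for line in listing.splitlines():
        if m := KEY_RE.match(line):
            current = {"kind": m[1], "caps": set(m[2]), "fpr": None, "uids": []}
            keys.append(current)
        elif current and (m := FPR_RE.match(line)):
            current["fpr"] = m[1]
        elif current and (m := UID_RE.match(line)):
            current["uids"].append(m[1])  # uid lines follow the primary (sec) entry
    return keys


def signing_keys(listing):
    """Primary keys whose capability flags include S (signing)."""
    return [k for k in parse_secret_keys(listing)
            if k["kind"] == "sec" and "S" in k["caps"]]


def check_gpg_name(macros_text, listing):
    """Verify that %_gpg_name in .rpmmacros selects a signing-capable secret
    key, either by full uid or by fingerprint. Returns (ok, message)."""
    m = re.search(r"^%_gpg_name\s+(.+?)\s*$", macros_text, re.M)
    if not m:
        return False, "%_gpg_name is not set"
    name = m[1]
    for k in signing_keys(listing):
        if name in k["uids"] or name.upper() == k["fpr"]:
            return True, f"signing key {k['fpr']}"
    return False, f"{name!r} does not name a signing-capable (S) secret key"


if __name__ == "__main__":
    macros = "%_signature    gpg\n%_gpg_path     /home/mihai/.gnupg\n" \
             "%_gpg_name     Mihai Vasilian (RPM Signing Key) <grayasm@gmail.com>\n"
    print(check_gpg_name(macros, SAMPLE_LISTING))
```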