There are 3 ways to sign an RPM package:
• when it is built
• re-sign a package that's already been signed
• sign an existing RPM that has no signature
$ gpg --full-generate-key
Select (1) RSA and RSA (default)
Select keysize (3072) (default)
Select how long the key should be valid. 0 = key does not expire
Real name: Mihai Vasilian
Email address: grayasm@gmail.com
Comment: RPM Signing Key
You selected this USER-ID: "Mihai Vasilian (RPM Signing Key) <grayasm@gmail.com>"
Type a secure passphrase.
Done.

2. List all secret keys:
$ gpg --list-secret-keys
/home/mihai/.gnupg/pubring.kbx
------------------------------
sec   rsa3072 2022-10-08 [SC]
      6EE6BDF08BF51743ABE189E89C03756E10264874
uid           [ultimate] Mihai Vasilian (RPM Signing Key)
ssb   rsa3072 2022-10-08 [E]

3. Print the GPG public key for that key ID, in ASCII armor format:
$ gpg --armor --export 6EE6BDF08BF51743ABE189E89C03756E10264874
Copy your GPG key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK-----
and ending with -----END PGP PUBLIC KEY BLOCK-----
and save it as RPM-GPG-KEY-vasilian
$ gpg-agent --daemon
gpg-agent: a gpg-agent is already running - not starting a new one

5. To remove a secret key use:
$ gpg --delete-secret-key 6EE6BDF08BF51743ABE189E89C03756E10264874

6. Set the secret key for rpmbuild
%_signature gpg
%_gpg_path /home/mihai/.gnupg
%_gpg_name Mihai Vasilian (RPM Signing Key) <grayasm@gmail.com>

7. Build and sign the rpm package using:
$ rpmbuild -v --bb --clean SPECS/sign3.spec
$ rpmsign --addsign ./RPMS/x86_64/sign3-0.1-1.el7.x86_64.rpm
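
After step 7 it is worth confirming that the package really carries a verifiable signature, because `rpm -K` also ends in OK for an unsigned package whose digests match. The script below is an added example, not part of the original page: the function names are hypothetical, the sample lines are constructed, and the output formats are assumed from rpm 4.11 (el7) and rpm 4.14+.

```shell
#!/bin/sh
# Added example: classify one line of `rpm -K <package>` output.
# Assumed formats: rpm 4.11 (el7) lists each check ("rsa sha1 (md5) pgp md5 OK");
# rpm 4.14+ prints "digests signatures OK". Import the public key first with
#   rpm --import RPM-GPG-KEY-vasilian
# otherwise a correctly signed package is reported as NOT OK.

classify_checksig() {
    result=${1#*: }                      # drop the leading "package.rpm: "
    case $result in
        *"MISSING KEYS"*) echo missing-key ;;   # signed, but key not imported
        *"NOT OK"*)       echo bad ;;           # digest or signature failed
        *OK)
            # "OK" alone only proves the digests match; require a signature token.
            case " $result " in
                *" signatures "*|*" pgp "*|*" gpg "*|*" rsa "*|*" dsa "*)
                    echo signed ;;
                *)  echo unsigned ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# Hypothetical gate for a build script: succeed only for a verified signature.
require_signed() {
    [ "$(classify_checksig "$(rpm -K "$1" 2>&1)")" = signed ]
}

# Constructed sample lines (not captured from a real run).
while IFS= read -r line; do
    printf '%-12s %s\n' "$(classify_checksig "$line")" "$line"
done <<'EOF'
sign3-0.1-1.el7.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
sign3-0.1-1.el7.x86_64.rpm: sha1 md5 OK
sign3-0.1-1.el7.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#10264874)
sign3-0.1-1.el7.x86_64.rpm: digests signatures OK
sign3-0.1-1.el7.x86_64.rpm: digests OK
sign3-0.1-1.el7.x86_64.rpm: digests SIGNATURES NOT OK
EOF
```

In a build script, `require_signed ./RPMS/x86_64/sign3-0.1-1.el7.x86_64.rpm || exit 1` stops the pipeline when the package is unsigned or the key has not been imported.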