Back to main index


There are 3 ways to sign a RPM package:
 • when it is built
 • re-sign a package that's already been signed
 • sign an existing RPM that has no signature

1. Generate a new gpg secret key - see tutorial:
$ gpg --full-generate-key

Select (1) RSA and RSA (default)
Select keysize (3072) (default)
Select how long the key should be valid.
    0 = key does not expire

Real name: Mihai Vasilian
Email address:
Comment: RPM Signing Key
You selected this USER-ID:
    "Mihai Vasilian (RPM Signing Key) <>"

Type a secure passphrase.
2. List all secret keys:
$ gpg --list-secret-keys

sec   rsa3072 2022-10-08 [SC]
uid           [ultimate] Mihai Vasilian (RPM Signing Key) 
ssb   rsa3072 2022-10-08 [E]
3. Print the GPG key ID, in ASCII armor format:
$ gpg --armor --export 6EE6BDF08BF51743ABE189E89C03756E10264874

Copy your GPG key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK-----
and ending with -----END PGP PUBLIC KEY BLOCK-----
and save it as RPM-GPG-KEY-vasilian

4. To remove a secret key use:
$ gpg --delete-secret-key 6EE6BDF08BF51743ABE189E89C03756E10264874
5. Install old GPG keys on a new machine:

If you already have the keys in the email then saving them in ~/.gnupg is enough
to make gnupg import the keys automatically.

mkdir ~/.gnupg
cd ~/.gnupg
mv ~/Downloads/pubring.gpg .
mv ~/Downloads/secring.gpg .
chcon -t gpg_secret_t -v pubring.gpg
chcon -t gpg_secret_t -v secring.gpg
cd ~
gpg --list-keys
gpg --list-secret-keys
6. Get GPG keys from an old computer:

If you forgot to save the keys but still have the computer where the keys were
generated then export them as indicated here with:

gpg --output pubring.gpg --armor --export
gpg --output secring.gpg --armor --export-secret-key
7. Check if the gpg-agent is running:
$ gpg-agent --daemon
gpg-agent: a gpg-agent is already running - not starting a new one
8. Set the secret key for rpmbuild

edit $HOME/.rpmmacros and add 3 lines:

%_signature    gpg
%_gpg_path     /home/mihai/.gnupg
%_gpg_name     Mihai Vasilian (RPM Signing Key) <>
9. Build and sign the rpm package using:
$ rpmbuild -v --bb --clean SPECS/sign3.spec
$ rpmsign --addsign ./RPMS/x86_64/sign3-0.1-1.el7.x86_64.rpm
Back to main index