There are 3 ways to sign a RPM package:
• when it is built
• re-sign a package that's already been signed
• sign an existing RPM that has no signature
$ gpg --full-generate-key
Select (1) RSA and RSA (default)
Select keysize (3072) (default)
Select how long the key should be valid.
0 = key does not expire
Real name: Mihai Vasilian
Email address: grayasm@gmail.com
Comment: RPM Signing Key
You selected this USER-ID:
"Mihai Vasilian (RPM Signing Key) <grayasm@gmail.com>"
Type a secure passphrase.
Done.
2. List all secret keys:
$ gpg --list-secret-keys
/home/mihai/.gnupg/pubring.kbx
------------------------------
sec rsa3072 2022-10-08 [SC]
6EE6BDF08BF51743ABE189E89C03756E10264874
uid [ultimate] Mihai Vasilian (RPM Signing Key)
ssb rsa3072 2022-10-08 [E]
3. Print the GPG key ID, in ASCII armor format:
$ gpg --armor --export 6EE6BDF08BF51743ABE189E89C03756E10264874
Copy your GPG key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK-----
and ending with -----END PGP PUBLIC KEY BLOCK-----
and save it as RPM-GPG-KEY-vasilian
$ gpg-agent --daemon gpg-agent: a gpg-agent is already running - not starting a new one5. To remove a secret key use:
$ gpg --delete-secret-key 6EE6BDF08BF51743ABE189E89C03756E102648746. Set the secret key for rpmbuild
%_signature gpg %_gpg_path /home/mihai/.gnupg %_gpg_name Mihai Vasilian (RPM Signing Key) <grayasm@gmail.com>7. Build and sign the rpm package using:
$ rpmbuild -v --bb --clean SPECS/sign3.spec $ rpmsign --addsign ./RPMS/x86_64/sign3-0.1-1.el7.x86_64.rpmBack to main index