There are 3 ways to sign an RPM package:
• when it is built
• re-sign a package that's already been signed
• sign an existing RPM that has no signature

1. Generate a GPG key:

$ gpg --full-generate-key
Select (1) RSA and RSA (default)
Select keysize (3072) (default)
Select how long the key should be valid. 0 = key does not expire
Real name: Mihai Vasilian
Email address: grayasm@gmail.com
Comment: RPM Signing Key
You selected this USER-ID:
    "Mihai Vasilian (RPM Signing Key) <grayasm@gmail.com>"
Type a secure passphrase.
Done.

2. List all secret keys:

$ gpg --list-secret-keys
/home/mihai/.gnupg/pubring.kbx
------------------------------
sec   rsa3072 2022-10-08 [SC]
      6EE6BDF08BF51743ABE189E89C03756E10264874
uid           [ultimate] Mihai Vasilian (RPM Signing Key)
ssb   rsa3072 2022-10-08 [E]

3. Print the GPG public key, in ASCII armor format:

$ gpg --armor --export 6EE6BDF08BF51743ABE189E89C03756E10264874
Copy your GPG key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK-----
and ending with -----END PGP PUBLIC KEY BLOCK-----
and save it as RPM-GPG-KEY-vasilian

4. Delete the secret key:

$ gpg --delete-secret-key 6EE6BDF08BF51743ABE189E89C03756E10264874

5. Install old GPG keys on a new machine:

If you already have the keys in the email then saving them in ~/.gnupg is enough
to make gnupg import the keys automatically.

mkdir ~/.gnupg
cd ~/.gnupg
mv ~/Downloads/pubring.gpg .
mv ~/Downloads/secring.gpg .
chcon -t gpg_secret_t -v pubring.gpg
chcon -t gpg_secret_t -v secring.gpg
cd ~
gpg --list-keys
gpg --list-secret-keys

6. Get GPG keys from an old computer:

If you forgot to save the keys but still have the computer where the keys were
generated, then export them with:

gpg --output pubring.gpg --armor --export grayasm@gmail.com
gpg --output secring.gpg --armor --export-secret-key grayasm@gmail.com

7. Check if the gpg-agent is running:

$ gpg-agent --daemon
gpg-agent: a gpg-agent is already running - not starting a new one

8. Set the secret key for rpmbuild:

Edit $HOME/.rpmmacros and add 3 lines:

%_signature gpg
%_gpg_path /home/mihai/.gnupg
%_gpg_name Mihai Vasilian (RPM Signing Key) <grayasm@gmail.com>

9. Build and sign the rpm package using:

$ rpmbuild -v --bb --clean SPECS/sign3.spec
$ rpmsign --addsign ./RPMS/x86_64/sign3-0.1-1.el7.x86_64.rpm
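
After step 9 the signature should be checked. "rpm -K" exits 0 for a package that has no signature at all as long as its digests match, so a release gate has to read the output and not only the exit code. The script below is an added example, not part of the original page: the function names and sample lines are constructed for illustration, the output formats are assumed to be those of rpm 4.11 (el7) and rpm 4.14 or later, and the public key saved in step 3 is assumed to have been imported with "rpm --import RPM-GPG-KEY-vasilian".

```shell
#!/bin/sh
# Added example: gate on what `rpm -K` reports, not only on its exit status.
# Assumed output formats: rpm 4.11 (el7) names the signature type
# ("rsa", "dsa", "pgp", "gpg"); rpm >= 4.14 prints the word "signatures".

# classify_checksig LINE -> prints: signed | unsigned | failed
classify_checksig() {
    result=${1#*: }                         # strip the leading "<file>: "
    case $result in
        *"NOT OK"*) echo failed; return ;;  # bad digest, bad signature, missing key
        *OK) ;;                             # verified; decide below what was verified
        *) echo failed; return ;;           # unrecognised output: fail closed
    esac
    case $(printf '%s' "$result" | tr '[:upper:]' '[:lower:]') in
        *signatures*|*rsa*|*dsa*|*pgp*|*gpg*) echo signed ;;
        *) echo unsigned ;;                 # digests only, e.g. "sha1 md5 OK"
    esac
}

# require_signed FILE.rpm -> status 0 only if rpm verified a signature
require_signed() {
    line=$(LC_ALL=C rpm -K "$1" 2>&1)
    [ "$(classify_checksig "$line")" = signed ]
}

# Constructed sample lines (not captured from a real run)
SAMPLE_SIGNED='sign3-0.1-1.el7.x86_64.rpm: rsa sha1 (md5) pgp md5 OK'
SAMPLE_UNSIGNED='sign3-0.1-1.el7.x86_64.rpm: sha1 md5 OK'
SAMPLE_NOKEY='sign3-0.1-1.el7.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#10264874)'
SAMPLE_NEW='sign3-0.1-1.el7.x86_64.rpm: digests signatures OK'
SAMPLE_NEW_UNSIGNED='sign3-0.1-1.el7.x86_64.rpm: digests OK'

# When called with package paths, stop at the first one without a verified signature
for f in "$@"; do
    require_signed "$f" || { echo "no verified signature: $f" >&2; exit 1; }
done
```

A "failed" result with MISSING KEYS means the public key has not been imported into the rpm keyring on the machine doing the check.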