
GPG & RPM

There are three ways to sign an RPM package:
 • sign it when it is built
 • re-sign a package that has already been signed
 • sign an existing RPM that has no signature

1. Generate a new GPG secret key (see the GnuPG tutorial):
$ gpg --full-generate-key

Select (1) RSA and RSA (default)
Select keysize (3072) (default)
Select how long the key should be valid.
    0 = key does not expire

Real name: Mihai Vasilian
Email address: grayasm@gmail.com
Comment: RPM Signing Key
You selected this USER-ID:
    "Mihai Vasilian (RPM Signing Key) <grayasm@gmail.com>"

Type a secure passphrase.
Done.
2. List all secret keys:
$ gpg --list-secret-keys

/home/mihai/.gnupg/pubring.kbx
------------------------------
sec   rsa3072 2022-10-08 [SC]
      6EE6BDF08BF51743ABE189E89C03756E10264874
uid           [ultimate] Mihai Vasilian (RPM Signing Key) <grayasm@gmail.com>
ssb   rsa3072 2022-10-08 [E]
3. Export the public key in ASCII armor format:
$ gpg --armor --export 6EE6BDF08BF51743ABE189E89C03756E10264874

Copy your GPG key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK-----
and ending with -----END PGP PUBLIC KEY BLOCK-----
and save it as RPM-GPG-KEY-vasilian

4. To remove a secret key use:
$ gpg --delete-secret-key 6EE6BDF08BF51743ABE189E89C03756E10264874
5. Install old GPG keys on a new machine:

If you already have the exported key files (for example, sent to yourself by
email), saving them in ~/.gnupg is enough; gnupg picks up pubring.gpg and
secring.gpg automatically on its next run.

mkdir ~/.gnupg
cd ~/.gnupg
mv ~/Downloads/pubring.gpg .
mv ~/Downloads/secring.gpg .
chcon -t gpg_secret_t -v pubring.gpg
chcon -t gpg_secret_t -v secring.gpg
cd ~
gpg --list-keys
gpg --list-secret-keys
6. Get GPG keys from an old computer:

If you forgot to save the keys but still have the computer where the keys were
generated, export them with:

gpg --output pubring.gpg --armor --export grayasm@gmail.com
gpg --output secring.gpg --armor --export-secret-key grayasm@gmail.com
7. Check if the gpg-agent is running:
$ gpg-agent --daemon
gpg-agent: a gpg-agent is already running - not starting a new one
8. Set the secret key for rpmbuild

Edit $HOME/.rpmmacros and add these 3 lines:

%_signature    gpg
%_gpg_path     /home/mihai/.gnupg
%_gpg_name     Mihai Vasilian (RPM Signing Key) <grayasm@gmail.com>
9. Build and sign the rpm package using:
$ rpmbuild -v --bb --clean SPECS/sign3.spec
$ rpmsign --addsign ./RPMS/x86_64/sign3-0.1-1.el7.x86_64.rpm
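The key generation, public-key export and .rpmmacros steps above, as a non-interactive script. This is an added example, not part of these notes: it assumes gpg 2.1 or newer, runs in a throwaway GNUPGHOME so it never touches ~/.gnupg, and uses a constructed uid and an empty passphrase so it can run unattended.

```shell
#!/bin/sh
# Added example, not part of the original notes. Batch form of steps 1, 3
# and 8 in a temporary GNUPGHOME. Assumptions: gpg 2.1+ is installed; the
# uid, the empty passphrase and the temp paths are constructed for this
# example only. A real signing key gets a passphrase and a backup.
set -eu

GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"   # gpg warns about a homedir readable by others
UID_STR="Example Packager (RPM Signing Key) <packager@example.invalid>"

# Step 1, batch form: RSA 3072 signing-only key that never expires (0).
# Prints the primary key fingerprint, which is what later gpg commands want.
make_signing_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$UID_STR" rsa3072 sign 0
    gpg --batch --with-colons --list-secret-keys "$UID_STR" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 3: export only the public half, ASCII-armored, into the RPM-GPG-KEY-*
# file that is shipped to the machines which will verify the packages.
export_public_key() {    # $1 fingerprint, $2 output path
    gpg --batch --armor --export "$1" > "$2"
    head -n 1 "$2"       # first line must be the PGP PUBLIC KEY BLOCK header
}

# Step 8: the three .rpmmacros lines, generated instead of hand-edited.
write_rpmmacros() {      # $1 output path
    printf '%%_signature    gpg\n%%_gpg_path     %s\n%%_gpg_name     %s\n' \
        "$GNUPGHOME" "$UID_STR" > "$1"
}

FPR=$(make_signing_key)
KEYFILE="$GNUPGHOME/RPM-GPG-KEY-example"
HEADER=$(export_public_key "$FPR" "$KEYFILE")
MACROS="$GNUPGHOME/rpmmacros"
write_rpmmacros "$MACROS"
echo "fingerprint: $FPR"
echo "exported:    $HEADER"
echo "macros:      $MACROS"
```

On a consuming host the exported file is loaded with rpm --import and a signed package is checked with rpm --checksig (rpm -K) before installation.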