Installation guide
4.2.2. Signing packages
Before signing packages, configure the ~/.rpmmacros file to include the following:
%_signature gpg
%_gpg_name B7085C8A
Replace the _gpg_name key ID value of B7085C8A with the key ID from your GPG keyring that you use
to sign packages. This value tells RPM which signature to use.
To sign the package package-name-1.0-1.noarch.rpm, use the following command:
rpm --resign package-name-1.0-1.noarch.rpm
Enter your passphrase. To make sure the package is signed, use the following command:
rpm --checksig -v package-name-1.0-1.noarch.rpm
Note
Before running the rpm --checksig -v command, import the gpg key. See Section 4.3,
“Importing Custom GPG Keys” in the next section for more information.
You should see the phrase Good signature from "Your Name" in the output, with Your Name replaced
with the name associated with the signing key.
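As an added example (not part of the Red Hat guide), the following POSIX shell function reads the output of rpm --checksig -v and succeeds only when a Good signature line names the expected signer and no line reports a failure; the sample outputs are constructed to mirror the phrases the guide describes and are not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the guide. Usage on a real system:
#   rpm --checksig -v package-name-1.0-1.noarch.rpm 2>&1 | rpm_sig_ok "Your Name"
# Returns 0 only if a "Good signature from" line names the expected signer AND
# no line reports BAD, NOKEY, NOT OK or MISSING KEYS (e.g. key not yet imported).
rpm_sig_ok() {
    expected="$1"
    found=1
    failed=0
    while IFS= read -r line; do
        case "$line" in
            *"Good signature from \"$expected"*) found=0 ;;
            *BAD*|*NOKEY*|*"NOT OK"*|*"MISSING KEYS"*) failed=1 ;;
        esac
    done
    [ "$found" -eq 0 ] && [ "$failed" -eq 0 ]
}

# Constructed sample outputs (assumed shape, not real captures) for a self-test.
GOOD_OUTPUT='package-name-1.0-1.noarch.rpm:
gpg: Signature made Mon Jan  1 00:00:00 2007 using DSA key ID B7085C8A
gpg: Good signature from "Your Name <you@example.com>"
Header V3 DSA signature: OK, key ID b7085c8a
MD5 digest: OK'

NOKEY_OUTPUT='package-name-1.0-1.noarch.rpm:
Header V3 DSA signature: NOKEY, key ID b7085c8a
MD5 digest: OK'

# Feed a sample through rpm_sig_ok and echo 0 (accepted) or 1 (rejected).
check_sample() {
    if printf '%s\n' "$1" | rpm_sig_ok "$2"; then echo 0; else echo 1; fi
}

# Self-test on the constructed samples.
check_sample "$GOOD_OUTPUT" "Your Name"     # 0: signed by the expected key
check_sample "$NOKEY_OUTPUT" "Your Name"    # 1: key not imported, must not pass
check_sample "$GOOD_OUTPUT" "Someone Else"  # 1: valid signature, wrong signer
```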
4.3. Importing Custom GPG Keys
For customers who plan to build and distribute their own RPMs securely, it is strongly recommended that
all custom RPMs be signed using GNU Privacy Guard (GPG). Generating GPG keys and building GPG-signed
packages are covered in Section 4.2.1, “Generating a GnuPG Keypair”.
Once the packages are signed, the public key must be deployed on all systems importing these RPMs.
This task has two steps: first, create a central location for the public key so that clients may retrieve it,
and second, add the key to the local GPG keyring on each system.
The first step is common and may be handled using the website approach recommended for deploying
Red Hat Network client applications. To do this, create a public directory on the Web server and place
the GPG public signature in it:
cp /some/path/YOUR-RPM-GPG-KEY /var/www/html/pub/
The key can then be downloaded by client systems using Wget:
wget -O- -q http://your_proxy_or_sat.your_domain.com/pub/YOUR-RPM-GPG-KEY
The -O- option sends results to standard output while the -q option sets Wget to run in quiet mode.
Remember to replace the YOUR-RPM-GPG-KEY placeholder with the filename of your key.
Once the key is available on the client file system, import it into the local GPG keyring. Different operating
systems require different methods.