RPM packages with my GPG key

    GnuPG stands for GNU Privacy Guard and is GNU’s tool for secure communication
    and data storage. It can be used to encrypt data and to create digital signatures.
    It includes an advanced key management facility and is compliant with the proposed
    OpenPGP Internet standard as described in RFC 2440.
    As such, it is aimed to be compatible with PGP from NAI, Inc.

    After building your custom RPM package, it’s a good idea to sign the package with your own GPG key so
    that anyone who installs it can check that the package is authentic. In this HOWTO, I’ll cover how to
    generate your own GPG key pair and sign your custom RPM package with that key.

    1) Generate my GPG key

     username@core2 : ~ $ gpg --gen-key
    gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Please select what kind of key you want:
    (1) RSA and RSA (default)
    (2) DSA and Elgamal
    (3) DSA (sign only)
    (4) RSA (sign only)
    Your selection?
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048)
    Requested keysize is 2048 bits
    Please specify how long the key should be valid.
    0 = key does not expire
    <n>  = key expires in n days
    <n>w = key expires in n weeks
    <n>m = key expires in n months
    <n>y = key expires in n years
    Key is valid for? (0)
    Key does not expire at all
    Is this correct? (y/N) y

    You need a user ID to identify your key; the software constructs the user ID
    from the Real Name, Comment and Email Address in this form:
    “Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>”

    Real name: You Name
    Email address: youname@youmail.com
    Comment: blackPanther Community
    You selected this USER-ID:
    “You Name (blackPanther Community) <youname@youmail.com>”

    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
    You need a Passphrase to protect your secret key.

    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.

    Not enough random bytes available. Please do some other work to give
    the OS a chance to collect more entropy! (Need 94 more bytes)
    ...............+++++
    ......+++++
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.

    Not enough random bytes available. Please do some other work to give
    the OS a chance to collect more entropy! (Need 63 more bytes)
    +++++
    +++++
    gpg: key 3295986A marked as ultimately trusted
    public and secret key created and signed.

    gpg: checking the trustdb
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
    pub   2048R/3295986A 2010-08-19
          Key fingerprint = AD08 87DB A0FA A43D F99C 9AAF 5DDB 3CB5 3295 986A
    uid                  You Name (blackPanther Community) <youname@youmail.com>
    sub   2048R/95406055 2010-08-19

    2) Check key(s)

     username@core2 : ~ $ gpg --list-keys
    /home/username/.gnupg/pubring.gpg
    ---------------------------------
    pub   2048R/2ACAE00F 2010-08-19
    uid                  You Name (blackPanther Community) <youname@youmail.com>
    sub   2048R/AE5E0B3E 2010-08-19
     username@core2 : ~ $

    3) Export your public key from your keyring to a text file

     username@core2 : ~ $ gpg --export -a \
        'You Name (blackPanther Community) <youname@youmail.com>' > \
        RPM-GPG-KEY-youname

    This file is what you import into your RPM DB so that packages signed with this key can be verified later on.
    If you’re planning to share your custom-built RPM packages with others, make sure your public key file is
    published online so they can verify your custom RPM packages.

    4) Import your public key into your RPM DB

     username@core2 : ~ $ su
    Password: (root password)
     root@core2 : ~ # rpm --import RPM-GPG-KEY-youname

    5) Let’s verify the list of GPG public keys in the RPM DB:

     RPM# rpm -qi gpg-pubkey
    or
     RPM# rpm -q gpg-pubkey --qf \
    '%{name}-%{version}-%{release} --> %{summary}\n'

    6) Final step before signing: configure your ~/.rpmmacros file to include the following:

     RPM# cat /home/username/.rpmmacros
    %packager               You Name <youname@youmail.com>
    %distribution           blackPanther OS
    %vendor                 blackPanther Community
    %_signature             gpg
    %_gpgbin                /usr/bin/gpg
    %_gpg_path              ~/.gnupg
    %_gpg_name              You Name (blackPanther Community) <youname@youmail.com>

    Important
    %_gpg_name is the user ID of the key you wish to use to sign your packages (the name shown in step 2).

    7) Now you’re ready to sign your custom RPM package

     username@core2 : ~ $ rpm --addsign imagemagick-6.6.3.7-1bP.i586.rpm
    Enter pass phrase:
    Pass phrase is good.
    imagemagick-6.6.3.7-1bP.i586.rpm:
     username@core2 : ~ $

    Note
    I’ve used ‘--addsign’ since this package was not signed before.
    If you wish to overwrite an existing signature and re-sign the package, use the ‘--resign’ option.

    8) To check the signature, use the following option and watch for ‘gpg OK’ in the output

     username@core2 : ~ $ rpm -K imagemagick-6.6.3.7-1bP.i586.rpm
    imagemagick-6.6.3.7-1bP.i586.rpm: (sha1) dsa sha1 md5 gpg OK

    Tip
    To sign a package while it is being built, simply add ‘--sign’:
    rpmbuild -ba --sign
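    An added example (not code from the original HOWTO) that turns the “watch for ‘gpg OK’” advice of step 8 and the key listing of step 5 into a check a script can decide on; the rpm -K output lines and the gpg-pubkey release field below are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the original HOWTO: two checks that make
# step 8's "watch for 'gpg OK'" and step 5's key listing decidable by a
# script. All sample lines below are constructed.

# rpm -K prints each check that passed in lowercase ("gpg OK") and each
# check that failed or could not be made in UPPERCASE, for example
# "(GPG) NOT OK (MISSING KEYS: ...)". An unsigned package still prints
# "... md5 OK", just without any "gpg", so matching the word OK is not
# enough. Return 0 only when the GPG signature itself verified.
rpm_sig_ok() {
    case "$1" in
        *"NOT OK"*)        return 1 ;;   # some check failed or key missing
        *" gpg OK")        return 0 ;;   # rpm 4.x format, as on this page
        *" signatures OK") return 0 ;;   # rpm >= 4.14 "digests signatures OK"
        *)                 return 1 ;;   # digests only (unsigned) or unknown
    esac
}

# rpm stores an imported key as the pseudo package gpg-pubkey-<keyid>-<time>;
# <keyid> is the low 32 bits of the fingerprint in lowercase hex. Derive it
# from the fingerprint exactly as gpg prints it (with spaces).
key_id_from_fpr() {
    printf '%s' "$1" | tr -d ' ' | tail -c 8 | tr '[:upper:]' '[:lower:]'
}

# $1 = fingerprint, $2 = output of
#   rpm -q gpg-pubkey --qf '%{version}-%{release} --> %{summary}\n'
# Return 0 if a key with that id is present in the RPM DB listing.
pubkey_imported() {
    id=$(key_id_from_fpr "$1")
    [ -n "$id" ] && printf '%s\n' "$2" | grep -q "^${id}-"
}

# Constructed sample data: the fingerprint from step 1 and the listing step 5
# would produce for it (the hex time in the release field is made up).
FPR='AD08 87DB A0FA A43D F99C 9AAF 5DDB 3CB5 3295 986A'
LISTING='3295986a-4c6d2a10 --> gpg(You Name (blackPanther Community) <youname@youmail.com>)'

for line in 'imagemagick-6.6.3.7-1bP.i586.rpm: (sha1) dsa sha1 md5 gpg OK' \
            'pkg.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#3295986a)' \
            'pkg.rpm: (sha1) dsa sha1 md5 OK'; do
    if rpm_sig_ok "$line"; then echo "ACCEPT: $line"; else echo "REJECT: $line"; fi
done
pubkey_imported "$FPR" "$LISTING" && echo "key $(key_id_from_fpr "$FPR") is imported"
```

    The third sample line is the one to watch for: an unsigned package passes its digest checks and prints OK, yet carries no signature at all.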
