rpmsign(8) — Linux manual page


RPMSIGN(8)                 System Manager's Manual                RPMSIGN(8)

NAME

       rpmsign - RPM Package Signing

SYNOPSIS

   SIGNING PACKAGES:
       rpm --addsign|--resign [rpmsign-options] PACKAGE_FILE ...

       rpm --delsign PACKAGE_FILE ...

   rpmsign-options
       [--rpmv3] [--fskpath KEY] [--signfiles]

DESCRIPTION

       Both the --addsign and --resign options generate and insert new
       signatures for each package PACKAGE_FILE given, replacing any
       existing signatures. There are two options for historical reasons;
       there is currently no difference in behavior.

       To create a signature, rpm needs to verify the package's checksum. As
       a result, packages with MD5/SHA1 checksums cannot be signed in FIPS
       mode.

       rpm --delsign PACKAGE_FILE ...

       Delete all signatures from each package PACKAGE_FILE given.

   SIGN OPTIONS
       --rpmv3
              Force RPM V3 header+payload signature addition.  These are
              expensive and redundant baggage on packages where a separate
              payload digest exists (packages built with rpm >= 4.14).  Rpm
              will automatically detect the need for V3 signatures, but this
              option can be used to force their creation if the packages
              must be fully signature verifiable with rpm < 4.14 or other
              interoperability reasons.

       --fskpath KEY
              Used with --signfiles; use the file signing key KEY.

       --signfiles
              Sign package files. The macro %_binary_filedigest_algorithm
              must be set to a supported algorithm before building the
              package. The supported algorithms are SHA1, SHA256, SHA384,
              and SHA512, which are represented as 2, 8, 9, and 10
              respectively.  The file signing key (RSA private key) must be
              set before signing the package; it can be configured on the
              command line with --fskpath or the macro %_file_signing_key.

   USING GPG TO SIGN PACKAGES
       In order to sign packages using GPG, rpm must be configured to run
       GPG and be able to find a key ring with the appropriate keys. By
       default, rpm uses the same conventions as GPG to find key rings,
       namely the $GNUPGHOME environment variable.  If your key rings are
       not located where GPG expects them to be, you will need to configure
       the macro %_gpg_path to be the location of the GPG key rings to use.
       If you want to be able to sign packages you create yourself, you also
       need to create your own public and secret key pair (see the GPG
       manual). You will also need to configure the rpm macros

       %_gpg_name
              The name of the "user" whose key you wish to use to sign your
              packages.

       For example, to be able to use GPG to sign packages as the user "John
       Doe <jdoe@foo.com>" from the key rings located in /etc/rpm/.gpg using
       the executable /usr/bin/gpg you would include

       %_gpg_path /etc/rpm/.gpg
       %_gpg_name John Doe <jdoe@foo.com>
       %__gpg /usr/bin/gpg

       in a macro configuration file. Use /etc/rpm/macros for per-system
       configuration and ~/.rpmmacros for per-user configuration. Typically
       it's sufficient to set just %_gpg_name.
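
       The following preflight check is an added example, not part of
       rpm or of the original manual page. It lints a single macro file
       for the settings described under --signfiles and USING GPG TO SIGN
       PACKAGES; the function names and the sample file are constructed,
       and it assumes the file checked is the one in effect at build and
       signing time.

```shell
#!/bin/sh
# Added example: lint one rpm macro file before `rpm --addsign --signfiles`.

# macro_value FILE NAME: print the last value assigned to %NAME in FILE.
macro_value() {
    awk -v m="%$2" '$1 == m { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
                    END { print v }' "$1"
}

# digest_name N: map a %_binary_filedigest_algorithm number to its name,
# using the four values rpmsign(8) lists as supported for --signfiles.
digest_name() {
    case "$1" in
        2)  echo SHA1 ;;
        8)  echo SHA256 ;;
        9)  echo SHA384 ;;
        10) echo SHA512 ;;
        *)  return 1 ;;
    esac
}

# preflight FILE: print findings; return 0 only if signing can proceed.
preflight() {
    rc=0
    name=$(macro_value "$1" _gpg_name)
    algo=$(macro_value "$1" _binary_filedigest_algorithm)
    fsk=$(macro_value "$1" _file_signing_key)
    if [ -n "$name" ]; then echo "OK: signing as $name"
    else echo "FAIL: %_gpg_name is not set"; rc=1; fi
    if alg=$(digest_name "$algo"); then
        echo "OK: file digests use $alg ($algo)"
        [ "$alg" = SHA1 ] && echo "WARN: SHA1 is supported but weak; prefer 8, 9 or 10"
    else
        echo "FAIL: %_binary_filedigest_algorithm '$algo' is not 2, 8, 9 or 10"; rc=1
    fi
    [ -n "$fsk" ] || echo "NOTE: %_file_signing_key unset; pass --fskpath KEY"
    return $rc
}

# Constructed sample macro file (not taken from a real system).
sample=$(mktemp)
printf '%s\n' '%_gpg_name John Doe <jdoe@foo.com>' \
              '%_binary_filedigest_algorithm 8' > "$sample"
preflight "$sample"
rm -f "$sample"
```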

SEE ALSO

       popt(3),
       rpm(8),
       rpmdb(8),
       rpmkeys(8),
       rpm2cpio(8),
       rpmbuild(8),
       rpmspec(8),

       rpmsign --help - as rpm supports customizing the options via popt
       aliases it's impossible to guarantee that what's described in the
       manual matches what's available.

       http://www.rpm.org/

AUTHORS

       Marc Ewing <marc@redhat.com>
       Jeff Johnson <jbj@redhat.com>
       Erik Troan <ewt@redhat.com>
       Panu Matilainen <pmatilai@redhat.com>
       Fionnuala Gunter <fin@linux.vnet.ibm.com>

COLOPHON

       This page is part of the rpm (RPM Package Manager) project.
       Information about the project can be found at 
       ⟨https://github.com/rpm-software-management/rpm⟩.  It is not known how
       to report bugs for this man page; if you know, please send a mail to
       man-pages@man7.org.  This page was obtained from the project's
       upstream Git repository
       ⟨https://github.com/rpm-software-management/rpm.git⟩ on 2020-08-13.
       (At that time, the date of the most recent commit that was found in
       the repository was 2020-08-12.)  If you discover any rendering
       problems in this HTML version of the page, or you believe there is a
       better or more up-to-date source for the page, or you have corrections
       or improvements to the information in this COLOPHON (which is not
       part of the original manual page), send a mail to man-pages@man7.org.

                                Red Hat, Inc                      RPMSIGN(8)
