Difference between revisions of "Sign your RPM"
(7 intermediate revisions by the same user not shown) | |||
Line 7: | Line 7: | ||
In this HOWTO, I'll cover how to generate your own gpg key pair and sign your custom RPM package with that key. | In this HOWTO, I'll cover how to generate your own gpg key pair and sign your custom RPM package with that key. | ||
+ | * Create the gnupg folder | ||
+ | [root@sme8rpm ]# cd ~ | ||
+ | [root@sme8rpm ]# mkdir .gnupg | ||
* Generate gpg key pair (public key and private key) | * Generate gpg key pair (public key and private key) | ||
− | [root@sme8rpm | + | [root@sme8rpm ]# gpg --gen-key |
gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc. | gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc. | ||
This program comes with ABSOLUTELY NO WARRANTY. | This program comes with ABSOLUTELY NO WARRANTY. | ||
Line 74: | Line 77: | ||
* Now that you've generated gpg keys, you can see the list in your key ring by typing : | * Now that you've generated gpg keys, you can see the list in your key ring by typing : | ||
− | [root@sme8rpm | + | [root@sme8rpm]# gpg --list-keys |
− | /root/.gnupg/pubring.gpg | + | |
− | ------------------------------- | + | /root/.gnupg/pubring.gpg |
− | pub 1024D/23A254D4 2005-01-06 Foo <foo@foo.com> | + | ------------------------------- |
− | sub 1024g/D08816E2 2005-01-06 | + | pub 1024D/23A254D4 2005-01-06 Foo <foo@foo.com> |
+ | sub 1024g/D08816E2 2005-01-06 | ||
* To extract or export your public key from your key ring to a text file. | * To extract or export your public key from your key ring to a text file. | ||
− | [root@sme8rpm | + | [root@sme8rpm]# gpg --export -a 'Foo' > RPM-GPG-KEY |
− | This file is necessary to import it to your RPM DB and verify a package with gpg key later on. If you're planning to share your custom built RPM packages with others, make sure to have your public key file available online in public so they can verify your custom RPM package. see [[http://wiki.contribs.org/Stephdl Stephdl repository]] for an example on how declare the pgp signature to the repository. | + | This file is necessary to import it to your RPM DB and verify a package with gpg key later on. If you're planning to share your custom built RPM packages with others, make sure to have your public key file available online in public (in the web folder of your repository) so they can verify your custom RPM package. see [[http://wiki.contribs.org/Stephdl Stephdl repository]] for an example on how declare the pgp signature to the repository. |
* To import your public key to your RPM DB | * To import your public key to your RPM DB | ||
− | [root@sme8rpm | + | [root@sme8rpm]# rpm --import RPM-GPG-KEY |
Password: | Password: | ||
* Let's verify the list of gpg public keys in RPM DB: | * Let's verify the list of gpg public keys in RPM DB: | ||
− | [root@sme8rpm | + | [root@sme8rpm]# rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n' |
* Final step before the signing, configure your ~/.rpmmacros file to include the following: | * Final step before the signing, configure your ~/.rpmmacros file to include the following: | ||
− | nano ~/.rpmmacros | + | root@sme8rpm]# nano ~/.rpmmacros |
%_signature gpg | %_signature gpg | ||
− | %_gpg_path / | + | %_gpg_path /home/youruser/.gnupg |
%_gpg_name Foo | %_gpg_name Foo | ||
%_gpgbin /usr/bin/gpg | %_gpgbin /usr/bin/gpg | ||
− | * Now, you're ready to sign your custom RPM package | + | * Now, you're ready to sign your custom RPM package (with el7 you must now install rpm-sign) |
− | rpmbuild -ba --sign smeserver-roundcube.spec | + | root@sme8rpm]# rpmbuild -ba --sign smeserver-roundcube.spec |
or | or | ||
− | rpm --addsign smeserver-roundcube-0.9-15. | + | root@sme8rpm]# rpm --addsign smeserver-roundcube-0.9-15.rpm |
+ | or | ||
+ | root@sme8rpm]# rpm --resign smeserver-roundcube-0.9-15.rpm | ||
to verify if all is ok | to verify if all is ok | ||
− | rpm --checksig | + | root@sme8rpm]# rpm --checksig smeserver-roundcube-0.9-15.rpm |
smeserver-roundcube-0.9-15.src.rpm: (sha1) dsa sha1 md5 gpg OK | smeserver-roundcube-0.9-15.src.rpm: (sha1) dsa sha1 md5 gpg OK | ||
− | + | ||
[[Category:SME Server Development Framework]] | [[Category:SME Server Development Framework]] | ||
[[Category:Development Tools]] | [[Category:Development Tools]] | ||
[[Category:SME9-Development]] | [[Category:SME9-Development]] |
Latest revision as of 10:56, 20 February 2016
GnuPG stands for GNU Privacy Guard and is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC 2440. As such, it is aimed to be compatible with PGP from NAI, Inc.
After building your custom RPM package, it's a good idea to sign the package with your own GPG Key to make sure the package is authentic.
In this HOWTO, I'll cover how to generate your own gpg key pair and sign your custom RPM package with that key.
- Create the gnupg folder
[root@sme8rpm ]# cd ~ [root@sme8rpm ]# mkdir .gnupg
- Generate gpg key pair (public key and private key)
[root@sme8rpm ]# gpg --gen-key gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. gpg: keyring `/root/.gnupg/secring.gpg' created gpg: keyring `/root/.gnupg/pubring.gpg' created Please select what kind of key you want: (1) DSA and ElGamal (default) (2) DSA (sign only) (4) RSA (sign only) Your selection? 1 DSA keypair will have 1024 bits. About to generate a new ELG-E keypair. minimum keysize is 768 bits default keysize is 1024 bits highest suggested keysize is 2048 bits What keysize do you want? (1024) 1024 Requested keysize is 1024 bits Please specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) 0 Key does not expire at all Is this correct (y/n)? y You need a User-ID to identify your key; the software constructs the user id from Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>" Real name: Foo Email address: foo@foo.com Comment: You selected this USER-ID: "Foo <foo@foo.com>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O You need a Passphrase to protect your secret key. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. +++++++++++++.++++++++++++++++++++++++++++++++++++++++++++++++++..+++++ We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. ++++++++++++++++..++++++++++++++++++++.+++++++++++++++>+++++...+++++^^^ gpg: /root/.gnupg/trustdb.gpg: trustdb created public and secret key created and signed. key marked as ultimately trusted. pub 1024D/23A254D4 2005-01-06 Foo <foo@foo.com> Key fingerprint = 9D71 B237 3AE2 B54A B62D 5DC7 2758 9842 23A2 54D4 sub 1024g/D08816E2 2005-01-06
- Now that you've generated gpg keys, you can see the list in your key ring by typing :
[root@sme8rpm]# gpg --list-keys
/root/.gnupg/pubring.gpg ------------------------------- pub 1024D/23A254D4 2005-01-06 Foo <foo@foo.com> sub 1024g/D08816E2 2005-01-06
- To extract or export your public key from your key ring to a text file.
[root@sme8rpm]# gpg --export -a 'Foo' > RPM-GPG-KEY
This file is necessary to import it to your RPM DB and verify a package with gpg key later on. If you're planning to share your custom built RPM packages with others, make sure to have your public key file available online in public (in the web folder of your repository) so they can verify your custom RPM package. see [Stephdl repository] for an example on how declare the pgp signature to the repository.
- To import your public key to your RPM DB
[root@sme8rpm]# rpm --import RPM-GPG-KEY Password:
- Let's verify the list of gpg public keys in RPM DB:
[root@sme8rpm]# rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
- Final step before the signing, configure your ~/.rpmmacros file to include the following:
root@sme8rpm]# nano ~/.rpmmacros
%_signature gpg %_gpg_path /home/youruser/.gnupg %_gpg_name Foo %_gpgbin /usr/bin/gpg
- Now, you're ready to sign your custom RPM package (with el7 you must now install rpm-sign)
root@sme8rpm]# rpmbuild -ba --sign smeserver-roundcube.spec
or
root@sme8rpm]# rpm --addsign smeserver-roundcube-0.9-15.rpm
or
root@sme8rpm]# rpm --resign smeserver-roundcube-0.9-15.rpm
to verify if all is ok
root@sme8rpm]# rpm --checksig smeserver-roundcube-0.9-15.rpm smeserver-roundcube-0.9-15.src.rpm: (sha1) dsa sha1 md5 gpg OK