1RPMSIGN(8) System Manager's Manual RPMSIGN(8)
2
6 rpmsign - RPM Package Signing
7
9 SIGNING PACKAGES:
10 rpm --addsign|--resign [rpmsign-options] PACKAGE_FILE ...
11 rpm --delsign PACKAGE_FILE ...
13 rpmsign-options
16 [--rpmv3] [--fskpath KEY] [--signfiles]
17
20 Both of the --addsign and --resign options generate and insert new sig‐
21 natures for each package PACKAGE_FILE given, replacing any existing
22 signatures. There are two options for historical reasons, there is no
23 difference in behavior currently.
24 To create a signature rpm needs to verify the package's checksum. As a
26 result packages with a MD5/SHA1 checksums cannot be signed in FIPS
27 mode.
28 rpm --delsign PACKAGE_FILE ...
30 Delete all signatures from each package PACKAGE_FILE given.
33 SIGN OPTIONS
36 --rpmv3
37 Force RPM V3 header+payload signature addition. These are
38 expensive and redundant baggage on packages where a separate
39 payload digest exists (packages built with rpm >= 4.14). Rpm
40 will automatically detect the need for V3 signatures, but this
41 option can be used to force their creation if the packages must
42 be fully signature verifiable with rpm < 4.14 or other interop‐
43 erability reasons.
44 --fskpath KEY
46 Used with --signfiles, use file signing key Key.
47 --signfiles
49 Sign package files. The macro %_binary_filedigest_algorithm must
50 be set to a supported algorithm before building the package. The
51 supported algorithms are SHA1, SHA256, SHA384, and SHA512, which
52 are represented as 2, 8, 9, and 10 respectively. The file sign‐
53 ing key (RSA private key) must be set before signing the pack‐
54 age, it can be configured on the command line with --fskpath or
55 the macro %_file_signing_key.
56 USING GPG TO SIGN PACKAGES
59 In order to sign packages using GPG, rpm must be configured to run GPG
60 and be able to find a key ring with the appropriate keys. By default,
61 rpm uses the same conventions as GPG to find key rings, namely the
62 $GNUPGHOME environment variable. If your key rings are not located
63 where GPG expects them to be, you will need to configure the macro
64 %_gpg_path to be the location of the GPG key rings to use. If you want
65 to be able to sign packages you create yourself, you also need to cre‐
66 ate your own public and secret key pair (see the GPG manual). You will
67 also need to configure the rpm macros
68 %_gpg_name
70 The name of the "user" whose key you wish to use to sign your
71 packages.
72 For example, to be able to use GPG to sign packages as the user "John
74 Doe <jdoe@foo.com>" from the key rings located in /etc/rpm/.gpg using
75 the executable /usr/bin/gpg you would include
76 %_gpg_path /etc/rpm/.gpg
78 %_gpg_name John Doe <jdoe@foo.com>
79 %__gpg /usr/bin/gpg
80 in a macro configuration file. Use /etc/rpm/macros for per-system con‐
82 figuration and ~/.rpmmacros for per-user configuration. Typically it's
83 sufficient to set just %_gpg_name.
84
86 popt(3),
87 rpm(8),
88 rpmdb(8),
89 rpmkeys(8),
90 rpm2cpio(8),
91 rpmbuild(8),
92 rpmspec(8),
93 rpmsign --help - as rpm supports customizing the options via popt
95 aliases it's impossible to guarantee that what's described in the man‐
96 ual matches what's available.
97 http://www.rpm.org/ <URL:http://www.rpm.org/>
100
102 Marc Ewing <marc@redhat.com>
103 Jeff Johnson <jbj@redhat.com>
104 Erik Troan <ewt@redhat.com>
105 Panu Matilainen <pmatilai@redhat.com>
106 Fionnuala Gunter <fin@linux.vnet.ibm.com>
107 Red Hat, Inc RPMSIGN(8)