RPMSIGN(8)                  System Manager's Manual                 RPMSIGN(8)

NAME

       rpmsign - RPM Package Signing

SYNOPSIS

   SIGNING PACKAGES:
       rpm --addsign|--resign [rpmsign-options] PACKAGE_FILE ...

       rpm --delsign PACKAGE_FILE ...

   rpmsign-options
       [--rpmv3] [--fskpath KEY] [--signfiles]

DESCRIPTION

       Both of the --addsign and --resign options generate and insert new
       signatures for each package PACKAGE_FILE given, replacing any existing
       signatures. There are two options for historical reasons; there is
       currently no difference in behavior.

       To create a signature, rpm needs to verify the package's checksum. As a
       result, packages with MD5/SHA1 checksums cannot be signed in FIPS
       mode.

       rpm --delsign PACKAGE_FILE ...

       Delete all signatures from each package PACKAGE_FILE given.

   SIGN OPTIONS
       --rpmv3
              Force RPM V3 header+payload signature addition. These are
              expensive and redundant baggage on packages where a separate
              payload digest exists (packages built with rpm >= 4.14). Rpm
              will automatically detect the need for V3 signatures, but this
              option can be used to force their creation if the packages must
              be fully signature verifiable with rpm < 4.14 or for other
              interoperability reasons.

       --fskpath KEY
              Used with --signfiles. Use KEY as the file signing key.

       --signfiles
              Sign package files. The macro %_binary_filedigest_algorithm must
              be set to a supported algorithm before building the package. The
              supported algorithms are SHA1, SHA256, SHA384, and SHA512, which
              are represented as 2, 8, 9, and 10 respectively. The file
              signing key (RSA private key) must be set before signing the
              package; it can be configured on the command line with --fskpath
              or the macro %_file_signing_key.

   USING GPG TO SIGN PACKAGES
       In order to sign packages using GPG, rpm must be configured to run GPG
       and be able to find a key ring with the appropriate keys. By default,
       rpm uses the same conventions as GPG to find key rings, namely the
       $GNUPGHOME environment variable. If your key rings are not located
       where GPG expects them to be, you will need to configure the macro
       %_gpg_path to be the location of the GPG key rings to use. If you want
       to be able to sign packages you create yourself, you also need to
       create your own public and secret key pair (see the GPG manual). You
       will also need to configure the rpm macro

       %_gpg_name
              The name of the "user" whose key you wish to use to sign your
              packages.

       For example, to be able to use GPG to sign packages as the user "John
       Doe <jdoe@foo.com>" from the key rings located in /etc/rpm/.gpg using
       the executable /usr/bin/gpg you would include

       %_gpg_path /etc/rpm/.gpg
       %_gpg_name John Doe <jdoe@foo.com>
       %__gpg /usr/bin/gpg

       in a macro configuration file. Use /etc/rpm/macros for per-system
       configuration and ~/.rpmmacros for per-user configuration. Typically
       it's sufficient to set just %_gpg_name.
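
       An added pre-flight check for the macro configuration described above
       (example code, not part of rpm or of this manual): it reads a macros
       file and reports a missing %_gpg_name, a %_gpg_path that is not a
       directory or is accessible to group/other, and a %__gpg that is not an
       executable file. The function names, the permission rule and the sample
       data are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of rpm: pre-flight audit of the GPG signing macros.
# Function names and sample data are hypothetical, constructed for this page.

# macro_value FILE NAME: print the last value defined for %NAME in FILE.
macro_value() {
    awk -v m="%$2" '$1 == m { $1 = ""; sub(/^ +/, ""); v = $0 } END { print v }' "$1"
}

# audit_signing_macros FILE: print one line per finding; the exit status is
# the number of findings (0 means nothing was flagged).
audit_signing_macros() {
    file=$1; issues=0
    [ -r "$file" ] || { echo "FAIL cannot read $file"; return 1; }
    gpg_name=$(macro_value "$file" _gpg_name)
    ring_dir=$(macro_value "$file" _gpg_path)
    gpg_bin=$(macro_value "$file" __gpg)
    if [ -z "$gpg_name" ]; then
        echo "FAIL %_gpg_name is not set, so no signing key is named"
        issues=$((issues + 1))
    fi
    if [ -n "$ring_dir" ] && [ ! -d "$ring_dir" ]; then
        echo "FAIL %_gpg_path $ring_dir is not a directory"
        issues=$((issues + 1))
    elif [ -n "$ring_dir" ]; then
        # Assumption (not from the man page): the key ring directory should
        # grant nothing to group/other; ls mode characters 5-10 are those bits.
        bits=$(ls -ld "$ring_dir" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "FAIL %_gpg_path $ring_dir is accessible to group/other ($bits)"
            issues=$((issues + 1))
        fi
    fi
    if [ -n "$gpg_bin" ] && { [ ! -f "$gpg_bin" ] || [ ! -x "$gpg_bin" ]; }; then
        echo "FAIL %__gpg $gpg_bin is not an executable file"
        issues=$((issues + 1))
    fi
    return "$issues"
}

# Constructed sample: the macros from the example above, with the key ring
# moved into a scratch directory that starts out readable by everyone.
demo=$(mktemp -d)
mkdir "$demo/keyring" && chmod 755 "$demo/keyring"
printf '%s\n' "%_gpg_path $demo/keyring" \
    '%_gpg_name John Doe <jdoe@foo.com>' > "$demo/macros"
audit_signing_macros "$demo/macros" || echo "findings: $?"
chmod 700 "$demo/keyring"
audit_signing_macros "$demo/macros" && echo "OK: nothing flagged"
rm -rf "$demo"
```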

SEE ALSO

       popt(3),
       rpm(8),
       rpmdb(8),
       rpmkeys(8),
       rpm2cpio(8),
       rpmbuild(8),
       rpmspec(8)

       rpmsign --help - as rpm supports customizing the options via popt
       aliases it's impossible to guarantee that what's described in the
       manual matches what's available.

       http://www.rpm.org/

AUTHORS

       Marc Ewing <marc@redhat.com>
       Jeff Johnson <jbj@redhat.com>
       Erik Troan <ewt@redhat.com>
       Panu Matilainen <pmatilai@redhat.com>
       Fionnuala Gunter <fin@linux.vnet.ibm.com>

                                 Red Hat, Inc                       RPMSIGN(8)