RPMSIGN(8)                                                          RPMSIGN(8)

NAME
       rpmsign - RPM Package Signing

SYNOPSIS
   SIGNING PACKAGES:
       rpm --addsign|--resign [rpmsign-options] PACKAGE_FILE ...

       rpm --delsign PACKAGE_FILE ...

       rpm --delfilesign PACKAGE_FILE ...

   rpmsign-options
       [--rpmv3] [--fskpath KEY] [--signfiles]
DESCRIPTION
       Both the --addsign and --resign options generate and insert new
       signatures for each given PACKAGE_FILE, replacing any existing
       signatures. The two options exist for historical reasons; there is
       currently no difference in behavior.

       To create a signature, rpm needs to verify the package's checksum. As
       a result, packages with MD5/SHA1 checksums cannot be signed in FIPS
       mode.

       rpm --delsign PACKAGE_FILE ...

       Delete all signatures from each given PACKAGE_FILE.

       rpm --delfilesign PACKAGE_FILE ...

       Delete all IMA and fsverity file signatures from each given
       PACKAGE_FILE.
SIGN OPTIONS
       --rpmv3
              Force RPM V3 header+payload signature addition. These are
              expensive and redundant baggage on packages where a separate
              payload digest exists (packages built with rpm >= 4.14). Rpm
              will automatically detect the need for V3 signatures, but this
              option can be used to force their creation if the packages must
              be fully signature verifiable with rpm < 4.14, or for other
              interoperability reasons.

       --fskpath KEY
              Used with --signfiles: use file signing key KEY.

       --certpath CERT
              Used with --signverity: use file signing certificate CERT.

       --verityalgo ALG
              Used with --signverity to specify the signing algorithm. sha256
              and sha512 are supported, with sha256 being the default if this
              argument is not specified. This can also be specified with the
              macro %_verity_algorithm.

       --signfiles
              Sign package files. The macro %_binary_filedigest_algorithm
              must be set to a supported algorithm before building the
              package. The supported algorithms are SHA1, SHA256, SHA384, and
              SHA512, which are represented as 2, 8, 9, and 10 respectively.
              The file signing key (RSA private key) must be set before
              signing the package; it can be configured on the command line
              with --fskpath or via the macro %_file_signing_key.

       --signverity
              Sign package files with fsverity signatures. The file signing
              key (RSA private key) and the signing certificate must be set
              before signing the package. The key can be configured on the
              command line with --fskpath or via the macro %_file_signing_key,
              and the cert can be configured on the command line with
              --certpath or via the macro %_file_signing_cert.
USING GPG TO SIGN PACKAGES
       In order to sign packages using GPG, rpm must be configured to run GPG
       and be able to find a key ring with the appropriate keys. By default,
       rpm uses the same conventions as GPG to find key rings, namely the
       $GNUPGHOME environment variable. If your key rings are not located
       where GPG expects them to be, you will need to configure the macro
       %_gpg_path to be the location of the GPG key rings to use. If you want
       to be able to sign packages you create yourself, you also need to
       create your own public and secret key pair (see the GPG manual). You
       will also need to configure the rpm macro

       %_gpg_name
              The name of the "user" whose key you wish to use to sign your
              packages.

       For example, to be able to use GPG to sign packages as the user "John
       Doe <jdoe@foo.com>" from the key rings located in /etc/rpm/.gpg using
       the executable /usr/bin/gpg, you would include

              %_gpg_path /etc/rpm/.gpg
              %_gpg_name John Doe <jdoe@foo.com>
              %__gpg /usr/bin/gpg

       in a macro configuration file. Use /etc/rpm/macros for per-system
       configuration and ~/.rpmmacros for per-user configuration. Typically
       it is sufficient to set just %_gpg_name.
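       The macro setup above and the %_binary_filedigest_algorithm codes from
       the --signfiles option, put together as an added shell example (this is
       not part of rpmsign or the rpm project): it generates the per-user
       macro configuration, signs a package, and checks the result with
       rpmkeys(8) against a throwaway rpm database. It assumes rpmsign and
       rpmkeys are installed and that a GPG secret key matching the given
       %_gpg_name exists where GPG (or %_gpg_path) looks for it.

```shell
# Added example, not from rpmsign(8). Assumes rpmsign/rpmkeys are installed
# and a GPG secret key for the chosen %_gpg_name is available to GPG.

# Map a file digest name to the %_binary_filedigest_algorithm code the page
# lists (SHA1=2, SHA256=8, SHA384=9, SHA512=10); any other name is refused,
# because rpmbuild will not produce --signfiles-capable packages with it.
digest_code() {
    case "$1" in
        SHA1)   echo 2 ;;
        SHA256) echo 8 ;;
        SHA384) echo 9 ;;
        SHA512) echo 10 ;;
        *)      return 1 ;;
    esac
}

# Print ~/.rpmmacros content.
#   $1 = %_gpg_name (required)
#   $2 = file digest name, only needed if packages will later get --signfiles
#   $3 = optional key ring directory for %_gpg_path
gen_macros() {
    printf '%%_gpg_name %s\n' "$1"
    if [ -n "$2" ]; then
        code=$(digest_code "$2") || return 1
        printf '%%_binary_filedigest_algorithm %s\n' "$code"
    fi
    if [ -n "$3" ]; then
        printf '%%_gpg_path %s\n' "$3"
    fi
}

# Sign package $1 in place, then verify it against the exported public key
# $2 using a temporary rpm database, so the check neither depends on nor
# modifies the system key ring. rpmkeys prints "... OK" only when the
# digests and signatures verify.
sign_and_verify() {
    tmpdb=$(mktemp -d) || return 1
    rpmsign --addsign "$1" || return 1
    rpmkeys --dbpath "$tmpdb" --import "$2" || return 1
    rpmkeys --dbpath "$tmpdb" --checksig "$1" | grep -q 'OK$'
}
```

       Run gen_macros with your own signer name and redirect its output to
       ~/.rpmmacros before calling sign_and_verify on a package.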
SEE ALSO
       popt(3),
       rpm(8),
       rpmdb(8),
       rpmkeys(8),
       rpm2cpio(8),
       rpmbuild(8),
       rpmspec(8),

       rpmsign --help - as rpm supports customizing the options via popt
       aliases, it's impossible to guarantee that what's described in the
       manual matches what's available.

       http://www.rpm.org/

AUTHORS
       Marc Ewing <marc@redhat.com>
       Jeff Johnson <jbj@redhat.com>
       Erik Troan <ewt@redhat.com>
       Panu Matilainen <pmatilai@redhat.com>
       Fionnuala Gunter <fin@linux.vnet.ibm.com>
       Jes Sorensen <jsorensen@fb.com>

Red Hat, Inc                                                        RPMSIGN(8)