RPMSIGN(8)                                                          RPMSIGN(8)


NAME

       rpmsign - RPM Package Signing


SYNOPSIS

   SIGNING PACKAGES:
       rpm --addsign|--resign [rpmsign-options] PACKAGE_FILE ...

       rpm --delsign PACKAGE_FILE ...

       rpm --delfilesign PACKAGE_FILE ...

   rpmsign-options
       [--rpmv3] [--fskpath KEY] [--signfiles]


DESCRIPTION

       Both of the --addsign and --resign options generate and insert new
       signatures for each package PACKAGE_FILE given, replacing any existing
       signatures.  There are two options for historical reasons; there is
       currently no difference in behavior.

       To create a signature rpm needs to verify the package's checksum.  As a
       result, packages with MD5/SHA1 checksums cannot be signed in FIPS mode.

       rpm --delsign PACKAGE_FILE ...

       Delete all signatures from each package PACKAGE_FILE given.

       rpm --delfilesign PACKAGE_FILE ...

       Delete all IMA and fsverity file signatures from each package
       PACKAGE_FILE given.

   SIGN OPTIONS
       --rpmv3
              Force RPM V3 header+payload signature addition.  These are
              expensive and redundant baggage on packages where a separate
              payload digest exists (packages built with rpm >= 4.14).  Rpm
              will automatically detect the need for V3 signatures, but this
              option can be used to force their creation if the packages must
              be fully signature verifiable with rpm < 4.14 or for other
              interoperability reasons.

       --fskpath KEY
              Used with --signfiles, use file signing key KEY.

       --certpath CERT
              Used with --signverity, use file signing certificate CERT.

       --verityalgo ALG
              Used with --signverity to specify the signing algorithm.  sha256
              and sha512 are supported, with sha256 being the default if this
              argument is not specified.  This can also be specified with the
              macro %_verity_algorithm.

       --signfiles
              Sign package files.  The macro %_binary_filedigest_algorithm
              must be set to a supported algorithm before building the
              package.  The supported algorithms are SHA1, SHA256, SHA384, and
              SHA512, which are represented as 2, 8, 9, and 10 respectively.
              The file signing key (RSA private key) must be set before
              signing the package; it can be configured on the command line
              with --fskpath or the macro %_file_signing_key.

       --signverity
              Sign package files with fsverity signatures.  The file signing
              key (RSA private key) and the signing certificate must be set
              before signing the package.  The key can be configured on the
              command line with --fskpath or the macro %_file_signing_key, and
              the cert can be configured on the command line with --certpath
              or the macro %_file_signing_cert.

   USING GPG TO SIGN PACKAGES
       In order to sign packages using GPG, rpm must be configured to run GPG
       and be able to find a key ring with the appropriate keys.  By default,
       rpm uses the same conventions as GPG to find key rings, namely the
       $GNUPGHOME environment variable.  If your key rings are not located
       where GPG expects them to be, you will need to configure the macro
       %_gpg_path to be the location of the GPG key rings to use.  If you want
       to be able to sign packages you create yourself, you also need to
       create your own public and secret key pair (see the GPG manual).  You
       will also need to configure the rpm macro

       %_gpg_name
              The name of the "user" whose key you wish to use to sign your
              packages.

       For example, to be able to use GPG to sign packages as the user "John
       Doe <jdoe@foo.com>" from the key rings located in /etc/rpm/.gpg using
       the executable /usr/bin/gpg you would include

              %_gpg_path /etc/rpm/.gpg
              %_gpg_name John Doe <jdoe@foo.com>
              %__gpg /usr/bin/gpg

       in a macro configuration file.  Use /etc/rpm/macros for per-system
       configuration and ~/.rpmmacros for per-user configuration.  Typically
       it's sufficient to set just %_gpg_name.

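       Added example, not from the rpmsign manual or the rpm project: a POSIX
       sh helper that renders the %_gpg_name and %_gpg_path macros and the
       numeric %_binary_filedigest_algorithm id described above into macro
       configuration lines, then signs with rpm --addsign and verifies with
       rpmkeys --checksig.  The function names and the package path are
       assumptions, and rpmkeys --checksig only verifies the signature when the
       signing public key has been imported with rpmkeys --import.

```shell
#!/bin/sh
# Added example, not part of the rpmsign manual or the rpm project.
# Assumptions: rpm, rpmsign, rpmkeys and gpg are installed, a GPG key for the
# given user id exists, and its public key was imported with rpmkeys --import.

# Map a file digest algorithm name to the numeric id that the macro
# %_binary_filedigest_algorithm expects (SHA1=2, SHA256=8, SHA384=9, SHA512=10).
filedigest_id() {
    case "$1" in
        SHA1|sha1)     echo 2 ;;
        SHA256|sha256) echo 8 ;;
        SHA384|sha384) echo 9 ;;
        SHA512|sha512) echo 10 ;;
        *) echo "unsupported file digest algorithm: $1" >&2; return 1 ;;
    esac
}

# Print macro lines for a macro configuration file (e.g. ~/.rpmmacros).
#   $1 = %_gpg_name (required)
#   $2 = %_gpg_path (optional; only when the key ring is not where GPG looks)
#   $3 = file digest algorithm name (optional; only needed for --signfiles)
render_sign_macros() {
    if [ -z "$1" ]; then
        echo "a GPG user id (%_gpg_name) is required" >&2
        return 1
    fi
    if [ -n "$2" ]; then
        printf '%%_gpg_path %s\n' "$2"
    fi
    printf '%%_gpg_name %s\n' "$1"
    if [ -n "$3" ]; then
        alg_id=$(filedigest_id "$3") || return 1
        printf '%%_binary_filedigest_algorithm %s\n' "$alg_id"
    fi
}

# Sign a package, then verify it: --addsign replaces any existing signatures,
# so the rpmkeys check confirms the package now verifies against an imported key.
sign_and_check() {
    pkg=$1
    rpm --addsign "$pkg" || return 1
    rpmkeys --checksig "$pkg"
}

# Usage (PACKAGE_FILE.rpm is a placeholder):
#   render_sign_macros 'John Doe <jdoe@foo.com>' /etc/rpm/.gpg SHA256 >> ~/.rpmmacros
#   sign_and_check ./PACKAGE_FILE.rpm
```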

SEE ALSO

       popt(3), rpm(8), rpmdb(8), rpmkeys(8), rpm2cpio(8), rpmbuild(8),
       rpmspec(8)

       rpmsign --help - as rpm supports customizing the options via popt
       aliases it's impossible to guarantee that what's described in the
       manual matches what's available.

       http://www.rpm.org/


AUTHORS

              Marc Ewing <marc@redhat.com>
              Jeff Johnson <jbj@redhat.com>
              Erik Troan <ewt@redhat.com>
              Panu Matilainen <pmatilai@redhat.com>
              Fionnuala Gunter <fin@linux.vnet.ibm.com>
              Jes Sorensen <jsorensen@fb.com>



                                Red Hat, Inc                       RPMSIGN(8)