signing an RPM with a GPG key

Why do this?

Primarily, it is to make people you don't know feel better about using your RPMs. In particular it has virtue if you obtain your rpms from a mirror site where some evil person might be claiming to mirror rpms from, say, Red Hat, but was actually inserting their own trojan horse into one or more rpms. As long as you obtained the public key from some reliable source, there would be no way to be fooled by this. If you maintain your own RPM repository only for local use, there is really no reason to sign your own rpms. If other people begin to use your packages and your packages begin to be hosted on sites other than your own, then it would be a good thing.

Fedora Packages

As of Fedora 15, a new package "rpm-sign" was created which contains the rpm sign-o-matic tool. This caused me no end of confusion, because I was unaware of this and rpm --addsign and rpmbuild --sign just gave confusing messages. All of this is discussed under Fedora Bugzilla bug 697435, entitled "rpm --addsign prints confusing error message when /usr/bin/rpmsign is unavailable".

In the new scheme of things, you need to yum install the rpm and rpm-build packages, but now also:

yum install rpm-sign
Hopefully they will do something about the error messages; meanwhile folks just keep falling into open manholes.

GPG basics

To go any further, you will need to learn some basic things about how to use GPG. In particular you will want to generate your own public/private key pair and export your public key into an ASCII-armored file.

Signing an RPM

The sensible and easy thing is to sign an rpm at the same time that you build it, by adding the --sign switch to the rpmbuild command, like so:

rpmbuild -ba --sign yada.spec
rpmbuild --rebuild --sign yada.src.rpm

(Note that --rebuild takes a source rpm, not a spec file.) This has become broken as of Fedora 15 and I have been signing the packages I build by hand. Part of the rub was that the rpm-build package was partitioned into two packages (rpm-build and rpm-sign) and I needed to install the rpm-sign package, but there seems to be further trouble.

You can sign the package after building it in the good old fashioned way:

rpm --addsign yada.rpm
Be sure to be ready with your GPG passphrase, whatever way you do it.

It is also possible to replace your signature on a package (which would be required if you changed your public key) via:

rpm --resign yada.rpm
You can also add more than one signature to a package using the --resign switch, though this seems to be rarely if ever done.

You can check whether a package is signed (and that everything is as it should be) using the --checksig switch (or equivalently the -K switch), like so:

rpm --checksig yada.rpm

An rpm that is not signed will look like this:

yada.rpm: sha1 md5 OK

An rpm that is signed will look like this:

yada.rpm: (sha1) dsa sha1 md5 gpg OK
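A small POSIX sh wrapper, added here as an example (it is not from the original page), that classifies each line of rpm --checksig output as signed, unsigned or bad and refuses to proceed unless every package carries a verified gpg signature. The three sample lines are constructed; the "NOT OK (MISSING KEYS: ...)" wording follows what rpm prints for a signature whose public key has not been imported.

```shell
#!/bin/sh
# Classify one line of `rpm --checksig` output.
# Prints: signed   - a gpg/pgp signature was verified against an imported key
#         unsigned - only the sha1/md5 digests were checked, no signature present
#         bad      - digest or signature failed, or the signing key is missing
classify_checksig() {
    line=$1
    sig=${line#*: }          # drop the "file.rpm: " prefix so a file name cannot match
    case $sig in
        *"NOT OK"*) echo bad ;;
        *" OK")
            case $sig in
                *gpg*|*GPG*|*pgp*|*PGP*) echo signed ;;
                *) echo unsigned ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# Read checksig lines on stdin, report each one, and return non-zero
# if any package is not verifiably signed. Typical use:
#   rpm --checksig *.rpm | check_all && yum localinstall *.rpm
check_all() {
    rc=0
    while IFS= read -r l; do
        [ -n "$l" ] || continue
        pkg=${l%%:*}
        status=$(classify_checksig "$l")
        echo "$pkg: $status"
        [ "$status" = signed ] || rc=1
    done
    return $rc
}

# Constructed sample output: unsigned, signed, and signed-but-key-not-imported.
SAMPLE='yada.rpm: sha1 md5 OK
foo.rpm: (sha1) dsa sha1 md5 gpg OK
bar.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#74e5f972)'

if printf '%s\n' "$SAMPLE" | check_all; then
    echo "all packages verifiably signed"
else
    echo "refusing: at least one package is unsigned or failed verification"
fi
```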

RPM and gpg keys

You can load someone's public key into your RPM database via:

su
rpm --import RPM-GPG-KEY-billy

To look at all the keys in the RPM database, do this:

rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} -- %{summary}\n'
This will yield output like:
rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} -- %{summary}\n'
gpg-pubkey-d22e77f2-49ee1409 -- gpg(Fedora (11) )
gpg-pubkey-ea46a458-42b36bab -- gpg(T. E. Pickering )
gpg-pubkey-74e5f972-4a79f709 -- gpg(Tom Trebisky )
gpg-pubkey-8fcff4da-49c51006 -- gpg(RPM Fusion free repository for Fedora (11) )
gpg-pubkey-8dc43844-49c510d6 -- gpg(RPM Fusion nonfree repository for Fedora (11) )

To erase one of the keys located via the above, do this:

rpm -e gpg-pubkey-74e5f972-4a79f709

How to skip the whole thing

To install a signed package when you don't have its key, use:

yum install --nogpgcheck package
This is just what you need to do if, for example, you have a package that contains the keys for all the other packages.

Alternately, you could specify that signatures not be checked for an entire repository by editing that repository's file in /etc/yum.repos.d and setting gpgcheck=0.


Have any comments? Questions? Drop me a line!

Adventures in Computing / tom@mmto.org