https://gist.github.com/fernandoaleman/1376720
How to sign your custom RPM package with GPG key
1 #rpm-digital-signature.sh 2 3 # How to sign your custom RPM package with GPG key 4 5 # Step: 1 6 # Generate gpg key pair (public key and private key) 7 # 8 # You will be prompted with a series of questions about encryption. 9 # Simply select the default values presented. You will also be asked 10 # to create a Real Name, Email Address and Comment (comment optional). 11 # 12 # If you get the following response: 13 # ----------------------------------------------------------------------- 14 # We need to generate a lot of random bytes. It is a good idea to perform 15 # some other action (type on the keyboard, move the mouse, utilize the 16 # disks) during the prime generation; this gives the random number 17 # generator a better chance to gain enough entropy. 18 # ----------------------------------------------------------------------- 19 # Open up a separate terminal, ssh into your server and run this command: 20 # ls -R / 21 22 gpg --gen-key 23 24 # Step: 2 25 # Verify your gpg keys were created 26 27 gpg --list-keys 28 29 # Step: 3 30 # Export your public key from your key ring to a text file. 31 # 32 # You will use the information for Real Name and Email you used to 33 # create your key. I used Fernando Aleman and faleman@email.com 34 35 gpg --export -a 'Fernando Aleman' > RPM-GPG-KEY-faleman 36 37 # Step: 4 38 # Import your public key to your RPM DB 39 # 40 # If you plan to share your custom built RPM packages with others, make sure 41 # to have your public key file available online so others can verify RPMs 42 43 sudo rpm --import RPM-GPG-KEY-faleman 44 45 # Step: 5 46 # Verify the list of gpg public keys in RPM DB 47 48 rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary} ' 49 50 # Step: 6 51 # Configure your ~/.rpmmacros file 52 # 53 # You can use the following command to edit if you are on the server: 54 # vi ~/.rpmmacros 55 # 56 # %_signature => This will always be gpg 57 # %_gpg_path => Enter full path to .gnupg in your home directory 58 # %_gpg_name => Use the Real Name you used to create your key 59 # %_gpbin => run `which gpg` (without ` marks) to get full path 60 61 %_signature gpg 62 %_gpg_path /root/.gnupg 63 %_gpg_name Fernando Aleman 64 %_gpgbin /usr/bin/gpg 65 66 # Step: 7 67 # Sign your custom RPM package 68 # 69 # You can sign each RPM file individually: 70 71 rpm --addsign git-1.7.7.3-1.el6.x86_64.rpm 72 73 # Or you can `cd` into your RPMS folder and sign them all: 74 75 rpm --addsign *.rpm 76 77 # Step: 8 78 # Check the signature to make sure it was signed 79 # 80 # Watch for 'gpg OK' as in this example: 81 # git-1.7.7.3-1.el6.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK 82 83 rpm --checksig git-1.7.7.3-1.el6.x86_64.rpm 84 85 # Tip! 86 # Sign package during build 87 # 88 # To sign a package while it's being built, simply add '--sign' 89 90 rpmbuild -ba --sign git.spec