- Create RPM build directories.
  mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
- Create a test source file.
  echo "RPM signing test file" > ~/rpmbuild/SOURCES/hello.txt
- Create a minimal SPEC file.
cat <<EOF > ~/rpmbuild/SPECS/hello.spec
Name: hello
Version: 1.0
Release: 1
Summary: Test RPM for signing
License: GPL
BuildArch: noarch
%description
Test RPM created to validate GPG/HSM-based RPM signing.
%install
mkdir -p %{buildroot}/usr/share/hello
cp %{_sourcedir}/hello.txt %{buildroot}/usr/share/hello/
%files
/usr/share/hello/hello.txt
EOF
- Create a file /root/.rpmmacros in the user's home directory and add the following content to it. Note that rpm reads the gpg binary and signing command from the double-underscore macros %__gpg and %__gpg_sign_cmd, while the key name and GnuPG directory come from the single-underscore macros %_gpg_name and %_gpg_path.
%_signature gpg
%_gpg_path /root/.gnupg
%_gpg_name test@utimaco.com
%__gpg /usr/local/bin/gpg
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
Content of rpmmacros file
Here:
- /root/.gnupg is the base directory for gnupg.
- test@utimaco.com is the key name, i.e. the user ID or key ID that gpg selects with -u.
- /usr/local/bin/gpg is the path of the gpg binary that is backed by the HSM, which is why it is given explicitly instead of relying on the distribution's default gpg.
- %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename} is the gpg command that rpm runs to sign the package: it writes a detached binary signature (-sbo) over the data in %{__plaintext_filename} to %{__signature_filename}, using the key named in %_gpg_name. Every long option must carry two leading dashes; a single-dash spelling such as -no-secmem-warning is parsed by gpg as a cluster of short options and the signing step fails.
- Sign the RPM package using the command below. Provide the slot PIN when prompted.
  # rpm --addsign <rpm_file>
RPM signing
- If you want to sign it again, run the command below. Provide the slot PIN when prompted.
  # rpm --resign <rpm_file>
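The whole procedure above, from writing the macros file through building, signing and verifying the package, as an added shell example that is not part of this guide. The gpg path, key name and GnuPG home are placeholders mirroring the guide's values and can be overridden through environment variables; build_sign_verify needs rpmbuild, rpm and the HSM-backed gpg on the host, while write_rpmmacros and lint_rpmmacros run anywhere and catch the two mistakes that most often make rpm --addsign fail silently or with an unhelpful error: a missing or misnamed macro, and a long gpg option spelled with a single dash.

```shell
#!/bin/sh
# Added example, not part of the Utimaco guide. Values below are placeholders
# mirroring the guide; override them via the environment before running.
GPG_BIN="${GPG_BIN:-/usr/local/bin/gpg}"     # HSM-backed gpg build (assumed path)
GPG_HOME="${GPG_HOME:-$HOME/.gnupg}"          # gnupg base directory
GPG_KEY="${GPG_KEY:-test@utimaco.com}"        # key name passed to gpg -u (placeholder)

# write_rpmmacros DIR: write DIR/.rpmmacros with the macros rpm --addsign reads.
# rpm looks up %__gpg and %__gpg_sign_cmd (double underscore); %_gpg_path and
# %_gpg_name are single underscore.
write_rpmmacros() {
  cat > "$1/.rpmmacros" <<EOF
%_signature gpg
%_gpg_path $GPG_HOME
%_gpg_name $GPG_KEY
%__gpg $GPG_BIN
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
EOF
}

# lint_rpmmacros FILE: return 0 when every macro the signing path needs is
# defined and no long option in %__gpg_sign_cmd is spelled with a single dash
# (gpg reads "-no-secmem-warning" as a cluster of short options, not the long one).
lint_rpmmacros() {
  f="$1"
  for m in _signature _gpg_path _gpg_name __gpg __gpg_sign_cmd; do
    grep -q "^%$m " "$f" || { echo "missing %$m in $f" >&2; return 1; }
  done
  if grep '^%__gpg_sign_cmd ' "$f" | grep -Eq '(^|[[:space:]])-(no-|force-|batch|verbose|digest-)'; then
    echo "single-dash long option in %__gpg_sign_cmd" >&2
    return 1
  fi
  return 0
}

# build_sign_verify: build hello-1.0-1.noarch.rpm from the spec in the guide,
# sign it (rpm prompts for the slot PIN), import the public key and verify.
build_sign_verify() {
  pkg="$HOME/rpmbuild/RPMS/noarch/hello-1.0-1.noarch.rpm"
  lint_rpmmacros "$HOME/.rpmmacros" || return 1
  rpmbuild -bb "$HOME/rpmbuild/SPECS/hello.spec" || return 1
  rpm --addsign "$pkg" || return 1
  # rpm -K only reports the signature as OK once the public key is in the rpm database
  "$GPG_BIN" --homedir "$GPG_HOME" --armor --export "$GPG_KEY" > "$HOME/RPM-GPG-KEY-hello" || return 1
  rpm --import "$HOME/RPM-GPG-KEY-hello" || return 1
  rpm -K "$pkg"
}

# Usage on the signing host:
#   write_rpmmacros "$HOME" && build_sign_verify
```

Run the lint step before every signing session, not only once: an edited macros file is the first thing to check when rpm --addsign reports "gpg exec failed" or produces a package whose rpm -K output lacks the signature line.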