Red Hat SummitChapitre 4. Advanced topics
This section covers topics that are beyond the scope of the introductory tutorial but are useful in real-world RPM packaging.
4.1. Signing RPM packages
You can sign RPM packages to ensure that no third party can alter their content. To add an additional layer of security, use the HTTPS protocol when downloading the package.
You can sign a package by using the --addsign option provided by the rpm-sign package.
Conditions préalables
- You have created a GNU Privacy Guard (GPG) key as described in Creating a GPG key.
4.1.1. Creating a GPG key
Use the following procedure to create a GNU Privacy Guard (GPG) key required for signing packages.
Procédure
Generate a GPG key pair:
gpg --gen-key
# gpg --gen-keyCopy to Clipboard Copied! Toggle word wrap Toggle overflow Check the generated key pair:
gpg --list-keys
# gpg --list-keysCopy to Clipboard Copied! Toggle word wrap Toggle overflow Exporter la clé publique :
gpg --export -a '<Key_name>' > RPM-GPG-KEY-pmanager
# gpg --export -a '<Key_name>' > RPM-GPG-KEY-pmanagerCopy to Clipboard Copied! Toggle word wrap Toggle overflow Replace <Key_name> with the real key name that you have selected.
Import the exported public key into an RPM database:
rpm --import RPM-GPG-KEY-pmanager
# rpm --import RPM-GPG-KEY-pmanagerCopy to Clipboard Copied! Toggle word wrap Toggle overflow
4.1.2. Configuring RPM to sign a package
To be able to sign an RPM package, you need to specify the %_gpg_name RPM macro.
The following procedure describes how to configure RPM for signing a package.
Procédure
Define the
%_gpg_namemacro in your$HOME/.rpmmacrosfile as follows:%_gpg_name Key ID
%_gpg_name Key IDCopy to Clipboard Copied! Toggle word wrap Toggle overflow Replace Key ID with the GNU Privacy Guard (GPG) key ID that you will use to sign a package. A valid GPG key ID value is either a full name or email address of the user who created the key.
4.1.3. Adding a signature to an RPM package
This section describes the most usual case when a package is built without a signature. The signature is added just before the release of the package.
To add a signature to an RPM package, use the --addsign option provided by the rpm-sign package.
Procédure
Add a signature to a package:
rpm --addsign package-name.rpm
$ rpm --addsign package-name.rpmCopy to Clipboard Copied! Toggle word wrap Toggle overflow Replace package-name with the name of an RPM package you want to sign.
NoteYou must enter the password to unlock the secret key for the signature.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}