6.8. Signing RPM packages
You can sign RPM packages so that any alteration of their content by a third party is detected when the signature is verified. Use either of the following tools:
- Sequoia PGP supports the OpenPGP standard. RPM also uses Sequoia PGP to verify software signatures.
- GNU Privacy Guard (GnuPG) supports older OpenPGP standard versions, which makes GnuPG more compatible with RHEL 9 and earlier versions.
Starting from version 10.1, RHEL supports OpenPGPv6 and RPMv6 signatures. These signatures are not compatible with earlier versions of RHEL: RPM on those versions ignores such signatures. If the package also contains an RPMv4 signature, RPM uses that one instead.
However, in RHEL 9.7 and later RHEL 9 versions, you can enable support for OpenPGPv6 and RPMv6 signatures by using the multisig DNF plugin.
6.8.1. Signing RPM packages with GnuPG
You can sign RPM packages by using the GNU Privacy Guard (GnuPG) software.
6.8.1.1. Creating an OpenPGP key for signing packages with GnuPG
To sign an RPM package by using the GNU Privacy Guard (GnuPG) software, you must create an OpenPGP key first.
Prerequisites
- You have the rpm-sign and pinentry packages installed on your system.
Procedure
1. Generate an OpenPGP key pair:
   $ gpg --gen-key
2. Check the generated key pair:
   $ gpg --list-keys
3. Export the public key:
   $ gpg --export -a '<public_key_name>' > RPM-GPG-KEY-pmanager
6.8.1.2. Configuring RPM to sign a package with GnuPG
To sign an RPM package by using the GNU Privacy Guard (GnuPG) software, you must configure RPM by specifying the %_gpg_name RPM macro.
Prerequisites
- You created an OpenPGP key for GnuPG. For more information, see Creating an OpenPGP key for signing packages with GnuPG.
Procedure
1. Define the %_gpg_name macro in your $HOME/.rpmmacros file:
   %_gpg_name <key_ID>
   A valid key ID value for GnuPG can be the key fingerprint, or the full name or email address you provided when creating the key. Prefer the fingerprint: a name or email address can match more than one key in the GnuPG keyring, and the key that GnuPG then selects is not necessarily the one you intended.
6.8.1.3. Adding a signature to an RPM package
Packages are commonly built without signatures. You can add your signature before the package is released.
Prerequisites
- You created an OpenPGP key for GnuPG. For more information, see Creating an OpenPGP key for signing packages with GnuPG.
- You configured RPM for signing packages. For more information, see Configuring RPM to sign a package with GnuPG.
- You have the rpm-sign package installed on your system.
Procedure
Add a signature to a package:
$ rpmsign --addsign <package-name>.rpm
Verification
1. Import the exported OpenPGP public key into the RPM keyring:
   # rpmkeys --import RPM-GPG-KEY-pmanager
2. Display the key fingerprint with GnuPG:
   $ gpg --list-keys
   [...]
   pub   rsa3072 2025-05-13 [SC] [expires: 2028-05-12]
         A8AF1C39AC67A1501450734F6DE8FC866DE0394D
   [...]
   The fingerprint is the 40-character hexadecimal string in the command output, for example, A8AF1C39AC67A1501450734F6DE8FC866DE0394D.
3. Verify that the RPM file has the corresponding signature:
   $ rpm -Kv <package_name>.rpm
   <package_name>.rpm:
       Header V4 RSA/SHA256 Signature, key ID 6de0394d: OK
       Header SHA256 digest: OK
       Header SHA1 digest: OK
       Payload SHA256 digest: OK
       MD5 digest: OK
   The key ID that rpm prints is the last 8 hexadecimal digits of the fingerprint, in lower case: 6de0394d corresponds to ...6DE0394D. Every line must report OK. NOKEY means that the public key was not imported into the RPM keyring, and a different key ID means that %_gpg_name selected another key. The 32-bit key ID only tells you which key to look at; the OK status is what shows that the signature verified against the imported key.
6.8.2. Signing RPM packages with Sequoia PGP
You can use Sequoia PGP to sign RPM packages so that any alteration of their content by a third party is detected when the signature is verified.
6.8.2.1. Creating an OpenPGP key for signing packages with Sequoia PGP
To sign packages by using the Sequoia PGP software, you must create an OpenPGP key first.
Procedure
1. Install the Sequoia PGP tools:
   # dnf install sequoia-sq
2. Generate an OpenPGP key pair:
   $ sq key generate --own-key --userid <key_name>
3. Check the generated key pair:
   $ sq key list
4. Export the public key:
   $ sq cert export --cert-userid '<key_name>' > RPM-PGP-KEY-pmanager
6.8.2.2. Configuring RPM to sign a package with Sequoia PGP
To sign an RPM package with the Sequoia PGP software, you must configure RPM to use Sequoia PGP as its signing backend and specify the %_gpg_name macro.
Prerequisites
- You have the rpm-sign package installed on your system.
Procedure
1. Copy the macros.rpmsign-sequoia file to the /etc/rpm directory:
   # cp /usr/share/doc/rpm/macros.rpmsign-sequoia /etc/rpm/
2. Get a valid OpenPGP key fingerprint value from the output of the key listing:
   $ sq cert list --cert-userid '<key_name>'
    - 7E4B52101EB3DB08967A1E5EB595D12FDA65BA50
      - created 2025-05-13 10:33:29 UTC
      - will expire 2028-05-13T03:59:50Z
      - [ ✓ ] <key_name>
   The key fingerprint is the 40-character string on the first line of the output, for example, 7E4B52101EB3DB08967A1E5EB595D12FDA65BA50.
3. Define the %_gpg_name macro in your $HOME/.rpmmacros file as follows:
   %_gpg_name <key_fingerprint>
   You can also use the full key ID instead of the fingerprint.
Note: Unlike GnuPG, Sequoia PGP accepts only the full key ID or the fingerprint as the %_gpg_name value, not a name or email address.
6.8.2.3. Adding a signature to an RPM package
Packages are commonly built without signatures. You can add your signature before the package is released.
Prerequisites
- You created an OpenPGP key. For more information, see Creating an OpenPGP key for signing packages with Sequoia PGP.
- You configured RPM for signing packages. For more information, see Configuring RPM to sign a package with Sequoia PGP.
- You have the rpm-sign package installed on your system.
Procedure
Add a signature to a package:
$ rpmsign --addsign <package-name>.rpm
Verification
1. Import the exported OpenPGP public key into the RPM keyring:
   # rpmkeys --import RPM-PGP-KEY-pmanager
2. Display the key fingerprints of the signing key:
   $ sq key list --cert-userid <key_name>
    - 7E4B52101EB3DB08967A1E5EB595D12FDA65BA50
      - user ID: <key_name> (authenticated)
      - created 2025-05-13 10:33:29 UTC
      - will expire 2028-05-13T03:59:50Z
      - usable for signing
      - @softkeys/7E4B52101EB3DB08967A1E5EB595D12FDA65BA50: available, unlocked
    - 78E56DD2E12E02CFEEA27F8B9FE57972D6BCEA6F
      - created 2025-05-13 10:33:29 UTC
      - will expire 2028-05-13T03:59:50Z
      - usable for decryption
      - @softkeys/7E4B52101EB3DB08967A1E5EB595D12FDA65BA50: available, unlocked
    - C06E45F8ABC3E59F44A9E811578DDDB66422E345
      - created 2025-05-13 10:33:29 UTC
      - will expire 2028-05-13T03:59:50Z
      - usable for signing
      - @softkeys/7E4B52101EB3DB08967A1E5EB595D12FDA65BA50: available, unlocked
    - E0BD231AB350AD6802D44C0A270E79FFC39C3B25
      - created 2025-05-13 10:33:29 UTC
      - will expire 2028-05-13T03:59:50Z
      - usable for signing
      - @softkeys/7E4B52101EB3DB08967A1E5EB595D12FDA65BA50: available, unlocked
   The signature is usually made by a signing subkey rather than by the primary key named in %_gpg_name; its fingerprint is one of the entries marked "usable for signing" in the sq key list --cert-userid <key_name> output, in this example E0BD231AB350AD6802D44C0A270E79FFC39C3B25.
3. Verify that the RPM file has the corresponding signature, for example:
   $ rpm -Kv <package_name>.rpm
   <package_name>.rpm:
       Header V4 EdDSA/SHA512 Signature, key ID c39c3b25: OK
       Header SHA256 digest: OK
       Header SHA1 digest: OK
       Payload SHA256 digest: OK
       MD5 digest: OK
   The key ID that rpm prints is the last 8 hexadecimal digits of the signing subkey's fingerprint, in lower case: c39c3b25 corresponds to ...C39C3B25. Every line must report OK; NOKEY means the certificate was not imported into the RPM keyring.
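The following script is an added example, not part of the RHEL documentation, covering the steps shared by the GnuPG procedure and the Sequoia PGP procedure above: it sets %_gpg_name without leaving a stale duplicate, derives the 8-digit key ID that rpm -Kv prints from a 40-digit fingerprint, and checks after signing that the reported signature is OK and comes from the expected key. The helper names (short_key_id, fingerprint_of, set_gpg_name, gpg_name_in, sign_and_check) are this example's own; the sq branch of fingerprint_of assumes the sq cert list layout shown above, and the signing step assumes rpm-sign is installed and is skipped otherwise.

```shell
#!/bin/sh
# Added example (not from the RHEL documentation): the rpmmacros setup and
# post-signing check shared by the GnuPG and Sequoia procedures above.
# Only the key-lookup helper differs per backend; rpm-sign is needed for
# the signing step and is probed for before use.
set -eu

# Derive the 8-hex-digit short key ID that `rpm -Kv` prints from a
# 40-hex-digit OpenPGP fingerprint: the low 32 bits, in lower case.
short_key_id() {   # short_key_id <fingerprint>
    fp=$(printf '%s' "$1" | tr -d ' ' | tr 'A-F' 'a-f')
    if [ "${#fp}" -ne 40 ] || [ -n "$(printf '%s' "$fp" | tr -d '0-9a-f')" ]; then
        echo "short_key_id: not a 40-hex-digit fingerprint: $1" >&2
        return 1
    fi
    prefix=${fp%????????}            # everything but the last 8 characters
    printf '%s\n' "${fp#"$prefix"}"
}

# Look up the fingerprint of a key by user ID with either backend. The sq
# branch parses the `sq cert list` layout shown above (the first line of an
# entry is "- <fingerprint>"); adjust it if your sq version prints differently.
fingerprint_of() {   # fingerprint_of gpg|sq <user id>
    case $1 in
        gpg) gpg --with-colons --list-keys "$2" | awk -F: '$1 == "fpr" { print $10; exit }' ;;
        sq)  sq cert list --cert-userid "$2" | awk '$1 == "-" && length($2) == 40 { print $2; exit }' ;;
        *)   echo "fingerprint_of: backend must be gpg or sq" >&2; return 1 ;;
    esac
}

# Set %_gpg_name in an rpmmacros file, replacing any existing definition
# rather than appending a second one: rpm honours the last definition it
# reads, so a stale duplicate silently signs with the wrong key.
set_gpg_name() {   # set_gpg_name <key id or fingerprint> [macros file]
    macros=${2:-"$HOME/.rpmmacros"}
    tmp=$(mktemp)
    if [ -f "$macros" ]; then
        grep -v '^%_gpg_name[[:space:]]' "$macros" > "$tmp" || true
    fi
    printf '%%_gpg_name %s\n' "$1" >> "$tmp"
    mv "$tmp" "$macros"
}

# Read back the effective %_gpg_name from a macros file (last definition wins).
gpg_name_in() {   # gpg_name_in <macros file>
    sed -n 's/^%_gpg_name[[:space:]]*//p' "$1" | tail -n 1
}

# Sign a package and confirm that rpm reports an OK signature from the key
# whose fingerprint is given. NOKEY means the public key was never imported
# with `rpmkeys --import`; a different key ID means %_gpg_name is wrong.
sign_and_check() {   # sign_and_check <package.rpm> <fingerprint>
    pkg=$1
    want=$(short_key_id "$2")
    rpmsign --addsign "$pkg"
    report=$(rpm -Kv "$pkg" || true)   # keep going so the report is shown
    printf '%s\n' "$report"
    printf '%s\n' "$report" | grep -q "Signature, key ID $want: OK" || {
        echo "no OK signature from key ID $want on $pkg" >&2
        return 1
    }
}

# Usage: ./sign.sh gpg|sq '<user id>' package.rpm
if [ $# -eq 3 ] && command -v rpmsign >/dev/null 2>&1; then
    fpr=$(fingerprint_of "$1" "$2")
    set_gpg_name "$fpr"
    sign_and_check "$3" "$fpr"
fi
```

The check in sign_and_check deliberately requires the literal ": OK" after the expected key ID: a report that verifies a signature from some other key, or that shows NOKEY for the right key, fails the step instead of passing because rpm printed something.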
6.8.3. Signing RPM packages with Sequoia PGP by using PQC
Post-quantum cryptography (PQC) is a set of algorithms designed to withstand attacks from quantum computers, thereby enhancing software security. To sign a package with PQC algorithms, you can use Sequoia PGP software.
The RPM package manager uses the OpenPGP standard to sign packages. OpenPGPv6 introduces support for hybrid keys and signatures. They combine the current cryptographic algorithm with the PQC algorithm, preventing a single point of failure and increasing trust in the resulting signature.
Starting from version 10.1, RHEL supports RPMv6 signatures. With this format, you can add multiple OpenPGP signatures to a package, increasing the redundancy on the RPM level.
You can combine RPMv4 and RPMv6 signatures on the same package so that different RPM versions can verify it. Starting from RHEL 10.1, RPM verifies only the RPMv6 signatures if any exist and ignores the RPMv4 ones; if no RPMv6 signatures are present, RPM uses the RPMv4 signatures. In earlier RHEL versions, RPM verifies RPMv4 signatures and ignores RPMv6 ones.
6.8.3.1. Creating a PQC key
To sign packages by using post-quantum cryptography (PQC) algorithms, you must create a hybrid key pair with Sequoia PGP first.
Note that you can specify different PQC algorithms. For example, the following procedure uses the hybrid ML-DSA-87+Ed448 algorithm.
Procedure
1. Install the Sequoia PGP tools:
   # dnf install sequoia-sq
2. Generate an OpenPGP key pair:
   $ sq key generate --own-key --expiration=never \
       --cannot-authenticate --cannot-encrypt \
       --email <vendor_email> --name "<vendor_name>" \
       --cipher-suite mldsa87 --profile rfc9580
   Replace <vendor_email> and <vendor_name> with the email and the name of the software vendor that provides the RPM package.
   This command generates a primary key and a signing subkey. The --cannot-authenticate and --cannot-encrypt options restrict the key to signing, which is the least-privilege shape for a release signing key.
3. Check the generated key pair:
   $ sq key list --cert-email <vendor_email>
    - <ml_dsa_fingerprint>
      - user IDs:
        - <vendor_email> (authenticated)
        - <vendor_name> (authenticated)
      - created 2025-10-03 14:36:44 UTC
      - usable for signing
      - @softkeys/<ml_dsa_fingerprint>: available, unlocked
    - <subkey_fingerprint>
      - created 2025-10-03 14:36:44 UTC
      - usable for signing
      - @softkeys/<subkey_fingerprint>: available, unlocked
4. Export the PQC OpenPGP certificate:
   $ sq cert export --cert-email '<vendor_email>' > RPM-PGP-KEY-VENDOR
6.8.3.2. Configuring RPM for PQC
After you generate a PQC key you want to use to sign a package, you must configure RPM to use this key.
Configure RPM on a separate signing server, outside of the build system, so that the private signing key is never present on the build hosts. RPM requires macros to support signing packages with Sequoia PGP. These macros are available in a template file.
Prerequisites
- You created a PQC key pair. For more information, see Creating a PQC key.
- You have the rpm-sign package installed on your system.
Procedure
1. Copy the macros.rpmsign-sequoia file to the /etc/rpm directory:
   # cp /usr/share/doc/rpm/macros.rpmsign-sequoia /etc/rpm/
2. Check the generated key pair and note the fingerprint of the primary key:
   $ sq key list --cert-email <vendor_email>
    - <ml_dsa_fingerprint>
      - user IDs:
        - <vendor_email> (authenticated)
        - <vendor_name> (authenticated)
      - created 2025-10-03 14:36:44 UTC
      - usable for signing
      - @softkeys/<ml_dsa_fingerprint>: available, unlocked
    - <subkey_fingerprint>
      - created 2025-10-03 14:36:44 UTC
      - usable for signing
      - @softkeys/<subkey_fingerprint>: available, unlocked
3. Write the key fingerprint to the ~/.rpmmacros file:
   $ echo "%_gpg_name <ml_dsa_fingerprint>" > ~/.rpmmacros
   Note that the single > overwrites ~/.rpmmacros. If the file already holds other macros, append with >> or edit it instead, and keep only one %_gpg_name definition, because rpm uses the last definition it reads.
6.8.3.3. Adding multiple signatures to an RPM
Starting from version 10.1, RHEL supports RPMv6 signatures. With this format, you can add multiple signatures to an RPM package. This results in enhanced security if either of the keys gets compromised or either of the cryptographic algorithms is rendered insecure.
You can run the rpmsign --addsign --rpmv6 command multiple times, with a different key configured in %_gpg_name each time, to sign the RPM with multiple keys. Note that the first RPMv6 signature, usually made with an OpenPGPv4 RSA key that RPMv4 can verify, is also stored as an RPMv4 signature. This allows older RPM versions to trust the package signature.
Add an RPMv4-compatible signature to the package before adding any RPMv6 signatures that use PQC algorithms. This ensures that the package carries a signature that RPM on RHEL versions earlier than RHEL 10.1 can verify; a package that carries only PQC signatures has no verifiable signature on those versions.
Prerequisites
- You generated a PQC key pair. For more information, see Creating a PQC key.
- You configured RPM to use the PQC key. For more information, see Configuring RPM for PQC.
Procedure
1. Add a signature to a package:
   $ rpmsign --addsign --rpmv6 <package_name>.rpm
2. To sign the package with multiple RPMv6 signatures, repeat the previous step once for each additional key, after configuring that key in %_gpg_name.
Verification
1. Import the exported PQC OpenPGP certificate into the RPM keyring:
   # rpmkeys --import RPM-PGP-KEY-VENDOR
2. Verify that the RPM file has the corresponding signatures, for example:
   $ rpmkeys -Kv <package_name>.rpm
   <package_name>.rpm:
       Header OpenPGP V6 ML-DSA-87+Ed448/SHA512 signature, key fingerprint: <ml_dsa_fingerprint>: OK
       Header OpenPGP V4 RSA/SHA512 signature, key fingerprint: <rsa_fingerprint>: OK
       Header SHA256 digest: OK
       Payload SHA256 digest: OK
   Each signature line must report OK. A NOKEY status means that the certificate for that signature is not in the RPM keyring; for the V4 line to verify, the RSA signer's public key must be imported as well.
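The following script is an added example, not part of the RHEL documentation, for the multi-signature procedure above: it adds the RPMv4-compatible signature first and the PQC RPMv6 signature second, and it checks the rpmkeys -Kv report in a way that a release pipeline can gate on. It assumes the macros.rpmsign-sequoia macros are installed and that both signing keys are in the sq key store; the two fingerprints, the function names (add_signatures, check_report, verify_package) and the sample reports are constructed for this example. The --define option of rpmsign is used to override %_gpg_name for a single invocation instead of editing ~/.rpmmacros between the two signing runs.

```shell
#!/bin/sh
# Added example (not from the RHEL documentation): add an RPMv4-compatible
# signature and then a PQC RPMv6 signature, and gate a release on the
# `rpmkeys -Kv` report. Assumes the macros.rpmsign-sequoia macros are
# installed and both signing keys live in sq's key store; the two
# fingerprints below are constructed placeholders, not real keys.
set -eu

RSA_FPR=2222222222222222222222222222222222222222   # constructed placeholder
PQC_FPR=1111111111111111111111111111111111111111   # constructed placeholder

# Sign with the v4-compatible key first, then the PQC key, in the order
# the text recommends. --define overrides %_gpg_name for one invocation,
# so ~/.rpmmacros need not be edited between the two runs.
add_signatures() {   # add_signatures <package.rpm> <rsa fingerprint> <pqc fingerprint>
    pkg=$1
    # First RPMv6 signature; rpm also stores it as the RPMv4 signature.
    rpmsign --define "_gpg_name $2" --addsign --rpmv6 "$pkg"
    # Second RPMv6 signature; only RPM from RHEL 10.1 on verifies it.
    rpmsign --define "_gpg_name $3" --addsign --rpmv6 "$pkg"
}

# Check an `rpmkeys -Kv` report: every status line must read OK (NOKEY,
# NOTTRUSTED and BAD all fail), and an OK signature must be present for
# every expected fingerprint. Returns 1 on any problem.
check_report() {   # check_report <report text> <fingerprint>...
    report=$1
    shift
    bad=$(printf '%s\n' "$report" | awk '/: [A-Z]+$/ && !/: OK$/')
    if [ -n "$bad" ]; then
        printf 'verification failed:\n%s\n' "$bad" >&2
        return 1
    fi
    for fpr; do
        printf '%s\n' "$report" | grep -Fq "key fingerprint: $fpr: OK" || {
            echo "no OK signature from $fpr (not signed with it, or key not imported)" >&2
            return 1
        }
    done
}

# Verify a package on disk against the fingerprints it must carry.
verify_package() {   # verify_package <package.rpm> <fingerprint>...
    pkg=$1
    shift
    check_report "$(rpmkeys -Kv "$pkg" || true)" "$@"
}

# Constructed sample reports in the layout shown above, for exercising the
# checker on a machine without rpm.
SAMPLE_OK="pkg.rpm:
    Header OpenPGP V6 ML-DSA-87+Ed448/SHA512 signature, key fingerprint: $PQC_FPR: OK
    Header OpenPGP V4 RSA/SHA512 signature, key fingerprint: $RSA_FPR: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK"
SAMPLE_NOKEY="pkg.rpm:
    Header OpenPGP V6 ML-DSA-87+Ed448/SHA512 signature, key fingerprint: $PQC_FPR: NOKEY
    Header OpenPGP V4 RSA/SHA512 signature, key fingerprint: $RSA_FPR: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK"

# Usage: ./pqc-sign.sh package.rpm
if [ $# -eq 1 ] && command -v rpmsign >/dev/null 2>&1; then
    add_signatures "$1" "$RSA_FPR" "$PQC_FPR"
    verify_package "$1" "$RSA_FPR" "$PQC_FPR"
fi
```

check_report fails closed: a report in which the PQC line says NOKEY, or in which one of the required fingerprints is absent, rejects the package even though rpmkeys printed OK for the remaining lines, which is the behaviour you want before a package leaves the signing server.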