.TH "RPMSIGN" "8" "Red Hat, Inc"
.SH NAME
rpmsign \- RPM Package Signing
.SH SYNOPSIS
.SS "SIGNING PACKAGES:"
.PP
\fBrpm\fR \fB--addsign|--resign\fR [\fBrpmsign-options\fR] \fB\fIPACKAGE_FILE\fB\fR\fI ...\fR
\fBrpm\fR \fB--delsign\fR \fB\fIPACKAGE_FILE\fB\fR\fI ...\fR
.SS "rpmsign-options"
.PP
[\fB--fskpath \fIKEY\fB\fR] [\fB--signfiles\fR]
.SH DESCRIPTION
.PP
Both of the \fB--addsign\fR and \fB--resign\fR
options generate and insert new signatures for each package
\fIPACKAGE_FILE\fR given, replacing any
existing signatures. The two options exist for historical reasons;
there is currently no difference in their behavior.
To create a signature, rpm must first verify the package's existing
digests. As a result, packages whose digests are MD5 or SHA1 cannot be
signed in FIPS mode, where those algorithms are not available.
.PP
\fBrpm\fR \fB--delsign\fR \fB\fIPACKAGE_FILE\fB\fR\fI ...\fR
.PP
Delete all signatures from each package \fIPACKAGE_FILE\fR given.
.SS "SIGN OPTIONS"
.PP
.TP
\fB--fskpath \fIKEY\fB\fR
Used with \fB--signfiles\fR: use the file signing key \fIKEY\fR.
.TP
\fB--signfiles\fR
Sign the individual files in the package. The macro
\fB%_binary_filedigest_algorithm\fR must be set to a supported
algorithm before building the package. The supported algorithms are
SHA1, SHA256, SHA384, and SHA512, represented by the values 2, 8, 9,
and 10 respectively. The file signing key (an RSA private key) must be
set before signing the package; it can be given on the command line
with \fB--fskpath\fR or through the macro \fB%_file_signing_key\fR.
.SS "USING GPG TO SIGN PACKAGES"
.PP
In order to sign packages using GPG, \fBrpm\fR
must be configured to run GPG and be able to find a key
ring with the appropriate keys. By default,
\fBrpm\fR uses the same conventions as GPG
to find key rings, namely the \fB$GNUPGHOME\fR environment
variable. If your key rings are not located where GPG expects
them to be, you will need to configure the macro
\fB%_gpg_path\fR
to be the location of the GPG key rings to use.
If you want to be able to sign packages you create yourself, you
also need to create your own public and secret key pair (see the
GPG manual). You will also need to configure the \fBrpm\fR macro
.TP
\fB%_gpg_name\fR
The name of the "user" whose key you wish to use to sign your packages.
.PP
For example, to be able to use GPG to sign packages as the user
\fI"John Doe <jdoe@foo.com>"\fR
from the key rings located in \fI/etc/rpm/.gpg\fR
using the executable \fI/usr/bin/gpg\fR you would include
.PP
.nf
%_gpg_path /etc/rpm/.gpg
%_gpg_name John Doe <jdoe@foo.com>
%__gpg /usr/bin/gpg
.fi
.PP
in a macro configuration file. Use \fI/etc/rpm/macros\fR
for per-system configuration and \fI~/.rpmmacros\fR
for per-user configuration. Typically it's sufficient to set just %_gpg_name.
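.PP
The following shell script is an added worked example, not part of rpm's
own sources, that walks the configuration above end to end and also
exercises the \fB--signfiles\fR option described under SIGN OPTIONS. It
creates a throwaway GPG key, writes the three macros into a private
\fI~/.rpmmacros\fR, builds a small package with
\fB%_binary_filedigest_algorithm\fR pinned to SHA256, signs it with
\fBrpmsign --addsign\fR (adding \fB--signfiles --fskpath\fR when the
hypothetical \fBFSKPATH\fR variable is set), imports the signer's public key
into a private rpmdb and verifies the result with \fBrpmkeys --checksig\fR.
The signer identity, every path, the package name and the spec file are
assumptions made for this example; it expects rpm 4.14 or later, which does
not prompt for a passphrase, and gpg 2.1 or later.

```sh
#!/bin/sh
# Added example, not part of rpm's own sources: sign a package with
# rpmsign using a per-user ~/.rpmmacros, then verify it.
# Every path, the signer identity and the demo spec file are assumptions
# made for this example.
set -eu

# Write the per-user macro file described in rpmsign(8).
# Args: macro file path, %_gpg_name, %_gpg_path (GPG home dir), gpg binary.
write_rpm_macros() {
    printf '%%_gpg_name %s\n%%_gpg_path %s\n%%__gpg %s\n' "$2" "$3" "$4" > "$1"
}

# Create a passphrase-less RSA signing key in its own GPG home directory.
# Args: GPG home dir, user id.
make_signing_key() {
    mkdir -p "$1" && chmod 700 "$1"
    GNUPGHOME=$1 gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" rsa3072 sign never
}

# Build a minimal noarch package to sign; %_binary_filedigest_algorithm is
# pinned to 8 (SHA256) at build time, the prerequisite for --signfiles.
# Arg: rpmbuild _topdir. Prints the path of the built .rpm.
build_test_package() {
    mkdir -p "$1/SPECS" "$1/BUILD" "$1/BUILDROOT" "$1/RPMS" "$1/SRPMS" "$1/SOURCES"
    cat > "$1/SPECS/rpmsign-demo.spec" <<'EOF'
Name: rpmsign-demo
Version: 1.0
Release: 1
Summary: Throwaway package for an rpmsign example
License: MIT
BuildArch: noarch

%description
Throwaway package used only to demonstrate rpmsign.

%install
mkdir -p %{buildroot}/usr/share/rpmsign-demo
echo hello > %{buildroot}/usr/share/rpmsign-demo/README

%files
/usr/share/rpmsign-demo
EOF
    rpmbuild --quiet --define "_topdir $1" \
        --define '_binary_filedigest_algorithm 8' \
        -bb "$1/SPECS/rpmsign-demo.spec" >&2
    echo "$1/RPMS/noarch/rpmsign-demo-1.0-1.noarch.rpm"
}

# Sign (or re-sign) a package, reading %_gpg_name etc. from $HOME/.rpmmacros.
# With FSKPATH set, also sign the individual files (--signfiles), which
# needs an rpm built with IMA support, so it stays optional here.
# Args: directory holding .rpmmacros, package file.
sign_package() {
    if [ -n "${FSKPATH:-}" ]; then
        HOME=$1 rpmsign --addsign --signfiles --fskpath "$FSKPATH" "$2"
    else
        HOME=$1 rpmsign --addsign "$2"
    fi
}

# Import the signer's public key into a private rpmdb (so the system key
# ring is untouched) and verify the package against it. Exit status is
# rpmkeys': 0 only when digests and signatures check out.
# Args: GPG home dir, user id, private rpmdb dir, package file.
verify_package() {
    mkdir -p "$3"
    rpm --dbpath "$3" --initdb
    GNUPGHOME=$1 gpg --batch --armor --export "$2" > "$3/signer.asc"
    rpmkeys --dbpath "$3" --import "$3/signer.asc"
    rpmkeys --dbpath "$3" --checksig "$4"
}

# End-to-end run; returns 0 when the freshly signed package verifies.
demo() {
    tmp=$(mktemp -d)
    name='RPM Signing (example) <rpm-sign@example.com>'
    make_signing_key "$tmp/gnupg" "$name"
    write_rpm_macros "$tmp/.rpmmacros" "$name" "$tmp/gnupg" "$(command -v gpg)"
    pkg=$(build_test_package "$tmp/build")
    rpm -qpi "$pkg" | grep '^Signature'    # "(none)" before signing
    sign_package "$tmp" "$pkg"
    rpm -qpi "$pkg" | grep '^Signature'    # "RSA/SHA256, ..., Key ID ..." after
    verify_package "$tmp/gnupg" "$name" "$tmp/rpmdb" "$pkg"
}

if [ "${1:-}" = run ]; then
    demo
fi
```
.PP
Run it as \fBsh sign-demo.sh run\fR. Pointing \fBHOME\fR at a scratch
directory during signing and \fB--dbpath\fR at a scratch rpmdb during
verification keeps the real \fI~/.rpmmacros\fR and the system key ring out
of the experiment; for production signing, put the same three macros in
\fI~/.rpmmacros\fR or \fI/etc/rpm/macros\fR and import the public key with
\fBrpmkeys --import\fR on every host that will install the packages.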
.PP
.SH "SEE ALSO"
.nf
\fBpopt\fR(3),
\fBrpm\fR(8),
\fBrpmdb\fR(8),
\fBrpmkeys\fR(8),
\fBrpm2cpio\fR(8),
\fBrpmbuild\fR(8),
\fBrpmspec\fR(8),
.fi
\fBrpmsign --help\fR - as rpm supports customizing the options via popt aliases,
it's impossible to guarantee that what's described in the manual matches
what's available.
.PP
\fBhttp://www.rpm.org/\fR
.SH "AUTHORS"
.nf
Marc Ewing <marc@redhat.com>
Jeff Johnson <jbj@redhat.com>
Erik Troan <ewt@redhat.com>
Panu Matilainen <pmatilai@redhat.com>
Fionnuala Gunter <fin@linux.vnet.ibm.com>
.fi