You are here

Signing RPMs

So you've built a shiny new RPM, let's say rubygem-cucumber-0.10.0-1.noarch.rpm, and you want to install it on a system. You enter the command:1

sudo yum install -y ./rubygem-cucumber-0.10.0-1.noarch.rpm

and then get this:

(some output removed)
Dependencies Resolved
 Package          Arch   Version        Repository                         Size
 rubygem-cucumber noarch 0.10.0-1       /rubygem-cucumber-0.10.0-1.noarch 3.3 M
Installing for dependencies:
 rubygem-builder  noarch 2.1.2-2.el5    epel                               81 k
 rubygem-diff-lcs noarch 1.1.2-3.el5    epel                              123 k
 rubygem-gherkin  x86_64 2.3.4-1        oberonproject                     1.2 M
 rubygem-json     x86_64 1.4.6-1        oberonproject                     469 k
                  noarch 1.0.5-1.el5    epel                               42 k
Transaction Summary
Install       6 Package(s)
Upgrade       0 Package(s)
Total size: 5.2 M
Downloading Packages:
Package rubygem-cucumber-0.10.0-1.noarch.rpm is not signed

Well, bummer. yum wants the RPM to be signed.2

To sign your RPM, you first need a GPG key. To create one, run gpg --gen-key and follow the instructions. Once it's created, you should be able to see it by running gpg --list-keys. (For the rest of this, I'm going to assume the key is named "Software Packager". Where you see this, replace it with the name for the key.)

In order for yum to allow using your key, you'll need to import it into the RPM database. First, export the key to a file:

gpg --export -a 'Software Packager' > RPM-GPG-KEY-packager

Now, import it into the RPM database:

sudo rpm --import RPM-GPG-KEY-packager

To tell rpmbuild to use this key, add the following lines to your .rpmmacros file:

%_signature gpg
%_gpg_name Software Packager

Since you have an RPM built, you can add a signature with rpm --addsign, like so:

rpm --addsign ./rubygem-cucumber-0.10.0-1.noarch.rpm

Now, when you run sudo yum install -y ./rubygem-cucumber-0.10.0-1.noarch.rpm, the RPM will install successfully.

If you want to sign RPMs automatically when you build them, which I suggest, add the --sign option to rpmbuild like so:

rpmbuild -ba --sign SPECS/rubygem-cucumber.spec

So now that you have signed RPMs, you surely want to put them in a local repository. I'll show you how to do that (or at least how I do it) in the near future.3

  • 1. You are doing this as a normal user and using sudo for anything that requires root privileges, right?
  • 2. Yes, you could just install it with sudo rpm -i ./rubygem-cucumber-0.10.0-1.noarch.rpm but then you have to manually install the dependencies as well. On a single machine, this may not be too bad, but this won't scale.

    You can also pass --nogpgcheck to yum install but this may be prohibited by your local security policies. For example, the NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5 recommends ensuring that all yum repositories check the GPG keys.)

  • 3. If you can't wait, check out the createrepo command.


This is awesome. I am not sure what I like better, the quality of the article or the fact that yum REQUIRES you to actually sign the package. One more thumbs up to RHEL. Now if I could just get an SSL Cert and Key pair to import via pkgadm. :-/

[...] 1. If you don't have signed RPMs yet, you might want to read my previous post. [...]

Add new comment