Sign RPM files with GPG and RPM signing tool using Smartcard Daemon (SCD)
This article explores how you can sign RPM packages by leveraging GPG keys generated and stored in a DigiCert® Software Trust Manager with RPM signing tool.
Note
Certain versions of RHEL and CentOS, specifically versions 8 and 9, may fail when RPM signing is used with Software Trust Manager and the keyring contains both a master key and a signing subkey. To work around this, download a keyring that contains only the master key, with signing enabled on it.
Prerequisites
Install GPG
Install and configure one of the following:
Software Trust Manager SCD (recommended)
GPG key
Set up RPM signing
To set up GPG with RPM for signing:
Install the rpm-sign utility:
dnf install -y rpm-sign
To export the public key:
gpg --export -a "<gpg_key_name>" > "<gpg_key_name.asc>"
Note
The gpg_key_name is the name of the key you received when setting up GPG. It must identify the key the way gpg --list-keys shows it (a user ID or key ID).
To import the key into the local RPM database:
rpm --import "<gpg_key_name.asc>"
To check if the key was imported:
rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
Note
This should show an entry for the key you just imported. The entry is named gpg-pubkey-<last eight hex digits of the key ID, lower case>-<key creation time in hex>, and the summary shows the key's user ID.
To create a .rpmmacros file in the logged-in user’s home directory:
%_signature gpg
%_gpg_path /root/.gnupg
%_gpg_name <gpg_key_name>
%_gpgbin /usr/bin/gpg2
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
Note
This file is created as the root user, so %_gpg_path points at root's keyring (/root/.gnupg). If you sign as another user, point %_gpg_path at that user's ~/.gnupg, the home directory in which the Software Trust Manager SCD or GPG key was configured.
Insert the name of your GPG key as %_gpg_name.
%__gpg_sign_cmd executes the binary named by the %{__gpg} macro (typically /usr/bin/gpg, which on RHEL-family systems is GnuPG 2); %_gpgbin is a legacy macro that this command does not use. The --force-v3-sigs option is obsolete and ignored by GnuPG 2.1 and later but is still accepted, so it does not break signing.
Sign with RPM
To sign using the GPG key defined in the .rpmmacros file:
rpm --addsign <package_name>.rpm
Command sample:
rpm --addsign hello-2.10-6.fc35.x86_64.rpm
Command output (gpg is invoked twice because rpm signs both the header and the header plus payload):
hello-2.10-6.fc35.x86_64.rpm:
gpg: writing to 'hello-2.10-6.fc35.x86_64.rpm.sig'
gpg: RSA/SHA256 signature from: "A03E8CC672CFE1AD demo"
gpg: writing to 'hello-2.10-6.fc35.x86_64.rpm.sig'
gpg: RSA/SHA256 signature from: "A03E8CC672CFE1AD demo"
Verify RPM signature
To verify a signed RPM:
rpm --checksig <package_name>.rpm
Command sample:
rpm --checksig hello-2.10-6.fc35.x86_64.rpm
Command output:
hello-2.10-6.fc35.x86_64.rpm: digests signatures OK
Note
To verify the RPM on other machines, first import the exported public key into each machine's RPM database with rpm --import; until it is imported, rpm --checksig reports the signatures as NOT OK because the key is missing. Note also that "digests signatures OK" means the package was signed by some key present in the local RPM database, not necessarily yours; run rpm --checksig -v to see the key ID behind each signature.
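The signing and verification steps above end with rpm --checksig, which accepts a signature from any key imported into the local RPM database. The following script, added here as an example and not part of the original article or of DigiCert's tooling, pins verification to one expected key: it checks that the key's gpg-pubkey entry is present, that rpm --checksig passes, and that both the header signature (RSAHEADER) and the header-plus-payload signature (SIGPGP) were made by that key. The expected key ID A03E8CC672CFE1AD and the package name are taken from the sample output above and are assumptions for illustration; the demo string the helpers are exercised on is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the original article or DigiCert's tooling):
# pin an RPM's signatures to one expected key ID instead of accepting any key
# present in the local rpmdb. `rpm --checksig` alone only answers "signed by
# some key I have imported", which is weaker than "signed by our release key".
#
# Assumptions (hypothetical, for illustration): the expected signing key is the
# demo key A03E8CC672CFE1AD from the sample output, the package is
# hello-2.10-6.fc35.x86_64.rpm, and rpm writes two signatures per package.

# Lower-case a key ID: rpm prints key IDs in lower case, gpg --list-keys in upper.
lc() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Extract the 16-hex-digit key ID from an rpm ":pgpsig" formatted tag, e.g.
# "RSA/SHA256, Wed 01 Mar 2023 10:00:00 AM UTC, Key ID a03e8cc672cfe1ad".
# Prints nothing for an unsigned package, whose tag renders as "(none)".
pgpsig_key_id() {
    printf '%s\n' "$1" | sed -n 's/.*Key ID \([0-9A-Fa-f]\{16\}\).*/\1/p' | tr '[:upper:]' '[:lower:]'
}

# Case-insensitive comparison of two key IDs; an empty candidate never matches.
key_id_matches() {
    [ -n "$1" ] && [ "$(lc "$1")" = "$(lc "$2")" ]
}

# Name of the gpg-pubkey package that `rpm --import` creates: its version is
# the low 32 bits (last 8 hex digits) of the 64-bit key ID, lower-cased.
gpg_pubkey_pkg_prefix() {
    id=$(lc "$1")
    printf 'gpg-pubkey-%s\n' "${id#????????}"
}

# Real check (needs rpm and the imported public key). Succeeds only when the
# key is in the rpmdb, rpm reports digests and signatures OK, AND both the
# header signature (RSAHEADER) and the header+payload signature (SIGPGP)
# were made by the expected key.
rpm_signed_by() {
    pkg=$1
    expected=$2
    pubkey=$(gpg_pubkey_pkg_prefix "$expected")
    rpm -q "$pubkey" >/dev/null 2>&1 || {
        echo "expected key not imported into rpmdb: $pubkey" >&2
        return 1
    }
    rpm --checksig "$pkg" >/dev/null 2>&1 || {
        echo "rpm --checksig failed for $pkg" >&2
        return 1
    }
    for tag in RSAHEADER SIGPGP; do
        sig=$(rpm -qp --qf "%{$tag:pgpsig}" "$pkg" 2>/dev/null)
        id=$(pgpsig_key_id "$sig")
        key_id_matches "$id" "$expected" || {
            echo "$tag signature on $pkg is from key '${id:-none}', expected $(lc "$expected")" >&2
            return 1
        }
    done
    echo "$pkg: both signatures from key $(lc "$expected")"
}

# Constructed demo string (not captured from a real system) so the helpers
# can be exercised without rpm installed:
demo_sig='RSA/SHA256, Wed 01 Mar 2023 10:00:00 AM UTC, Key ID a03e8cc672cfe1ad'
echo "parsed key ID: $(pgpsig_key_id "$demo_sig")"
echo "rpmdb package: $(gpg_pubkey_pkg_prefix A03E8CC672CFE1AD)"

# On a signing or verifying host:
#   sh check_rpm_key.sh hello-2.10-6.fc35.x86_64.rpm A03E8CC672CFE1AD
if [ "$#" -eq 2 ] && command -v rpm >/dev/null 2>&1; then
    rpm_signed_by "$1" "$2"
fi
```

The gpg-pubkey lookup is deliberately done before rpm --checksig: a missing key already makes checksig fail, but reporting "key not imported" separately distinguishes a deployment mistake (forgot rpm --import on this host) from a package signed by the wrong key.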