
Sign RPM files with GPG and RPM signing tool using Smartcard Daemon (SCD)

This article explains how to sign RPM packages with the RPM signing tool using GPG keys that were generated in, and are stored by, DigiCert® Software Trust Manager.

Note

Certain versions of RHEL and CentOS, specifically versions 8 and 9, may encounter issues when RPM signing is used with Software Trust Manager and a keyring that contains both a master key and a subkey. To address this issue, download a keyring that contains only the master key, with signing enabled on it.

Prerequisites

Set up RPM signing

To set up GPG with RPM for signing:

  1. Install the rpm-sign utility:

    dnf install -y rpm-sign
  2. To export the public key:

    gpg --export -a "<gpg_key_name>" > "<gpg_key_name.asc>"

    Note

    The gpg_key_name is the name of the key you received when setting up GPG.

  3. To import the key into the local RPM database:

    rpm --import "<gpg_key_name.asc>"
  4. To check if the key was imported:

    rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'

    Note

    This should show you an entry for the key name you just imported.

  5. To create a .rpmmacros file in the logged-in user's home directory, add the following lines to it:

    %_signature gpg
    %_gpg_path /root/.gnupg
    %_gpg_name <gpg_key_name>
    %_gpgbin /usr/bin/gpg2
    %__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}

    Note

    These commands are run as the root user.

    Replace <gpg_key_name> with the name of your GPG key.

    The %_gpg_path value must point to the GPG home directory of the user running rpm; when signing as root, that is the root user's home directory (/root/.gnupg).

Sign with RPM

To sign using the GPG key defined in the .rpmmacros file:

rpm --addsign <package_name>.rpm

Command sample:

rpm --addsign hello-2.10-6.fc35.x86_64.rpm

Command output:

hello-2.10-6.fc35.x86_64.rpm:
gpg: writing to 'hello-2.10-6.fc35.x86_64.rpm.sig'
gpg: RSA/SHA256 signature from: "A03E8CC672CFE1AD demo"
gpg: writing to 'hello-2.10-6.fc35.x86_64.rpm.sig'
gpg: RSA/SHA256 signature from: "A03E8CC672CFE1AD demo"

Verify RPM signature

To verify a signed RPM:

rpm --checksig <package_name>.rpm

Command sample:

rpm --checksig hello-2.10-6.fc35.x86_64.rpm

Command output:

hello-2.10-6.fc35.x86_64.rpm: digests signatures OK

Note

To verify the RPM on other machines, the exported public key will need to be imported into the RPM databases of the machines first.
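The .rpmmacros step and the verification step above, as an added shell example that is not part of the DigiCert article: it writes the macros file from a key name and GPG home, and classifies rpm --checksig output so that an unsigned package, which rpm reports as "digests OK" with exit status 0, is not mistaken for a verified one. The key name, paths and sample output lines are assumptions or constructed values; rpm itself is only needed for the real verify_rpm call.

```shell
#!/bin/sh
# Added example, not from the DigiCert article. Assumes gpg/rpm on PATH for a
# real run; the key name and paths passed in are placeholders.

# Write the .rpmmacros from the article, parameterised on key name and GPG home.
write_rpmmacros() {
  key_name="$1"; gpg_home="$2"; out="$3"
  cat > "$out" <<EOF
%_signature gpg
%_gpg_path $gpg_home
%_gpg_name $key_name
%_gpgbin /usr/bin/gpg2
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
EOF
  chmod 600 "$out"
}

# Classify one line of 'rpm --checksig' output (rpm 4.14+ format, as shown in
# the article). rpm prints lowercase "OK" for checks that passed and uppercase
# "NOT OK" for failures. A package carrying no signature prints only
# "digests OK" and rpm still exits 0, so exit status alone cannot distinguish
# "signed and verified" from "unsigned". Unrecognised formats fail closed.
#   0: digests and signatures both verified (what a consumer should require)
#   1: a check failed (bad signature, key not imported, unknown output)
#   2: no signature present, only digests were checked
checksig_class() {
  case "$1" in
    *"NOT OK"*|*"MISSING KEYS"*) return 1 ;;
    *"signatures OK"*)           return 0 ;;
    *"digests OK"*)              return 2 ;;
    *)                           return 1 ;;
  esac
}

# Verify a package and require a verified signature, not merely intact digests.
verify_rpm() {
  out="$(rpm --checksig "$1" 2>&1)" || true
  if checksig_class "$out"; then
    echo "verified: $out"
    return 0
  fi
  echo "REJECT: $out" >&2
  return 1
}

if [ "$#" -gt 0 ]; then
  verify_rpm "$1"
fi
```

Run as `sh verify.sh package.rpm` on a host where the public key has already been imported with rpm --import; a non-zero exit means the package must not be installed.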